Operational resilience: are you ready?
Insurer Update - Summer 2024
Publication:
Insurer Update
The growing threats of cyber attacks and operational risks against a complex geopolitical backdrop are sharpening the focus of regulators. We summarise what firms must do by the March IBS deadline.
Both the PRA’s Insurance Supervision: 2024 Priorities and the FCA’s Business Plan 2024/25 highlight the challenging environment and emphasise their ongoing commitment to operational resilience.
With regulatory topics like Consumer Duty, multi-occupancy buildings insurance and gap insurance taking the limelight in recent years, the regulators’ efforts on resilience are expected to intensify through the rest of 2024 and leading up to the 31 March 2025 deadline.
By March, insurers and other in-scope firms must be able to operate and maintain their important business services (IBS) within their defined impact tolerances. This marks the end of a three-year transition period when firms were expected to refine and test their operational resilience frameworks.
With the clock rapidly ticking, it’s important to be prepared. The FCA recently published some helpful insights and firms are encouraged to consider these as they assess their readiness.
We summarise the FCA insights below, along with questions firms may want to ask.
FCA insights | Questions for firms |
Important business services (IBS) |
- Inconsistency in firms identifying their IBS appropriately
- Need to look at all factors when identifying IBS. SYSC 15A.2.4 lists a minimum 13 different factors to be considered
- Rationale and justification for IBS should be documented in firms’ self-assessments
| - Have there been any changes to your business model or the services you provide? And have these been considered from an operational resilience perspective?
- Have any changes impacted the minimum factors that would influence your identification of an IBS?
- Is your consideration of, and conclusion on, each of the minimum factors clearly documented?
- Does your self-assessment document provide enough information about the IBS you have selected / not selected and your reasons?
|
Impact tolerances |
- Wide range of impact tolerances identified by firms with limited rationale – this should be documented in firms’ self-assessments
- Many firms setting time-bound tolerances – firms should consider other measures to complement this
- Impact tolerances differ from recovery time objectives (RTOs) which means the maximum time to recover the service. To avoid intolerable harm, processing must take place once the recovery of service is complete
| - How well have you explained and justified the impact tolerances you have established? Does the Board understand clearly what has been set and why?
- Other than time-bound tolerances, what additional metrics have you considered or established, (eg numbers or types of customers or transactions affected)?
- Have you looked at the interaction between impact tolerances and RTOs? RTOs will typically need to be set well within impact tolerances
|
Mapping and third parties |
- Mapping expected to have matured over time
- Where third parties support or deliver IBS and fail to remain within impact tolerance, this is still the responsibility of firms
- Relationships with third parties should be actively managed
- Detailed mapping should help firms to identify vulnerabilities
| - Have there been any changes to people, processes, technology, facilities and information that need to be reflected in your mapping?
- Have all relevant third parties been captured in your mapping?
- Where you rely on third parties to provide an IBS, how well do you understand their people, processes, technology, facilities and information?~
- Have you established appropriate governance and controls around critical third-party relationships to manage these on an ongoing basis?
- Have you revisited your mapping to see if any new dependencies or vulnerabilities have emerged?
|
Scenario testing |
- Firms should consider the five minimum scenarios in SYSC 15A.5.6
- Testing expected to have matured and become more sophisticated over time. Includes increasing the severity of disruption to fully understand the effectiveness of response and recovery plans and the severity at which the firm can no longer remain within impact tolerance
- Firms should mature the format and type of testing – evolve from judgement, desk-based scenario tests to a wider range of tests (eg penetration tests, disaster recovery / failover tests, simulations, lessons learned from real scenarios
- Testing should include third parties
- Should perform horizon scanning to develop understanding of new and emerging risks – this will inform testing
| - Has the testing so far considered the minimum scenarios?
- Have you completed the testing plan originally established? And has this evolved and matured over time, including testing against greater levels of severity?
- Have you performed different types of tests, including live simulations?
- To what extent has your testing involved third parties?
|
Vulnerabilities and remediation | |
- Vulnerabilities identified early in transition period should have been remediated (or significantly progressed) and re-tested to verify that vulnerabilities have been resolved
- Remediation plans should be approved, fully-funded and governed
- As mapping and scenario testing matures, vulnerabilities should be reviewed regularly. Any new vulnerabilities should be remediated
| - Have you addressed any vulnerabilities identified from the testing to date?
- Have you re-tested these vulnerabilities and used different scenarios or severities to prove the vulnerability has been remediated?
- Are there any remaining vulnerabilities? And do you have an approved and fully-funded remediation plan? What is the governance that ensures completion by March 2025?
|
Response and recovery plans |
- Response plans are important as they can buy time for recovery plans to complete and may help to avoid breaching impact tolerance
- There is limited testing of response plans
| - Do you have response plans setting out your initial reaction to an operational incident?
- Does your response plan consider management actions / decision-making and the necessary communications?
- Have you tested your response plan?
|
Governance and self-assessment |
- Self-assessment must include minimum requirements in SYSC 15A.6.1 and detail firms’ journeys to operational resilience
- Expected to mature and develop over time
- From a governance perspective, firms must provide sufficient information and justifications on the determinations, decisions and plans to ensure continued resilience. This allows governing body members to understand firms’ positions and roadmaps to resilience
- Should highlight any concerns and document the remediation work needed
| - Is your self-assessment up to date and does it contain the minimum requirements?
- Does the self-assessment reflect the journey (eg from March 2021 to date), and the actions the firm has taken to improve its operational resilience?
- Is the self-assessment clear and does it provide sufficient information to inform your Board?
- Has your self-assessment been subject to any assurance (eg from internal audit or external parties)?
- Does your self-assessment provide a realistic view of any remaining vulnerabilities and the actions you need to take?
|
Embedding operational resilience |
- Requirement to be operationally resilient is not a ‘one and done’ activity or seen as a tick-box regulatory compliance – it should be embedded into overall firm culture
- Should be embedded into firms’ ERM frameworks, including change management and strategic planning
- As part of BAU, firms should be reviewing IBS, impact tolerances and mapping regularly (at least annually or if there is a material change to business or market) – as well as regular testing
| - Is consideration of operational resilience sufficiently prominent, eg part of Board and management discussions and decision-making? Is it front of mind?
- How have operational resilience risks been incorporated into your ERM framework, risk registers, etc?
- Is operational resilience given sufficient consideration in strategic planning and change activities?
- Have you implemented a regular cycle of reviewing and testing your operational resilience?
|
What’s the impact in Gibraltar?
Operational resilience requirements are well established in the UK, but now we’re starting to see them replicated in other jurisdictions, like Gibraltar, where the Financial Services (Operational Resilience) Regulations 2023 were introduced. Under these, firms had until 13 July this year to identify IBS and set impact tolerances. They now have a two-year transition period to July 2026. By then they should have sound, effective and comprehensive strategies, processes, and systems that mean they can address risks to their ability to remain within their impact tolerance for each IBS, in the event of a severe but plausible disruption.
Operational resilience and the plan for the forthcoming thematic review were discussed at the GFSC Insurance Industry Event earlier this year. The key messages were that firms should have:
- Identified their IBS and set impact tolerances for each
- Mapping and scenarios testing programmes should have started
- Mapping should include all critical resources, internal and external dependences for people, processes, technology, data and facilities
- Mapping and scenario testing should evolve with senior management and Board-level involvement
- Scenario testing must assume disruption has occurred. The higher the impact of the disruption, the less likely desktop testing will be sufficient
- Firms should allow sufficient time to identify and address vulnerabilities and build resilience by completing the testing earlier
- Firms must demonstrate the lessons learned and acknowledge any failures in their approach.
In conclusion, it is clear that, in both UK and Gibraltar, there is a lot of work that firms still need to do to reach regulatory requirements and expectations in this area. Combined with the growing threats of cyber risk and operational risks, it is important that firms and their boards pay close attention to make sure they are operationally resilient.
For further advice on issues raised in this article, please contact Jessica Wills.