As the threat of disruptions increases, the need for operational resilience - the ability of organizations to quickly adapt to changing environments - is of paramount importance. This is particularly true in the financial services sector.
Resilience = Prevention + Adaptation
Decisive steps to prevent a disruption, including detective and preventative controls, are essential. However, while prevention is still a key component of any resilience strategy, firms also need to adopt comprehensive measures that can provide for an orderly recovery and resumption of operations following a disruptive event, with minimal impact to the marketplace. A clear understanding of how all business and technical processes work from beginning to end (including an understanding of the vendors used in the supply chain) is necessary to ensure a rapid, yet safe, recovery of service in the event of a market disruption.
Regulation of Third Parties
The trend in technology has moved to a more service-oriented model, whereby several providers fulfill the needs of many companies, rather than those companies developing the services themselves. This is why, when we speak about operational resilience, it is critical to consider the prevalence of third parties and other outsourced providers who may support the processing of financial transactions. When looking at the changing structure of the financial services sector, how can we ensure that third-party vendors provide the same level of protection required of financial firms themselves? Risk protection needs to be the same regardless of who is providing the financial service.
What is the resilience of the outsourced firms? How would an interruption of their business affect the supply chain? While we can gain an understanding of the control structure of a third party, it is much harder to identify how quickly an outsourced provider can bring its operations back online after a major disruptive event. One option is the use of the Financial Services Sector Cybersecurity Profile, which will allow third-party and outsourced service providers to demonstrate cybersecurity compliance. The Profile provides insight into the provider’s preparedness and recovery capabilities in the wake of a disruption.
An appropriate oversight model for third parties will require a joint effort between supervisors and the financial sector. Initiatives are needed to instill a level of confidence that these vendors can recover operations in an allotted timeframe. These efforts can include further regulatory coordination, as well as licensing and accreditation requirements. Additionally, it should be noted that, in some cases, certain third parties may exit the business or not support certain sectors if the risk doesn’t meet their business model or profitability objectives.
There is a strong need for international consensus from global regulators as we build resiliency, and this must be done in partnership with businesses in the financial sector. Proposals on how best to accomplish resiliency objectives are being discussed at global levels among the International Organization of Securities Commissions, the Financial Stability Board, and the Basel Committee on Banking Supervision, along with the sector, to develop a consistent yet risk-based set of principles. But we still have much more work to accomplish.
Interruptions - regardless of nature or origin - are inevitable and pose a threat to our business models. In order to achieve operational resilience, key areas of focus going forward will be continued regulatory coordination and a coordinated framework for third parties. At DTCC, we have long considered resilience an integral part of our business strategy, and we continually evaluate impacts to our business.