On March 29, 2021, the Financial Conduct Authority (FCA) published final rules that will create a new operational resilience framework for banks, building societies, solvency II firms, recognized investment exchanges, enhanced scope senior managers and certification regime firms, and those authorized or registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011. The new rules will apply from March 31, 2022 and will require firms to identify important business services and set maximum impact tolerances.

The Prudential Regulation Authority (PRA) also published its final Policy Statement (PS) 6/21 alongside the FCA. This includes new Operational Resilience Parts of the PRA Rulebook and a new Supervisory Statement (SS), both of which are also effective from March 31, 2022.

A hostile cyber environment was identified by the FCA and PRA in their joint discussion paper as one of the key challenges to becoming resilient. Cyber risk has therefore been a key driver to the introduction of operational resilience rules. These new rules (together with the Bank of England’s Financial Policy Committee’s proposed standards for response to cyber incidents) will require regulated firms to look deeply into their information security and cyber security defenses beyond what is currently required by the GDPR. This should result in greater protection and safeguarding of the personal data of its account holders and other individuals, thereby satisfying the main pillar of financial regulation which is to protect consumers.

 Our recent client alert lays out the requirements firms should follow in order to prevent, adapt to, respond to and learn from threats to and vulnerabilities in their operational resilience framework.