London, 8 October 2018 – The World Federation of Exchanges ("WFE"), the global industry group for exchanges and CCPs, has published its response to the BoE-FCA-PRA Discussion Paper on Operational Resilience. The discussion paper calls on firms to demonstrate their operational resilience in the event of a cyber-attack or IT disruption.
The key points of the WFE's response are as follows:
- The Bank of England-Financial Conduct Authority-Prudential Regulation Authority's (BoE-FCA-PRA) proposed approach - service rather than systems-based - relating to continuity of business services does not seem to be far removed from existing current business continuity management (BCM) planning. Organisations already take a service approach through risk assessment, business impact analysis, scenario testing, stress testing, and business continuity testing.
- The maturity of business services mapping (i.e. linking of business services, processes, systems, owners etc.) tends to vary from organisation to organisation.
- The WFE can see some benefit in the possibility of firms being asked to set impact tolerances. It may take time to perform to the level regulators would be comfortable with, and it may be worthwhile for regulators to define a scope and framework to ensure consistency between market infrastructures.
- Communication processes are defined in incident management and crisis management planning.
Nandini Sukumar, CEO, WFE said: "Cyber risk matters have been - and continue to be - a matter of great priority for our membership, and one in which significant time, effort and money have been invested. The WFE welcomes the opportunity to further contribute to the dialogue in order to secure the shared objectives of fair and orderly markets that promote the safety and resilience of the global financial system."
The WFE has published a range of whitepapers and consultation responses in the cyber resilience space, including: a response to the FCA on a cyber lexicon; best practice guidelines for cyber security compliance, and cyber resilience standards.