Global Regulatory Brief: Digital finance, November edition | Insights | Bloomberg Professional Services

UK FPC executive outlines operational resilience and cyber risk regulatory agenda

External member of the Financial Policy Committee (FPC), Elisabeth Stheeman, delivered a speech on the threat of cyber attacks and the broader importance of operational resilience. 

Wider context: Stheeman stressed that the FPC is focused on risks that could lead to systemic operational disruption in addition to more traditional financial risks. 

• She defined operational risk as the type of risk that affects systems and processes, and good operational risk management as being the ability for companies to detect and prevent risks that could lead to operational disruption
• As financial firms have become more digital and interconnected at an operational level, the associated risks have become greater threats to the wider financial system

Cyber in focus: The risk of a cyber-attack is the most cited risk in the latest Systemic Risk Survey for H2 2023, with 80% of firms mentioning it.

• A cyber-attack could impact financial stability indirectly if there is financial contagion through liquidity stress, financial losses, and significant price moves that could disrupt market functioning
• The Bank of England and Prudential Regulation Authority already use a range of tools to assess the cyber resilience of individual firms’ important business services 
• The FPC stresses that clear baseline expectations and regular testing constitute major elements of the regulatory framework to strengthen the cyber resilience of UK financial services 

Operational resilience in focus: Stheeman observed that financial firms are making greater use of third parties; this has the potential to make firms more resilient to operational risks than using only on-site IT infrastructure. 

• UK regulators will soon publish a consultation paper with draft rules and guidance for critical third parties

Wider context: Alongside this work on critical third parties and cyber stress testing, the FPC continues to identify and monitor the channels through which operational risks could affect financial stability such as AI and the use of blockchain.