New Operational Resilience Regulations Loom amid Financial Sector’s Ongoing Outage Problem

by Ali Moinuddin
  • Serious outages have plagued Financial sector institutions over the last few years.
  • FSIs are now entering a new regulatory landscape that demands preparation and change.
outage
Bloomberg
Join our Telegram channel

The financial sector is a cornerstone of the global digital economy. Every day, countless commercial and retail customers around the world depend on reliable access to critical services from financial sector institutions (FSIs). Any interruptions can bring business, and life as we know it, to a screeching halt and inflict severe wide-ranging consequences worldwide. The financial sector has always shown an understanding of this reality and is well-known for investing more in digital operational resiliency than virtually any other industry.

And yet, financial services failures remain a massive problem today, some examples here, here, and here, and are dramatically more costly, harmful and common than those in other sectors. Recent Uptime Institute research drives the point home, revealing that nearly 80% of FSIs have reported experiencing an outage in the past three years. Roughly one in three financial firms encountered a downtime incident they deemed serious or severe during that same period.

Further, FSIs suffered 31% of all significant, publicly reported outages between 2019 and 2021, a substantially larger share than any other industry. Financial sector outages can cost millions per hour and lead to prolonged legal issues, regulatory sanctions and irreparable reputational damage, not to mention the untold repercussions end customers shoulder downstream.

Third-Party Service Providers and Systemic Risk

The financial sector’s outage problem stems from the fact that most FSIs have become highly reliant on increasingly hybrid ICT (information and communications technology) infrastructure. These systems span enterprise-owned data centers, colocation (colo) sites, cloud environments, SaaS solutions and ICT service providers. Highly distributed, multi-party IT operations have become the norm throughout the industry, compounding the level of complexity and risk involved.

ICT-related third-party service providers (TSPs) introduce some of the most pressing and systemic risks for a financial firm’s operational resiliency. In fact, research shows that almost 40% of businesses have suffered an outage due to external service provider issues.

As banks and financial institutions continue to distribute their infrastructure across more third parties, they pile on added complexity and increase the risk of potential failures among essential ICT services that support critical business services. Historically speaking, TSPs can be difficult to audit, assess or assign with legal culpability for these types of IT outages and the risks that produce them, but this is beginning to change.

Heightened Operational Resilience Requirements

Government concerns over the risks and resilience of ICT systems in critical sectors have been on the rise for some time. The European Union (EU) has become a legislative pioneer in this respect, enacting historic regulations such as GDPR (the General Data Protection Regulation) for data privacy, the Directive on Security of Network and Information Systems (NIS) for security, and more. Most FSIs will be familiar with the European Banking Authority’s (EBA) Guidelines on Outsourcing Arrangements, which have led financial sector competent authorities (CAs), including the European Central Bank and all EU domestic regulators, to require entities within their jurisdiction to maintain robust infrastructure management practices and conduct regular risk assessments across their entire ICT estate, including ICT-related TSPs.

We’ve seen global disasters add fuel to the fire over the last few years as well. The pandemic-induced surge in dependence on digital services made the importance of improving operational resilience abundantly clear. Every new high-profile cloud or financial sector outage further underscores the point, as have downtime incidents caused by the surge in historic weather events such as wildfires, floods and extreme temperature fluctuations. Regulators haven’t just taken note of the issue; they’ve taken action. There have been numerous proposals for stricter legislation around digital risk and resiliency (the EU's Directive on the Resilience of Critical Entities (CER), the Gramm-Leach-Bliley Act in the US, etc.).

Although many new regulations impact digital infrastructure resiliency, there are contradictions and redundancies among them, and none offered adequate supervisory authority over external ICT providers until the EU’s landmark Digital Operational Resilience Act (DORA). Expected to pass within the next year, DORA is the frontrunner in an expanding global push for improved financial sector operational resiliency and can give the financial sector a view of its regulatory future.

DORA – Understanding the Impact

DORA offers a complete framework with consistent rules for the EU to improve digital operational resilience across all regulated financial institutions. Importantly, the legislation places TSPs squarely within the jurisdiction of European Supervisory Authorities (ESAs) for the first time and blocks FSIs from outsourcing risk to external ICT partners of any kind.

DORA will establish an oversight framework for critical ICT third-party providers (CTPPs), a category including any organization whose services, if interrupted by a “large-scale operational failure,” would destabilize or compromise the financial sector. ESA overseers will conduct annual resiliency inspections to identify any risks present in critical software, operational documentation and processes, staff training programs, security, physical infrastructure, etc. that could disrupt the global financial network.

CTPPs must address any risks identified through this process. In cases involving severe risks to the financial sector at large, ESAs can pause or cancel a CTPP’s client contracts. DORA will also establish stringent reporting requirements for FSIs that encounter major outages due to a CTPP, forcing many in the financial sector to develop new processes that enable in-depth monitoring and rapid coordination with regulators in such cases.

The EU launched DORA trilogue negotiations in early 2022, which should conclude within 18 months. Once the legislation passes, FSIs and their third-party digital services partners have one year to comply. Companies that fail to meet the deadline will face steep financial penalties. For example, if you hit $20B in annual sales last year, noncompliance could mean over half a million dollars in fines each day, or a $100M bill over six months.

Although DORA is EU legislation, it directly impacts any financial sector participants doing business in the EU, regardless of where they’re headquartered. And, it won’t be long before those without EU ties feel its effects as well. We know governing bodies worldwide look to novel regulations for guidance to draft their own equivalents or simply enforce compliance in their own countries (think GDPR and other landmark laws). In fact, this is already happening.

A North American Perspective

Similar regulatory efforts to improve operational resilience have emerged in North America as well. Last year, the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) published Proposed Interagency Guidance on Third-Party Relationships: Risk Management , which offers a framework to help financial organizations of varying size and complexity to establish effective risk management practices for mitigating consumer harm, information security incidents and other operational risks.

The Federal Reserve closed the market consultation window in 2021 and appears likely to set its final requirements in the coming months. It’s clear from the 86 FR 38182 document text that its position will follow DORA and EBA’s lead, requiring regulated financial entities to develop an end-to-end approach to identifying and mitigating outage risks in ICT infrastructure and build sound risk management programs that directly address the use of third parties who may present elevated risks to banking organizations and their customers.

We’ve seen a similar push from the Office of the Superintendent of Financial Institutions (OSFI) of Canada, which published its Draft Guideline B-10 Third-Party Risk Management in April of 2022. This proposed guidance seeks to address the many risks third-party arrangements present for the operational and financial resilience of FRFIs (federally regulated financial institutions). As such, the OSFI will enforce effective risk management practices among FRFIs, who will be held accountable for service disruptions regardless of whether they originate in-house or through external service providers.

This outcome-based framework focuses on five key areas. FRFIs must demonstrate the governance and accountability of comprehensive risk management strategies, that risks posed by third parties are identified and assessed, that identified risks are mitigated based on the FRFI’s risk appetite, that third-party performance is continually monitored, and that the FRFIs’ risk management programs are dynamic enough to actively capture and manage a range of third-party relationships and interactions.

Are You Prepared?

FSIs are entering an entirely new regulatory landscape, one that demands significant preparation and change, today. You must be ready to expand digital infrastructure risk evaluations for cloud, colo and SaaS partners beyond the vendor selection process and implement routine, thorough risk inspections across each service provider and their respective facilities, as well as your own. These periodic audits will help measure and minimize outage risks across your entire global IT estate, but there’s more involved than the assessments themselves. You’ll need to document the process from end to end to provide evidence that the digital infrastructure upon which your critical services depend is designed, built and operated according to new resiliency criteria.

All of this amounts to a colossal undertaking that will put financial sector ICT and data center teams to the test. Fortunately, there’s still time, and it’s entirely manageable if you acknowledge the need for new processes and expertise to supplement existing resources and start assembling them now.

Ali Moinuddin is the Chief Corporate Development Officer and Managing Director of Europe at Uptime Institute

The financial sector is a cornerstone of the global digital economy. Every day, countless commercial and retail customers around the world depend on reliable access to critical services from financial sector institutions (FSIs). Any interruptions can bring business, and life as we know it, to a screeching halt and inflict severe wide-ranging consequences worldwide. The financial sector has always shown an understanding of this reality and is well-known for investing more in digital operational resiliency than virtually any other industry.

And yet, financial services failures remain a massive problem today, some examples here, here, and here, and are dramatically more costly, harmful and common than those in other sectors. Recent Uptime Institute research drives the point home, revealing that nearly 80% of FSIs have reported experiencing an outage in the past three years. Roughly one in three financial firms encountered a downtime incident they deemed serious or severe during that same period.

Further, FSIs suffered 31% of all significant, publicly reported outages between 2019 and 2021, a substantially larger share than any other industry. Financial sector outages can cost millions per hour and lead to prolonged legal issues, regulatory sanctions and irreparable reputational damage, not to mention the untold repercussions end customers shoulder downstream.

Third-Party Service Providers and Systemic Risk

The financial sector’s outage problem stems from the fact that most FSIs have become highly reliant on increasingly hybrid ICT (information and communications technology) infrastructure. These systems span enterprise-owned data centers, colocation (colo) sites, cloud environments, SaaS solutions and ICT service providers. Highly distributed, multi-party IT operations have become the norm throughout the industry, compounding the level of complexity and risk involved.

ICT-related third-party service providers (TSPs) introduce some of the most pressing and systemic risks for a financial firm’s operational resiliency. In fact, research shows that almost 40% of businesses have suffered an outage due to external service provider issues.

As banks and financial institutions continue to distribute their infrastructure across more third parties, they pile on added complexity and increase the risk of potential failures among essential ICT services that support critical business services. Historically speaking, TSPs can be difficult to audit, assess or assign with legal culpability for these types of IT outages and the risks that produce them, but this is beginning to change.

Heightened Operational Resilience Requirements

Government concerns over the risks and resilience of ICT systems in critical sectors have been on the rise for some time. The European Union (EU) has become a legislative pioneer in this respect, enacting historic regulations such as GDPR (the General Data Protection Regulation) for data privacy, the Directive on Security of Network and Information Systems (NIS) for security, and more. Most FSIs will be familiar with the European Banking Authority’s (EBA) Guidelines on Outsourcing Arrangements, which have led financial sector competent authorities (CAs), including the European Central Bank and all EU domestic regulators, to require entities within their jurisdiction to maintain robust infrastructure management practices and conduct regular risk assessments across their entire ICT estate, including ICT-related TSPs.

We’ve seen global disasters add fuel to the fire over the last few years as well. The pandemic-induced surge in dependence on digital services made the importance of improving operational resilience abundantly clear. Every new high-profile cloud or financial sector outage further underscores the point, as have downtime incidents caused by the surge in historic weather events such as wildfires, floods and extreme temperature fluctuations. Regulators haven’t just taken note of the issue; they’ve taken action. There have been numerous proposals for stricter legislation around digital risk and resiliency (the EU's Directive on the Resilience of Critical Entities (CER), the Gramm-Leach-Bliley Act in the US, etc.).

Although many new regulations impact digital infrastructure resiliency, there are contradictions and redundancies among them, and none offered adequate supervisory authority over external ICT providers until the EU’s landmark Digital Operational Resilience Act (DORA). Expected to pass within the next year, DORA is the frontrunner in an expanding global push for improved financial sector operational resiliency and can give the financial sector a view of its regulatory future.

DORA – Understanding the Impact

DORA offers a complete framework with consistent rules for the EU to improve digital operational resilience across all regulated financial institutions. Importantly, the legislation places TSPs squarely within the jurisdiction of European Supervisory Authorities (ESAs) for the first time and blocks FSIs from outsourcing risk to external ICT partners of any kind.

DORA will establish an oversight framework for critical ICT third-party providers (CTPPs), a category including any organization whose services, if interrupted by a “large-scale operational failure,” would destabilize or compromise the financial sector. ESA overseers will conduct annual resiliency inspections to identify any risks present in critical software, operational documentation and processes, staff training programs, security, physical infrastructure, etc. that could disrupt the global financial network.

CTPPs must address any risks identified through this process. In cases involving severe risks to the financial sector at large, ESAs can pause or cancel a CTPP’s client contracts. DORA will also establish stringent reporting requirements for FSIs that encounter major outages due to a CTPP, forcing many in the financial sector to develop new processes that enable in-depth monitoring and rapid coordination with regulators in such cases.

The EU launched DORA trilogue negotiations in early 2022, which should conclude within 18 months. Once the legislation passes, FSIs and their third-party digital services partners have one year to comply. Companies that fail to meet the deadline will face steep financial penalties. For example, if you hit $20B in annual sales last year, noncompliance could mean over half a million dollars in fines each day, or a $100M bill over six months.

Although DORA is EU legislation, it directly impacts any financial sector participants doing business in the EU, regardless of where they’re headquartered. And, it won’t be long before those without EU ties feel its effects as well. We know governing bodies worldwide look to novel regulations for guidance to draft their own equivalents or simply enforce compliance in their own countries (think GDPR and other landmark laws). In fact, this is already happening.

A North American Perspective

Similar regulatory efforts to improve operational resilience have emerged in North America as well. Last year, the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) published Proposed Interagency Guidance on Third-Party Relationships: Risk Management , which offers a framework to help financial organizations of varying size and complexity to establish effective risk management practices for mitigating consumer harm, information security incidents and other operational risks.

The Federal Reserve closed the market consultation window in 2021 and appears likely to set its final requirements in the coming months. It’s clear from the 86 FR 38182 document text that its position will follow DORA and EBA’s lead, requiring regulated financial entities to develop an end-to-end approach to identifying and mitigating outage risks in ICT infrastructure and build sound risk management programs that directly address the use of third parties who may present elevated risks to banking organizations and their customers.

We’ve seen a similar push from the Office of the Superintendent of Financial Institutions (OSFI) of Canada, which published its Draft Guideline B-10 Third-Party Risk Management in April of 2022. This proposed guidance seeks to address the many risks third-party arrangements present for the operational and financial resilience of FRFIs (federally regulated financial institutions). As such, the OSFI will enforce effective risk management practices among FRFIs, who will be held accountable for service disruptions regardless of whether they originate in-house or through external service providers.

This outcome-based framework focuses on five key areas. FRFIs must demonstrate the governance and accountability of comprehensive risk management strategies, that risks posed by third parties are identified and assessed, that identified risks are mitigated based on the FRFI’s risk appetite, that third-party performance is continually monitored, and that the FRFIs’ risk management programs are dynamic enough to actively capture and manage a range of third-party relationships and interactions.

Are You Prepared?

FSIs are entering an entirely new regulatory landscape, one that demands significant preparation and change, today. You must be ready to expand digital infrastructure risk evaluations for cloud, colo and SaaS partners beyond the vendor selection process and implement routine, thorough risk inspections across each service provider and their respective facilities, as well as your own. These periodic audits will help measure and minimize outage risks across your entire global IT estate, but there’s more involved than the assessments themselves. You’ll need to document the process from end to end to provide evidence that the digital infrastructure upon which your critical services depend is designed, built and operated according to new resiliency criteria.

All of this amounts to a colossal undertaking that will put financial sector ICT and data center teams to the test. Fortunately, there’s still time, and it’s entirely manageable if you acknowledge the need for new processes and expertise to supplement existing resources and start assembling them now.

Ali Moinuddin is the Chief Corporate Development Officer and Managing Director of Europe at Uptime Institute

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}