Skip to content

Search the site

Bank of England warns on expanded operational resilience regime – cloud providers put on notice

New demands of "critical third-parties" will "require some adjustments all round" says senior BoE official.

The Bank of England highlighted that a new operational resilience regime will “bring some other parties within the scope of our oversight powers for the first time” as it prepares to wrap up a consultation on the operational resilience of “critical third parties” – likely to include cloud providers.

This will, a senior BoE official said tactfully this month, “require some adjustments all round as we all implement the new regime…”

The central bank’s set of proposals for “CTPs” is open for consultation via a joint consultation paper by the Bank of England, Prudential Regulation Authority and the Financial Conduct Authority. It closes on March 15. 

In an under-reported speech on March 5, the bank’s Director of Prudential Policy, Gareth Truran said its proposals “have been informed by lessons we have learnt from previous disruption at third party service providers impacting multiple firms. Most third parties have processes to update and support their customers during an incident. But these processes rarely take into account the potential collective or systemic impact that such disruption might have on the financial sector due to interconnectedness.”

He added: “Third parties do not feature in the various frameworks set up to provide a coordinated response to incidents which might have a potential adverse impact on financial stability (even though they could be the source of the incident or provide a channel to amplify its impact)...”

(Regulators expect such CTPs, likely to include the hyperscalers, to more “proactively engage with existing frameworks set up to coordinate the response to incidents; for example the ‘Cross-Market Operational Resilience Group’s Sector Response Framework, and the Financial Sector Cyber Collaboration Centre.’ the ongoing consultation shows.)

Both incident management and reporting are a key focus and CTPs will need to bring an additional layer of financial sector-wide collaboration to their incident management practices…” Truran said in his March 5 speech.

The consultation shows that no companies have been named CTPs yet. Regulators propose to identify them by assessing third parties against:

  • The materiality of the services which the third party provides
  • The concentration of the services which the third party provides
  • Other drivers of potential systemic impact.

The proposed requirements cover governance, risk management, technology and cyber resilience – including incident management. 

As the consultation suggests, regulators are after significantly greater transparency from major CTPs on incident response and reporting around the "regular testing" of their technology and cyber risk management and operational resilience measures; not least including sharing "processes and measures that reflect lessons learned from testing; and processes and procedures that convey relevant and timely information to assist risk management and decision-making processes."

The central bank and fellow financial markets regulators aim to issue their final requirements and expectations for CTPs in H2.

See also: Bank of England's tech overhaul: 'Open Sesame' or more friction?