In its recently published ‘Prudential Regulation Authority Business Plan 2023/24’, the UK PRA has set out its plans for regulating operational resilience and related areas through the 2023-2024 period.
Key points from the business plan in this area include:
- The FCA’s, the Bank of England’s and the PRA’s operational resilience policies came into force in March 2022. Firms should now have identified important business services, set impact tolerances, and commenced a programme of scenario testing. The PRA has conducted an initial assessment of firms’ implementation of the policy and provided feedback on the results. In 2023, the PRA will work closely with the FCA to assess firms’ progress, with a particular focus on their ability to deliver important business services within impact tolerances through severe but plausible scenarios within a reasonable time frame and by no later than March 2025. Ensuring a more consistent approach in policy implementation will also be a key focus during 2023.
- The PRA will continue to monitor threats to firms’ resilience, including their growing dependency on third parties. The FSM Bill, currently going through Parliament, will give HMT the ability to designate certain third party service providers as ‘critical’ following consultation with the Bank, the PRA and the FCA (supervisory authorities). The Bill will also give the supervisory authorities new powers to oversee the services provided by critical third parties (CTPs) to regulated firms. In 2022 the PRA and the FCA published a joint discussion paper on how these proposed powers could be used to assess and strengthen the resilience of services provided by CTPs to firms and FMIs, thereby reducing the risk of systemic disruption. The PRA will continue to work with HMT to develop the policy and oversight approach in 2023.
- The PRA will continue to monitor and assess firms’ ability to manage cyber threats. The PRA will collaborate with the FCA, including in response to known technology and cyber incidents, and will continue to monitor and engage with firms on their execution of large and complex IT change programmes. The FPC’s recent cyber stress test has broadened the PRA’s understanding of how operational disruptions such as cyber attacks may impact financial stability. Throughout 2023 the PRA will continue to deliver this work through a broad range of industry, sector-focussed and international engagement, including the Authorities Response Framework, the Cross Market Business Continuity Group, the Cross Market Operational Resilience Group and the G7 Cyber Expert Group. This will focus on strengthening the sector’s resilience capabilities and its ability to respond to an operational disruption.