The Bank of England has joined forces with the FCA to investigate how financial organisations are preparing their systems for cyber attacks and IT outages.
In a discussion paper published on Thursday, the regulators call on banks, building societies, credit unions and insurers to disclose, by 5 October, details of their ability to respond to outages.
“The financial sector needs an approach to operational risk management that includes preventative measures and the capabilities – in terms of people, processes and organisational culture – to adapt and recover when things go wrong,” according to a joint statement from the regulators.
“As recent high-profile disruptive events have shown, the speed and effectiveness of communications with the people most affected, including customers, is an important part of any firm’s or FMI’s overall response to an operational disruption.”
The discussion paper suggests that banks should put in place measures to ensure they can get their systems up and running again within two days of being hit by an outage.
Earlier this year, TSB customers were left locked out of their online accounts for several days at a time after the lending giant migrated its digital services to a new platform. Fraudsters exploited the incident to steal money from around 1,300 of the company’s customers.
Financial services firms are not covered by the NIS Directive, a new set of European regulations designed to bolster the security of critical infrastructure. But that doesn’t mean banks are any less likely to be hit by fines for IT outages. The directive grants regulators the power to fine companies up to £17m of annual turnover, while there is no cap on the fines the FCA can issue.
“It’s great to see that the Bank of England and the Financial Conduct Authority are ensuring financial services firms take greater accountability for possible disruption of service,” said Veeam’s UK and Ireland chief Mark Adams. “The problems firms in the sector experienced recently were simply not acceptable from a compliance perspective or from that of customer service.”
“Firms facing this three-month deadline should take comfort in the fact that disaster recovery planning is actually pretty simple,” he added. “The main challenges won’t be much to do with the technology, but from working out which apps and databases they have which need to be planned for, and where their respective data lives.”