UK Law and Practice Contributed by: Ben Morgan, Ali Sallaway, Matthew Bruce and Emily Knight, Freshfields
Given the importance of the financial services sector, it is no surprise that UK Finance was the first body to publish sector-specific guidance on the FTPF offence. In addition to UK Finance’s guidance on FTPF, further sector-specific guidance is anticipated in forthcoming years.

2.3 Government Role

COBR co-ordinates government departments in response to matters of major disruption or national emergency. The composition of the committee will depend on the nature of the emergency in question. In 2022, the UK government introduced a Resilience Framework (the Framework) in the wake of the pandemic. The Framework is led by the Resilience Directorate in the Cabinet Office and aims to build structures across government that can:

• create a shared understanding of the risks;
• develop contingency plans; and
• run exercises to ensure central government departments are prepared for possible crisis situations.

The Framework confirms an intention to draw upon expertise and data within the private sector in return for providing better guidance and information on resilience and risks. This may lead to legal reforms to provide for greater data and information sharing between the private and public sector to improve responses to crisis situations.

2.4 Independent Oversight

The entities responsible for oversight of crisis management primarily exist within the public sector, but trade and industry bodies have made recommendations on how particular sectors can improve their crisis management plans in the form of guidance. For example, the International Organization for Standardization has published Security and resilience – Crisis management – Guidelines (ISO 22361:2022), and UK Finance has published guidance on incident response plans, called “Incident Management – Cyber Incident Response – Is Your Firm Ready?”.

2.5 Transparency Requirements

Businesses are under increasing scrutiny from stakeholders to report on risks to business continuity and the steps that are being taken to address potential threats. As noted in 1.1 Market Comparison, the Financial Reporting Council’s UK Corporate Governance Code requires businesses to report on the effectiveness of controls to address material risks, and now requires boards to make a declaration in relation to the effectiveness of their material internal controls. A new Principle has also been included to encourage companies to report on outcomes and activities in these areas.

Organisations that are subject to direct regulatory oversight, typically by a specific agency (such as the regulated communications, financial services and energy sectors), are subject to strict reporting requirements in different types of emergencies. For example, in the financial services sector, under Principle 11 of the FCA’s Principles for Businesses, firms are required to co-operate with and report on any material operational incidents to the FCA. There are also wide-ranging notification requirements in relation to data breaches that can occur during a crisis, which apply across the private sector. Organisations may also need to notify individuals affected by an incident to limit potential further damage and/or offer remediation, and listed companies affected by a crisis will always have to consider their disclosure obligations if the issue has the potential to affect investors.