UK Law and Practice Contributed by: William Long, Francesca Blythe, Eleanor Dodding and Anila Rayani, Sidley Austin LLP
any relevant service. As from 12 January 2022, the ICO (which is the lead regulator for RDSPs) must be notified by an RDSP where there is an incident that has a substantial impact on the provision of any digital services, including online marketplaces, online search engines and cloud computing services.

It should be noted that, in comparison with the UK GDPR, notifiable incidents under the NIS Regulations need not always involve personal data – that is, cybersecurity incidents that do not involve personal data (such as cyber-attacks on industrial control systems) could be notifiable under the NIS Regulations, but would not be notifiable under the UK GDPR if they do not involve personal data.

Under the NIS Regulations, as with the UK GDPR, OESs and RDSPs must notify their relevant competent authority and the ICO respectively of an incident “without undue delay” and, in any event, no later than 72 hours after the OES or RDSP (as applicable) becomes aware of the incident.

The NIS Regulations require that OESs and RDSPs adopt “appropriate and proportionate” technical and organisational security measures, as well as “appropriate” measures to prevent and minimise the impact of incidents affecting those systems (taking into account the state of the art), so as to ensure the continuity of the essential services that the OES provides. Although serious incidents must be reported under the NIS Regulations, the ICO has also explained that software vulnerabilities – ie, weaknesses in a system that can be exploited by an attacker – may also need to be reported, as per the “additional information” required in the ICO’s NIS reporting form.

2.4 State Responsibilities and Obligations

This is not applicable in the UK.

3. Financial Sector Operational Resilience Regulation

3.1 Scope of Financial Sector Operational Resilience Regulation

In the UK, operational resilience in the financial sector is primarily addressed by the FCA, the Prudential Regulatory Authority (PRA) and the Bank of England in their rules and guidance on requirements to strengthen operational resilience in the financial services sector – for example, the FCA’s rules on operational resilience under Chapter 15A of its Senior Management Arrangements, Systems and Controls Sourcebook and the PRA’s supervisory statement “Operational resilience: Impact tolerances for important business services” (SS1/21) (collectively, the “Operational Resilience Requirements”), which were published on 31 March 2022 and address how firms identify, map, test and enhance their important business services to withstand disruptions. UK firms must have performed the required mapping and testing, so that they are able to remain within impact tolerances for each important business service, by no later than 31 March 2025. The rules are intended to align closely (albeit not entirely) with international standards and other regimes, such as the EU’s Digital and Operational Resilience Act (DORA).

In November 2024, the FCA and the PRA published a joint policy statement, “Operational resilience: Critical third parties to the UK financial sector” (PS16/24) (the “CTP Policy Statement”). This confirmed that operational resilience remains a priority for the regulators and focuses, among other things, on further defining obligations with regard to critical third parties (CTPs) (see 3.2 ICT Service Provider Contractual Requirements for further detail).
326 CHAMBERS.COM