Operational resilience of the financial sector

Overview

We work to make sure the financial sector in the UK is resilient to any disruptions to its operations. 

The sector includes banks, building societies, insurers and financial market infrastructure providers (FMIs). We carry out this work with the UK's two other financial authorities: HM Treasury and the Financial Conduct Authority (FCA).

Our objectives

1. To keep retail and wholesale markets open and functioning, except if doing so would threaten financial stability. Specifically, we aim to keep payment and settlement systems open to complete the day's business.
2. To ensure an orderly and early return to trading if markets fail to remain open – for example by providing a single point of information, effective channels of communication and an effective and co-ordinated response.
3. To involve relevant infrastructure providers and market participants when we make decisions affecting markets. 
4. To facilitate market initiatives that help build operational resilience.

If you work for a firm or an FMI and need more information, please contact your supervisory team.

Prudential and Resolution Policy Index related links

• Banking - Operational resilience
• Insurance - Operational resilience

Operational resilience

Operational resilience is important for maintaining financial stability in the UK. 

By 'operational resilience', we mean the ability of firms and the financial sector as a whole to absorb and adapt to shocks and disruptions, rather than contribute to them. 

It extends beyond business continuity and disaster recovery. Financial firms and FMIs must have robust plans in place to deliver essential services, no matter the disruption. This includes man-made threats such as physical and cyberattacks, IT system outages and third-party supplier failure. It also includes natural hazards such as fire, flood, severe weather and pandemic.

As a central bank and regulator of financial firms and FMIs, we have an important part to play in improving the resilience of the sector.

How we set policy

Our Financial Policy Committee (FPC) looks at the resilience of the system as a whole. The committee sets out its priorities twice a year in its Financial Stability Report. The committee's macroprudential approach to operational resilience is set out in the Financial Stability in Focus.

Our Prudential Regulation Committee (PRC) and Financial Market Infrastructure Board (FMIB) focus on the operational resilience of the firms and FMIs we regulate.

Our approach

To support operational resilience we:

• supervise firms and FMIs 
• engage with the sector and international authorities to drive collective action

We have set out our approach to operational resilience for firms in our policy statements. This work is carried out by the Bank of England and by our Prudential Regulation Authority (PRA).

In summary, we ask firms to:

• identify important business services – boards and senior management must identify and prioritise services that, if disrupted, would impact our objectives and the public interest;
• set impact tolerances – firms must say to what extent they would be able to continue important business services after severe but plausible disruptions; and
• ensure they can remain within impact tolerances – firms must map their important business services and test their capacity to continue them to the agreed extent; where firms identify vulnerabilities that might stop them from remaining within impact tolerances, these should be addressed.

We have set out our policy on operational resilience of FMIs.

Collective action

The Cross Market Operational Resilience Group (CMORG) leads sector-wide collective action on operational resilience. 

The group is made up of about 25 members, firms across retail, wholesale, FMIs, insurance, the financial authorities and the National Cyber Security Centre. Its co-chairs are senior executives of the PRA and UK Finance. 

CMORG has three core objectives:

1. Identify risks to the resilience of the financial sector.
2. Develop solutions to improve the operational resilience of the sector.
3. Share knowledge.

Specialist subgroups support CMORG. They design, manage and deliver operational resilience improvements for the sector. The work of these groups is voluntary. Their chairs meet regularly to discuss CMORG's activities and identify areas for more collaboration.

A Project Management Office (PMO) also supports CMORG. It is jointly resourced by us and UK Finance. It is has developed a website to improve awareness of CMORG activity.

CMORG-endorsed capabilities (including good practice guidance, response frameworks and contingency tools) have been developed collectively by industry to support the operational resilience of the UK's financial sector. The financial authorities support the development of these capabilities and collective efforts to improve sector resilience. However, their use is optional and they do not constitute regulatory rules or supervisory expectations. As such, they may not necessarily represent formal endorsement by the authorities.

The Financial Services Cyber Collaboration Centre (FSCCC) is a CMORG-led partnership. It aims to help identify, investigate and co-ordinate the response to incidents that may have consequences for the financial sector. It analyses and distributes information to produce timely outputs for the sector's benefit.

What happens if there is a disruption in the financial sector?

Individual firms should contact their usual business or supervisory contacts at the Bank or the FCA.

The sector's response is facilitated by the Sector Response Framework (SRF). It sets out how organisations across the sector and government are connected. It also explains how they may respond to incidents individually and together when the impact becomes broader than a single firm or FMI and requires co-ordination, information-sharing or collective action.

Its purpose is to: 

• allow firms, FMIs and the sector to make collective, timely, informed decisions in response to incidents
• provide a reference to good practice, contingency tools and plans, which may be invoked as part of a sector response
• include decision makers and subject matter experts
• be organised on a modular basis, so that components of the SRF can respond
• be recognised by the financial authorities as the principle structure by which the sector will respond to incidents
• support collaborative engagement between the sector and the UK's financial authorities (see below)
• be able to engage with frameworks in other jurisdictions, if required

The UK's three financial authorities are the Bank (including the PRA), the FCA and the Treasury. 

If disruptions have the potential to impact the whole sector, these authorities act together. The Authorities Response Framework co-ordinates their response. 

Cyber resilience

To maintain the cyber resilience of the financial sector and to support our supervisory oversight, we have developed cyber assessment tools.

They include CBEST, STAR-FS and CQUEST.

CBEST

CBEST provides a framework for regulators to work with firms using a simulated cyberattack. This allows firms to explore how to disrupt an attack on the people, processes and technology of cyber security controls. 

The aim of CBEST is to:

• test a firm's defences
• assess its threat intelligence capability
• assess its ability to detect and respond to a range of external attackers as well as people on the inside 

Firms use the assessment to plan how they can strengthen their resilience.

We base the simulated attacks used on present cyber threats. These include the approach a threat actor may take to attack a firm and how they might exploit a its online information.

An accredited service provider carries out the simulation. It acts within legal, ethical and moral constraints. It aims to get through a firm's defences using the cyber kill chain. They also assess if the confidentiality, integrity or availability of systems and processes that deliver a firm's important business services can be compromised.

STAR-FS

The Bank, the PRA and the FCA are pleased to announce the launch of a threat-led penetration test assessment for the UK Finance Sector. STAR-FS (Simulated Targeted Attack and Response assessments for Financial Services) is part of the PRA and FCA supervisory toolkit, which also includes CBEST, to assess the cyber resilience of firms' important business services. This assessment enables regulators and firms to better understand vulnerabilities and take remedial actions, thereby improving their resilience and, by extension, the wider financial system. 

It promotes a threat-led penetration testing approach that mimics the actions of cyber threat actors' intent on compromising an organisation's important business services as well as the technology assets and people supporting them.

STAR-FS aims to provide:

• an outcome-based assessment of financial institutions' protection, detection and response technical capabilities against cyber-attacks;
• an approach, conducted through a firm-led delivery model, that can identify cyber resilience vulnerabilities within systems, people and processes;
• reduced regulatory and firm effort relative to other supervisory technical assessments such as CBEST;
• levels of independent technical assurance beyond those ordinarily included in firms' own penetration testing programmes; and
• a testing approach accessible by a larger number of financial institutions to experience and learn from.

Here is a short list of STAR-FS unique features:

• accredited threat intelligence and penetration test service providers replicate real-world attacks on operational systems;
• allows for consistent formal reports for firms to provide appropriate information to regulators of the level of technical cyber resilience;
• can be self-initiated by firms as part of their own cyber programmes, as well as by regulators as part of supervisory oversight, to inform assessments of protection, detection, and response capabilities and uncover vulnerabilities through testing; and
• self-initiated assessments could be recognised as a supervisory assessment if regulators are notified of the STAR-FS, accept the opportunity to input to the scope, and then receive the relevant requested outputs at the end of the assessment.

An implementation guide and supporting templates are available. If your firm is interested in conducting a STAR-FS assessment please contact your supervisor.

CQUEST

Operational disruption to important business services could impact financial stability, threaten the safety and soundness of individual firms and FMIs, and cause harm to consumers and other market participants in the financial system. In this context, firms and FMIs should assess their cyber risk and build adequate resilience capabilities to prepare for, and respond to, cyber events and incidents that could cause operational disruption.

CQUEST forms part of the Bank and PRA/FCA's supervisory toolkit to gauge the cyber risk and resilience capabilities of the sector. CQUEST can also be used by other firm(s) as a self-assessment tool to consider their own cyber risk and resilience maturity. The CQUEST questionnaire (below) comprises 50 questions with multiple-choice answers across six domains: Governance and Leadership, Identify, Protect, Detect, Respond and Recover.

To achieve a reliable outcome, an organisation should identify and direct a competent party with appropriate knowledge and experience of the business and cyber capabilities in the firm(s) to complete the CQUEST questionnaire. 

When CQUEST is used to inform regulatory activities, supervisors might provide additional guidance and/or they could request evidence or clarifying information in response to a firm or FMI's answers.

CQUEST latest version

The latest version of CQUEST builds upon the previous questionnaire, and encompasses lessons learned from good practice frameworks and feedback from supervisors and firms. The PRA and FCA continue to review the performance of its supervisory tools to achieve its statutory objectives and for the sector's benefit.

Specific instructions on how to complete the questionnaire is provided in the CQUEST cover sheet.

More information

• STAR-FS Implementation guide – Threat Intelligence Led Penetration Testing for Financial Services (pdf)
• STAR-FS Scope Specification (pdf)
• STAR-FS Targeting Report Specification (pdf)
• STAR-FS Threat Intelligence Report Specification (pdf)
• STAR-FS Penetration Test Report Specification (pdf)
• STAR-FS Remediation Plan Template (pdf)
• STAR-FS Regulator Summary (pdf)
• STAR-FS Threat Intelligence Maturity Assessment Guide (pdf)
• STAR-FS Detection & Response Assessment Guide (pdf)
• CBEST implementation guide 
• CQUEST
• Recent speeches on operational resilience
• 2021 CBEST thematic findings
• 2022 CBEST thematic findings
• 2023 CBEST thematic findings
• 2024 CBEST thematic findings
•