In May the PRA’s Lyndon Nelson gave a speech about the development of the Regulator’s response to cyber risk. In his speech he:
- made clear that the PRA’s approach is focused on the testing of firms’ resilience to cyber risk and the use simulation exercises to rehearse responses to cyberattacks
- Noted the high detection rate of inadequate cyber hygiene across the PRA’s testing
- Indicated that the PRA plans to extend its cyber stress testing and simulation exercises beyond the largest firms
- Noted how the composition of attacks has shifted towards the exploitation of third-party/outsourced relationships, which has highlighted the likely future additional exposure where a firm uses a “patchwork” of its own services and outsourced providers.
For firms getting to grips with the PRA and FCA’s policy statements on operational resilience, published in March 2021, these comments may not come as a great surprise. However, as acknowledged by Nelson one of, if not the, most significant challenges posed by operational and cyber resilience is likely to be around outsourced services and technology. He noted the connection between the size and market dominance of an outsourced service provider and its systemic vulnerability.