On 8 March 2022, the Financial Conduct Authority (FCA) published a guidance note on points that firms should consider for maintaining appropriate operational and cyber resilience in light of the Ukraine conflict.
On 3 March 2022, the FCA had published a statement acknowledging the significant impact on financial markets, and reminded issuers of securities admitted to UK trading venues of their disclosure obligations under the UK Market Abuse Regulation (MAR).
In the guidance note, the FCA recommends regulated firms be cyber-vigilant and follow the National Cyber Security Centre’s guidance on improving security.
The FCA also recommends firms assess their own ability, and the ability of their third-party providers, to withstand a cyberattack and be well prepared for any unexpected real threat. This may include, for example, raising staff awareness and ensuring adequate staffing levels.
The FCA emphasises that firms should take appropriate steps to manage their operational risk, including:
- Important business services: consider the implications of UK/US/EU sanctions and how they may impact the firm and its third-party providers, including the ability of the firm to continue to deliver its important business services.
- Business continuity and incident management: ensure business continuity and incident management arrangements are up to date, so that firms can continue to function and meet their regulatory obligations in the event of unforeseen disruption.
- Report incidents: be ready to report material operational incidents to the FCA in a timely manner. During this period, the FCA and other UK authorities should be notified quickly of developing cyberincidents or outages, so they can provide specialist guidance and work with firms to minimise harm to consumers, markets and the wider UK financial sector.
- False information: be alert to the risk of false information being shared about the firm's operations, such as information shared on social media. If false information is circulated about a firm, the firm should have a prompt and clear response to prevent that information being acted on.
The FCA’s new rules on building operational resilience (published in FCA Policy Statement 21/3) come into effect on 31 March 2022 and are designed to ensure business interruption due to any unforeseen event is minimised.
Firms should be mindful of the latest developments in ensuring compliance with these new rules.