Operational Resilience

Appropriate governance, alongside training, incident response management, reporting and remediation structures, is fundamental to ensuring the operational resilience of critical technology systems.

Boards and senior management should have a strong understanding of the state of their operational systems and technology and commit to continuously enhancing this to align with the changing risk landscape. Where improvement or remediation is required, boards and senior management should ensure there is sufficient capability and resourcing available. 

We recommend you understand the maturity of your technological systems and regularly review them to identify potential weaknesses. This can include reviewing whether technology systems and their controls are operating effectively and as intended, through adequate testing and quality assurance. 

You should frequently review your outsource providers to assess their criticality. This can involve identifying key services and assets which, if compromised, would cause significant risk or disruption to your business and its activities, or impact on your customers.  Once critical assets and services have been identified, any associated risks can also be assessed. Processes and controls to mitigate the risk of an incident, such as contingency plans, can then be built around the criticality of each asset/service.  

We recommend you also consider if the information held or processed by outsource providers is confidential or sensitive.  

Cyber risks encompass any potential risk of loss, disruption, or damage an entity may experience due to a failure in its information technology systems. Cyber resilience is an important part of wider operational resilience.  

We suggest you take steps to understand and regularly review your cyber resilience, in order to identify vulnerabilities specific to your business. Cyber security controls, processes and policies should be reviewed, tested, and updated frequently, especially in light of any changes in your licensed market service, or trends in the threat landscape. Similarly, you should monitor for any alerts that may critically impact your outsource providers. As with the self-assessment exercise in the FMA’s 2019 thematic, you can use a recognized cybersecurity framework to evaluate your cyber resilience (for example the NIST cybersecurity framework).  

To ensure you can resume operations without undue delay following a disruption, you should establish and maintain a robust business continuity plan (BCP) with well-defined roles, responsibilities, and accountabilities. This is a requirement under the standard conditions of most market services licensees.  

Your BCP should include documented procedures that are tailored to the size and/or complexity of the service and/or product you provide, and can guide how you respond, recover, resume, and restore operations to a predefined level following a disruption. Your BCP should be reviewed, tested and updated on a regular basis to align with emerging risks or changes in the threat landscape – and at least annually.

When responding to an incident, you should immediately enact your business continuity and incident management plans.  This will ensure clear roles and accountabilities are in place to support your response and recovery from the incident, and your operations can resume without undue delay. These plans should help manage communication with customers and other stakeholders during the incidents, as well as support you to carry out remediation activity for impacted customers.

For material operational incidents, you should also consider your reporting obligations to the FMA. 

Once an incident has been resolved, we recommend you conduct a thorough inquiry to understand the root cause and capture it through a post incident report (PIR). A recovery timeline and the progress of the remediation, including any customer remediation, may also be included in the PIR.  

Entities may consider engaging a third party to conduct an independent review to ascertain the cause of the incident, especially where technology and cyber capability is not available within the entity.