International Organization of Securities Commissions’ (IOSCO) consultation: Embedding resilience by design into the financial system
Earlier this year, the International Organization of Securities Commissions (IOSCO) – an international body that brings together the world's securities regulators and is recognized as the global standard setter for the securities sector – put out a request for feedback on the lessons learned regarding the operational resilience of trading venues and market intermediaries during the COVID-19 pandemic.
Following the consultation deadline last week, we take a look at the main items on the agenda and share the key points of our own response to the report.
In its consultation report, IOSCO concludes that the pandemic has increased cyber security risks, accelerated the use of existing, new and emerging technologies and exposed potential risks and vulnerabilities for businesses with outsourced or third-party operations.
It also identifies several lessons learned from the pandemic that, it states, should inform regulated entities’ future operational resilience arrangements, including:
- When evaluating their approaches to operational resilience, it is important for regulated entities to consider their full business process and all dependencies to adequately address risks and controls
- Regulated entities should review, update and test business continuity plans to ensure they reflect lessons learned from the pandemic
- Where solutions have been adopted with little testing or limited due diligence, regulated entities should back-test so as to confirm that the adopted systems are appropriate going forward
- Decentralized and remote work may increase the importance of monitoring processes to help ensure information security and prevent cyber-attacks
- Operational resilience means more than just technological solutions; it also depends on the regulated entity’s processes, premises and personnel
- It is important that regulated entities have an effective governance framework
Our recommendations – embedding resilience by design
The adoption of cloud, software and technology escrow solutions, using ‘Resilience by Design’ principles, can help organizations to meet the financial system’s increasing demand for risk management, business continuity and ongoing operational resilience. By focusing on resilience from the start, organizations will be well placed to meet evolving rules and regulation.
IOSCO’s existing guidance highlights the need for regulated entities to understand and map their third-party dependencies and associated risks. However, in our response to its consultation, we emphasized the difficulties in exhaustively identifying third-party supplier risk. A supplier’s overall risk profile is generally the result of a combination of a multitude of factors. Identifying all possible scenarios is likely disproportionate to its potential benefits, and risks increasing costs, creating barriers to innovation, and subsequently reducing access to financial services.
For that very reason, we believe that cloud, software and technology escrow solutions offer legal, technical and proportionate assurance to trading venues and market intermediaries, particularly where they embrace the concept of ‘Resilience by Design’. This approach would assume supplier failure by default, regardless of the supplier’s risk profile, and would encourage or mandate the use of cloud, software and technology escrow agreements as a proportionate and cost-effective way for regulated entities to mitigate supplier failure. Indeed, we have seen other regulators – such as the UK’s PRA and CISA in the US – encouraging organizations to utilize escrow solutions to strengthen resilience.
Wayne Scott, Regulatory Compliance Solutions Lead, NCC Group Software Resilience comments:
“We wholeheartedly agree with IOSCO’s assessment that the evolving risks facing financial services require sound risk management and improved business continuity.
In particular, we note and welcome the recommendation that contingency plans for those times when third-party services may be compromised or not provided for a prolonged period of time should be reviewed as a priority.
IOSCO’s guidance could be further strengthened and future-proofed by adopting more explicitly a ‘Resilience by Design’ approach, providing trading venues and market intermediaries with additional guidance on the practical steps they can take to implement the required sound risk management of third-party technologies and services.”