In the wake of the recent TSB outage, the Bank of England is planning to set a "minimum level of service" provision for banks hit by tech meltdowns or cyberattacks.
Citing the TSB outage and the 2012 RBS fiasco, Lyndon Nelson, deputy chief executive of the BOE’s Prudential Regulation Authority told a conference that a growing reliance on technology means that there has been an "increase in the number of operational incidents - be they caused by internal failures or from external attack".
To tackle this risk, the central bank's Financial Policy Committee has been considering its tolerance for disruption to the key economic functions that the finance sector performs.
As part of this work "it is likely that the FPC will set a minimum level of service provision it expects for the delivery of key economic functions in the event of a severe but plausible operational disruption," Nelson told his audience.
The bank is working with the FCA on a discussion paper as it builds a common framework for regulators looking to ensure firms' resilience in the face of tech-based problems.
"I would like our firms to be on a WAR footing: withstand; absorb; recover," said Nelson, adding that firm will be expected to set their own tolerances for key business services. They should also regularly test their approaches to incidents and have viable contingency plans in place for the resumption of critical functions.
Nelson also touched on a growing concern for regulators around the world: the increasing reliance of financial services firms on a small number of third party tech providers, particular when it comes to the cloud.
He warned: "[T]he dominance of just a few providers means that many buyers are not in a strong position to negotiate contract terms with their cloud provider. This can leave them badly squeezed between regulatory requirements that will often look through an outsourcing and little leverage with their cloud supplier who is unregulated to deliver against the regulations.
"The concentration of providers is also a concern - given the contagion effect and it has to be acknowledged that they must be a very tempting target to any cyber criminal."
