Financial services firms have been given three months to show regulators how their IT systems will manage the risk of cyber-attack or changes in technology.
The Bank of England, Financial Conduct Authority and Prudential Regulation Authority issued a questionnaire asking companies to respond to a key question about the resilience of their technology systems. Firms have until 5 October to reply.
The regulators want to know how services can be maintained whatever the source of disruption.
A statement from the regulators said: “The challenges for operational resilience have become even more demanding given a hostile cyber-environment and large-scale technological changes.
“As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers.”
“An operational disruption such as one caused by a cyber-attack, failed outsourcing or technological change could impact financial stability by posing a risk to the supply of vital services on which the real economy depends, threaten the viability of individual firms and FMIs, and cause harm to consumers and other market participants in the financial system.”
The demand from regulators comes after TSB bank’s IT systems went down earlier this year, leaving thousands of customers shut out of their accounts.
The debacle prompted calls for the resignation of chief executive Paul Pester, and underlined the fragility of some IT systems in financial services. Pester was forced into a public apology, though Richard Meddings, TSB’s chairman, has defended his CEO.
In April it was reported that seven of the UK’s biggest banks were targeted last year by a massive cyber-attack that caused reduced operations or the shutdown of entire systems.
Jo Goodall, senior investigating officer at the National Crime Agency, said: “Cyber crime, by default, is a threat that crosses borders and our response must be one that utilises the close international law enforcement collaboration that is crucial to tackling this threat.”
She added: “Cyber offenders can act against UK targets from anywhere in the world and this means UK-based offenders can also attack targets in any country. Our success depends on law enforcement, government and industry working together to fight cybercrime.”
Last year’s bank attack involved the use of a website, webstresser.org, to launch so-called distributed denial-of-service (DDoS) attacks. Police in the UK, Netherlands, Serbia, Croatia and Canada were involved in shutting down the site.