The Regulator is on to YOU.

The Financial Services regulator has, in recent times, taken a very close interest in the operational resilience of organisations over which they have influence. Consequently, these organisations have a responsibility to ensure that their Important Business Services (IBS) are robust, stable and available to customers 24/7. Unavailability of business services, regardless of the cause, serve only to frustrate customers, damage reputations and potentially result in significant sanctions from the regulator.

In considering how to best to bring about changes in the way financial institutions think about their operational resilience the Financial Services regulator published their expectations in March of 2021, these included:

  • Requiring institutions to identify their IBS and to map the assets and resources that support them.
  • An expectation that institutions identify their vulnerabilities and invest in protecting them and their customers.
  • An assumption that operational disruptions will happen and that institutions are prepared to respond to them effectively.

The regulations come into force in March 2022 and the implementation period ends. A three year transitional period then begins during which time businesses must address gaps and vulnerabilities as soon as is reasonably practicable. This transitional period ends in March 2025.

What is the threat?

While there are many reasons that an IBS could be adversely impacted it is acknowledged that one of the most likely and disruptive is a cyber-attack and these are increasing exponentially in both frequency and sophistication. The occurrence of a successful and damaging cyber-attack on a financial institution is not a case of if, it is a case of when, and while every institution has controls in place to mitigate the risk many have not determined in detail how they would recover IBS when an attack has actually occurred.

There are many different types of cyber-attack, of which any one could affect your business. I do not intend to go into details of each as these will be well known to your operational resilience and threat monitoring teams.

By far the most common is ransomware and consequently it is defence against this type of attack that most businesses focus their attention on. With ransomware attacks there is nearly always a solution, as the name suggests, by paying the ransom. However, there are many more destructive forms of attack from which there is no easy recovery.

So what should/could you do?

Having robust and regularly tested controls measures in place will help in providing reassurance to customers, third parties, regulators and Board, however, consider a situation where all of your existing controls have been breached and you are now being subjected to a sustained attack. A prolonged period of threat identification, damage containment and system rebuild will invariably push recovery times beyond risk appetite.

Imagine having an offline copy of up to date and immutable IBS components, including the supporting critical infrastructure elements from which these IBS could be reinstated quickly and with confidence. This possibility exists with the development of a bespoke Cyber Recovery solution that has been designed to meet your own individual requirements and to integrate with your own specific resilience posture, control measures and risk appetite.

Barclay Simpson Solutions has significant expertise in developing Cyber Recovery solutions, if this is something you wish to explore further reach out, we are waiting to talk to you.

Empower change through Barclay Simpson Solutions’ bespoke delivery model

Your vision for change and improvement should not be compromised by blueprint consultancy delivery models. Barclay Simpson Solutions creates bespoke, tailor-made, and adaptable solutions to suit the individual needs of your organisation and your project. Get in touch today to discuss your needs:

Barclay Simpson Solutions

20 Farringdon Street, London EC4 4AB

Tel: 020 7936 8999 Email:

Share this

Looking for more?

Contact us

What we think

  • Meet the team: Chris Wilkinson, director at BSS
  • Understanding the Minimum Viable Company, Important Business Services and Minimum Viable Service Concepts for Cyber Recovery
  • Continuity of Important Business Services – Recovery from Cyber Attack