LONDON (Reuters) - Britain’s major banks will have to meet targets for recovering from cyber attacks and other disruptions to key services, a senior Bank of England official said on Wednesday.
Lyndon Nelson, deputy chief executive of the BoE’s Prudential Regulation Authority arm, said banks needed to be resilient to cyber attacks, or IT disruptions like those at British bank TSB (SABE.MC), where customers were unable to access their accounts because of computer problems.
He said the BoE’s Financial Policy Committee had been considering its “tolerance for disruptions” to key functions in the finance sector.
“As part of this work, it is likely that the FPC will set a minimum level of service provision it expects for the delivery of key economic functions in the event of a severe but plausible operational disruption,” Nelson told a conference.
The BoE will publish a discussion paper on operational resilience.
“I expect this to be a substantial body of work, so it is likely that we will ... focus on some key economic functions and key providers,” Nelson added.
He said that “tolerances” for IT outages would use a combination of benchmarks, such as time, volume of business, and market share.
Nelson said financial services companies were often at their most vulnerable when embarking on change.
“They often discover too late that weaknesses in their resilience can jeopardize the success of a major project even if those involved believe that they have carried out robust testing,” he said.
TSB, owned since 2015 by Spanish bank Sabadell, found that thousands of customers were locked out of their accounts after a botched migration of its computer systems. Some of its customers’ accounts were hit by fraud.
“It is not surprising ... that management and boards of firms have been pushing operational resilience ever higher on their agenda,” Nelson said.
He said firms would have to test their tolerances and demonstrate to their supervisors that they had concrete measures in place to deliver resilient services.
“And firms need to be able to recover from an operational incident. This requires viable, tested contingency plans for the resumption of critical functions.”
Reporting by Huw Jones; Editing by Catherine Evans and Jane Merriman