The FCA is collaborating with its regulatory peers to introduce new rules around operational resilience, seeking to mitigate ‘intolerable harm’ arising from disruptive events

In July 2024, the distribution of a faulty update to American cyber security company CrowdStrike’s Falcon sensor software caused millions of systems to crash in what is viewed as one of the largest outages in the history of information technology (IT).

At the time, Microsoft estimated that around 8.5 million Windows devices were directly impacted by the incident.

David Thompson, senior consultant at compliance consultancy Branko, recalled the “chaos” that ensued following CrowdStrike’s global update. The aviation sector, for example, reported that numerous planes had been grounded due to associated IT issues, with organisations such as Ryanair and Edinburgh Airport experiencing challenges.

“[Regulators] want to make sure that, as far as possible, nothing like that hits the financial services industry again,” he told Insurance Times.

“They’ve seen the impact this [type of event] can have if it goes wrong and one of their wider objectives is maintaining financial stability and market integrity. Obviously, if some very big players have problems, that could cause big problems.”

However, Matthew Connell, director of policy and public affairs at the Chartered Insurance Institute, argued that the UK’s increasingly tempestuous geopolitical environment means that further operational shocks for businesses are likely, so “it makes sense on a strategic level to think about how insurers deal with these more turbulent times”.

For example, Connell singled out the increasing propensity for organisations to store data in the cloud as a particular vulnerability. He continued: “If that was to go, there would be a huge amount of operational disruption.”

Setting tolerance levels

Luckily, the operational resilience of financial services companies has already been front of mind for the sector’s regulators.

For example, the FCA has been working with the Prudential Regulation Authority (PRA) on developing a new regime to help improve firms’ operational resilience – this has been “a long time coming”, according to Michael Sicsic, managing partner at regulatory and risk consultancy Sicsic Advisory.

Following a three-year transition period which concludes on 31 March 2025, the joint regime – PS21/3 Building operational resilience – will “finally” come into effect, Sicsic said.

Therefore – from 1 April at the earliest – both the FCA and the PRA will expect all insurers and large brokers, defined as those subject to enhanced supervision under the Senior Managers and Certification Regime (SM&CR) rules, to be able to demonstrate they are operationally resilient.

This requirement means that only the biggest brokers, typically not extending beyond the top 10 firms with “much bigger” market share, will be subject to the new regime, pointed out David Sparkes, regulation director at trade association Biba.

This new operational resilience regime is effectively a mini stress test. It puts an onus on firms to highlight important business services that could cause “intolerable” levels of harm if they were disrupted.

Sparkes said: “That doesn’t mean [the firm] will never have a problem. It just means that when [it does] have a problem, it sits within the impact tolerance the firm has set.”

Third party clarity

In December 2024, the FCA and PRA published a consultation paper entitled CP24/28: Operational incident and third party reporting. This is due to close on 13 March 2025.

This paper beefs up the FCA’s principles-based approach within its existing operational resilience framework, proposing a new set of more prescriptive rules for firms around reporting incidents and registering third party suppliers.

The incident reporting rules, which will apply to all FCA authorised firms, set out three thresholds for when firms should report incidents.

These include incidents that could cause or have caused “intolerable levels of harm” to consumers, situations that could pose or have posed a risk to market stability or confidence in the UK financial system, or events impacting the safety and soundness of the firm and other market participants.

These proposals also set a lower bar for firms to report incidents. This is designed to encourage the reporting of incidents before any “intolerable harm” crystallises, or where harm has already occurred but the firm does not yet know its full extent.

In addition, firms will be required to maintain a register of material third party arrangements, which must be submitted to the regulators and kept up to date on an annual basis, explained Dom Pereira, associate at solicitors HFW.

These rules will only apply to the same group of larger companies that are already required to demonstrate their operational resilience.

Under this set of proposals, these affected firms will additionally have to let the regulators know if they are about to enter into or amend an agreement with a third party service provider.

Unlike current reporting arrangements, which only apply to outsourcing, the new requirements will include the purchase of data, hardware, software and other IT products, such as the design and build of an on-premise IT platform.

Based on the information supplied, HM Treasury will identify firms that are deemed to be critical suppliers to the infrastructure of UK financial services, guided by the regulators’ recommendations.

Whether or not a third party supplier counts as critical depends on the number of customers it has and the impact its failure could have on the wider financial markets, added Sparkes.

This means, for example, that brokers’ software house partners are unlikely to count as critical suppliers. Sparkes said: “Even the biggest software house wouldn’t cause a market failure.”

A ‘sensible move’

The introduction of any new requirements – even those around operational resilience – may look to be at odds with the Labour government’s wider push to ease regulatory requirements on businesses.

But Sparkes believes the operational resilience regime is a “sensible move” by regulators to ensure good outcomes for customers.

The new rules also provide greater clarity for insurance companies on what constitutes an operational incident, as well as providing standardised templates for the notification process, added Pereira.

“There is a bit more certainty, which insurers and brokers have been saying was lacking,” he noted.

In addition, improved operational resilience will help to foster a “stronger” market.

Pereira continued: “By designating an entity as a critical third party, that entity will then be subject to a higher level of regulatory oversight under the critical third parties regime.

“Off the back of this, the critical third party should hopefully have better operational resilience, which in turn leads to benefits for insurers and brokers.”