The recent cyberattack on Tesco Bank’s IT systems has prompted Rt Hon. Andrew Tyrie MP, Chairman of the Treasury Committee, to call on regulators to take action against vulnerable bank IT systems:

“Making sure that banks improve their IT systems, and their resilience to cybercrime, is also a responsibility of regulators. We will raise this issue with them again shortly. We can’t carry on like this.”

The call follows earlier correspondence on this topic between Andrew Tyrie, various major UK banks, the FCA and the PRA.

In anticipation of greater regulatory scrutiny on IT outsourcings by financial services firms, here are 3 preparatory steps that regulated entities should consider taking:

1. Re-evaluate material outsourcings against regulatory requirements – It is advisable to re-evaluate whether material outsourcing arrangements meet the relevant regulatory requirements (both in relation to the outsourcing arrangements themselves, and firms’ retained oversight functions). Chief among these requirements are SYSC 8 from a banking perspective, and Solvency II from an insurance perspective. The FCA’s recently updated guidance for firms outsourcing to the ‘cloud’ and other third party IT services will also be relevant. Such guidance includes greater clarity on issues relating to physical access, risk management expectations, data access provisions and expectations around exit plans.
2. Review service level performance and consider whether service levels are incentivising the right behaviours – An important factor in complying with the above requirements will be the documented service levels that apply to each outsourcing arrangement. Review historic service level performance over the life of each arrangement and consider whether the service levels (which may have been originally agreed with a focus on the early phases of the outsourcing) are incentivising the right behaviours from both the supplier’s and the customer’s personnel.
3. Check how changes to regulatory requirements are addressed in key contracts – In preparation for potential regulatory action, it will also be important to check how changes to regulatory requirements are addressed in key outsourcing contracts, including: (i) whether the customer has the right to require compliance with updated requirements; (ii) the process for implementing any necessary changes; and (iii) how the costs of compliance will be split between the parties.The full Commons Select Committee press release can be accessed here

Maintaining the integrity, availability and confidentiality of data including by ensuring reliability of service providers and including robust contractual provisions when appointing them is also at the heart of the principles in the new General Data Protection Regulation (GDPR) coming into force in by 25th May 2018. Similarly, it drives the provisions of the Network and Information Security Directive (NISD) which will apply to many financial services institutions as critical infrastructure providers. The new GDPR significantly increases fines for non-compliance (€20,000,000 or 4% of global turnover) for data breaches, so financial institutions should be considering a wholesale review of their practices to ensure they meet the new standards.