What is PS21/3? Why time’s running out to comply with the UK’s DORA

Plenty has been written about the need for financial services firms to enhance operational resilience. But most of those column inches have until now focused on the EU’s Digital Operational Resilience Act (DORA), which came into force in January – even if many UK banks may not yet be compliant. Arguably more important for a larger number of British financial services companies is the Financial Conduct Authority (FCA)’s new Policy Statement: PS21/3.

Alongside the Prudential Regulation Authority (PRA)’s Supervisory Statement SS1/21, it forms a series of exacting new requirements for the sector that must be in place by 31 March 2025. For any organisations thinking of quietly deprioritising these efforts, a “Dear CEO” letter from the FCA in early February should focus minds.

The bottom line is that the regulator expects compliance. Fortunately, ISO 27001 can help in-scope organisations to create the culture of operational resilience that the FCA, PRA and DORA demand.

Digital change means digital risk

Like most sectors, financial services has grown steadily more dependent on digital infrastructure to stay competitive and provide the seamless online experiences that customers crave. As of 2024, some 86% of UK adults used online banking, and the figure for online and mobile banking is expected to keep climbing over the coming years – thanks partly to the disruptive impact of fintech firms. The UK market for these businesses is set to be worth over $24bn (£19bn) by 2029.

The challenge with the growing pace of this digital transformation is the extra risk that comes with it. An increasing reliance on technology exposes banks and other firms to a greater risk of digital extortion, primarily from ransomware, while at the same time expanding the attack surface so that breaches become almost inevitable. That’s a potentially serious reputational and financial risk. According to the International Monetary Fund (IMF)’s Global Financial Stability Report, more than 20,000 attacks on the banking sector have caused losses exceeding $12bn (£9.5bn) over the past 20 years. Additionally, “extreme losses” have more than quadrupled since 2017 to $2.5bn (£2bn).

However, cyber risk does not always stem from malicious third parties. At the end of January, a major Barclays IT outage left countless customers high and dry, unable to pay taxes, bills and mortgage payments, or even access correct information on their accounts. The fallout has been predictably torrid for the high street lender, which at the time of writing had still not explained the cause of the incident.

What the FCA wants

That’s why the FCA for one appears to be keen to increase regulatory requirements around digital operational resilience in the sector. PS21/3 demands that banks, building societies, insurers, payment providers and others get the following in order before the end of March:

  • Identify the organisation’s most important business services and keep them regularly under review
  • Set impact tolerances for each of these services and regularly review them
  • Identify and document the people, processes, technology, facilities, and information needed to deliver key services. This includes any supplier relationships which could impact the organisation’s ability to remain within impact tolerance limits
  • Develop testing plans which describe how the organisation can remain within impact tolerances for each “important business service” – identifying plausible scenarios aligned to risks and vulnerabilities. This will help senior managers ensure vulnerability remediation plans are appropriately funded
  • Develop and test incident response plans
  • Deliver a self-assessment in line with handbook guidance to the relevant governing body. This should highlight the organisation’s journey to operational resilience, including an overview of vulnerabilities found, scenarios tested (plus their outcome), remediation plans, and the overall strategy for remaining within impact tolerances for all important business services
  • Regular horizon scanning to help understand new and emerging risks, and ensure the right controls are in place to detect, respond to and recover from operational disruptions

The FCA has already published some observations on current compliance efforts, which it says should help to guide financial services companies as they assess readiness and finalise PS21/3 plans. The regulator is particularly keen to ensure that third-party risk is continuously and actively managed by in-scope companies, including through testing where appropriate, and that remediation plans are fully funded. It also demands that complying organisations do not treat PS21/3 as a “once and done activity”, but instead embed its requirements into corporate culture.

How ISO 27001 can help

This is where ISO 27001 comes into its own. According to ISMS.online chief product officer, Sam Peters, there’s alignment between the standard and PS21/3 in multiple key areas, including:

Governance and Accountability

Both emphasise leadership accountability in setting and overseeing resilience strategies.

Impact Tolerance and Risk Management

Both require risk-based decision-making and setting risk thresholds to maintain resilience.

Testing and Scenario Analysis

Both require regular testing to assess and improve operational resilience so that organisations can handle disruptions effectively.

Third-Party Risk Management

Both require due diligence on third parties, although ISO 27001 provides a structured approach for managing supplier security risks.

Incident Reporting and Response

Both require incident response planning, although “ISO 27001 goes further by ensuring incident handling is documented, monitored, and improved over time,” according to Peters.

Continuous Improvement and Learning from Disruptions

Both emphasise learning from disruptions to continuously enhance resilience.

“Firms using ISO 27001 already have a solid foundation for meeting FCA resilience requirements, especially in risk management, incident response and continuous improvement,” says Peters. “By leveraging ISO 27001, financial services firms can strengthen compliance with FCA rules while enhancing their overall security posture and resilience.”

As mentioned, the new FCA rules also share core principles around operational resilience with DORA. This includes greater leadership accountability, third-party resilience, improved incident response, and “mapping critical services, identifying vulnerabilities, and setting risk thresholds,” says Peters. Although the two regimes differ in terms of scope and enforcement, this offers an opportunity for UK financial firms operating in the EU to align FCA operational resilience strategies with DORA’s, using ISO 27001 as a foundation.

This will ultimately “help streamline compliance efforts and reduce regulatory risks”, Peters concludes.

This article was originally published on ISMS.online.


Will the Data Protection and Digital Information Bill actually cut red tape?


The government’s much-vaunted successor to the GDPR is still working its way through parliament. The Tories are hoping for obvious reasons that it shows how nimble the UK can be in post-Brexit regulation. But will the Data Protection and Digital Information Bill (DPDI) actually achieve the operational compliance benefits for UK PLC that the government is claiming?

Legal experts I spoke to for a new feature are sceptical.

To cut or not to cut?

Cutting red tape is one of the government’s biggest claims for the legislation, which it says will end up saving UK organisations billions over the coming decade. The government claims it will reduce “pointless paperwork” without impacting data adequacy with the EU, which is essential to seamless cross-border data flows.

Antonis Patrikios, global co-chair of global privacy and cybersecurity at Dentons, argues that it could make life easier for some firms.

“It could do so by significantly reducing the instances in which documented assessments or records of processing are required or replacing the requirement for the statutory role of the Data Protection Officer (DPO) with a requirement to appoint a Senior Responsible Individual, a member of senior management,” he tells me.

However, Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice, says that these benefits will only be felt by organisations that are subject solely to the UK GDPR. In other words, those with operations in the EU must either choose to maintain two separate compliance regimes, or else make life easier by sticking to the EU GDPR regime—which they’re allowed to under the new DPDI. If they do the latter, they’ll miss out on those much-touted red tape-cutting benefits.

“Businesses that have an existing compliance programme in place which meets the requirements of the EU GDPR may choose to maintain the status quo in certain respects even where not legally required (e.g., DPOs), given the benefits that doing so could have both for their internal processes and the external trust which will be gained by maintaining what are seen to be higher data protection standards,” Machin tells me. 

“But UK companies that are also subject to the EU GDPR—or vice versa—will still have to comply with the more restrictive EU standard. Given that most of these organisations are unlikely to operate dual compliance programmes, particularly where they have spent significant time and money building an EU GDPR compliance framework, the benefits of being subject to a lighter-touch UK regime will probably be limited.”

Bad timing

What’s more, the new bill couldn’t come at a worse time for compliance teams already facing new GDPR-like legislation in several US states. The good news is that there will be some crossover, according to Machin.

“Compliance teams tend to be overwhelmed at the best of times, and the flurry of new data laws in the UK, EU and US isn’t going to lessen their workloads. That said, the good(ish) news is that many of these laws are underpinned by the same, or very similar, core principles and obligations—particularly those around transparency, accountability, security and individual rights,” he concludes. 

“This means that existing compliance programmes can be tweaked to meet the new or differing requirements of these laws, rather than starting from scratch each time.” 


One Year to GDPR Compliance Deadline: Time to Panic Yet?

Europe’s new data protection laws might have been over a decade in the making but it would take about as long again to read every piece of advice that’s since been produced on how to comply. In search of some simple answers to a typically complex piece of European legislation, I asked a few legal experts on their thoughts.

With 13 months to go before the compliance deadline, organisations across the country will be scrabbling to ensure they’re not one of the unlucky ones caught out in the months following 25 May.

Start with the Data

Most experts I spoke to were in agreement that firms need to start by mapping their data – after all, you’ve got to know where it is and what you do with it first before working out how to keep it safe.

“For those that are compliant with existing laws, GDPR is going to be an evolution. For the others, it’s going to be a deep, radical change. In general, I think that every organisation should be working on assessing their current practices in light of GDPR,” Forrester analyst Enza Iannopollo told me.

“My advice is, regardless of the kind of support an organisation chooses, it must put together a team of internal people – hopefully the privacy team – and make sure that that team leads the work. Compliance with GDPR is not a one-off effort, but an ongoing process that has to be ingrained in firms’ business model,” she said.

Change the culture

That cultural change might be the hardest thing for organisations to achieve, although a good start is hiring a Data Protection Officer (DPO) – one of the key requirements of the GDPR. Another is the privacy impact assessment, which PwC’s US privacy lead, Jay Cline, recommends as a key stage once you’ve completed a data inventory.

“Data protection impact assessments (DPIAs) are the eyes and ears of the privacy office throughout the company,” he told me by email. “DPIAs are how chief privacy officers enlist the help of the whole company to keep their privacy controls current with all the change going on in the company.”

For Alexandra Leonidou, Senior Associate at Foot Anstey, there’ll be a key role for non-IT functions inside the organisation.

“Who needs to know about the GDPR? Who are the key stakeholders? This isn’t just something for IT, information security teams or data officers. Boards should be aware of the risks, and HR teams need to think about employee data. Getting GDPR compliance right will be critical for marketing and communications teams’ activity,” she told me.

“You will need to engage key stakeholders and implement measures that leave you with an acceptable level of commercial risk.”

Leonidou was also keen to stress the need for independence in the DPO role.

“Guidance from Europe suggests that this role is likely to be incompatible with certain existing C-suite executives,” she explained. “The awareness-raising that follows on from the allocation of accountability will be an ongoing process.”

For those still in the dark, some useful free resources include the Article 29 Working Party and our very own Information Commissioner’s Office. It’s also expected that even post-May 25, the regulators will give firms a little bedding in time before they start going after some high profile offenders.


The British People Have Spoken … and That’s Bad News for Tech

It’s hard to find an optimist in the cyber security industry in these post-referendum days. I spoke to a fair few for an upcoming feature for Infosecurity Magazine and the consensus seems to be that a Brexit will be bad for staffing, the digital economy and the financial stability of UK-based security vendors.

That’s not even to mention the legal and compliance implications. Chatham House associate fellow, Emily Taylor, recommended firms continue on the road to compliance with the European General Data Protection Regulation. Aside from the fact that any firms with EU customers will still need to comply with the far-reaching law, she reckons that if we want to protect the free flow of digital information between the EU and UK, we’ll need to continue following European laws in this area.

Snoopers gonna snoop

However, a Brexit would cause other problems, notably in that the current Snooper’s Charter looks like it will enshrine in legislation the principle of bulk surveillance – the very thing which effectively led to the scrapping of the Safe Harbour agreement between the US and EU. If this bill goes through as is and we go out of Europe but stay in the single market, we’ll have to change that bit, Taylor told me.

“A case brought by David Davis and Tom Watson questioning the legality of bulk surveillance powers under the old DRIPA laws is currently being considered by the CJEU,” she explained.

“It’s not clear which way the CJEU will go on this, because many member states have lined up to support the British approach. However, if CJEU follows its recent decisions, it could strike down bulk data collection. If we wanted to stay in the single market, we’d have to amend our IP Bill in response.”

Even if we broke away from Europe completely and adopted the status of a “third country” like the US, we’d still have to adopt measures “to give equivalent protection to EU citizens’ data as they enjoy within the EU,” she argued. And bulk surveillance would certainly be a no-no in this scenario.

The uncertainty – which could continue potentially for years while Brexit deals are worked out – is also viewed by many as damaging to the cyber security industry, and tech in general. Immigration lawyer and partner at MediVisas, Victoria Sharkey, claimed firms may be unwilling to employ skilled workers if there’s a chance they might have to leave in a couple of years’ time.

“This is certainly going to be the case where significant training and investment is involved,” she added.

In fact, EU nationals are apparently already packing their bags.

“I am already seeing EU nationals who have been here for years make plans to leave and either go home or go to another EU country. They are worried for their jobs, are worried that they will be told to leave and so would rather leave on their own terms, and they are also being made to feel unwelcome,” Sharkey continued.

“I feel that when we do leave that it is going to become significantly harder for UK employers to encourage the best in their industry to come and work in the UK.”

This, for an industry which has always struggled with skills gaps and shortages, is potentially catastrophic.

Can we overcome?

Philip Letts, CEO of global enterprise services platform blur Group, has run businesses in Silicon Valley and the UK. He also pointed out the potential damage that political and financial uncertainty could have on the industry.

“The politicians are in unchartered territory. We don’t yet have a clear timetable for the triggering of Article 50, nor the trade deals that are going to have to be negotiated. There is a political vacuum. Business confidence is low and many will hunker down, try to avoid risk and wait for this to play out,” he told me.

“Globally, the US tech heavyweights will want to remain in the UK and the EU, and they will do both, operating across different European centres. But the EU market is more lucrative than the UK, so things may shift over time.”

So is the tech and cyber security sector really doomed? Not so, according to KPMG UK head of technology, Tudor Aw.

“I believe the resilient UK tech sector can withstand the challenges of Brexit and thrive,” he told me.

“Technology is increasingly a key sector that underpins all other sectors – whether it be back office systems or strategic enablers such as IoT and data analytics. Companies will need to invest in technology to drive efficiencies and strategic growth – one only has to look at developments across a diverse range of sectors such as healthcare, automotive, property, retail and the military to see that technology spend will only increase regardless of Brexit.”

It’s a moot point now, but I wonder how much better it could have thrived had we not voted out on 23 June.