On a topic that has been a core priority of the Financial Stability Board in various guises since 2013, and a core component of the 2021 work program, Hong Kong's Securities and Futures Commission (SFC) joined the chorus with its publication of the Report on Operational Resilience and Remote Working Arrangements (the Report) on 4 October 2021. Much of the Report brings together supervisory discussions with licensed corporations (LCs) during the COVID-19 pandemic and draws on international best practices.
The initial stages of the pandemic in 2020 proved to be a live testing ground for LCs who quickly had to understand the reliability of their information systems, adaptability of internal controls, facilities available for providing client services and the management of third-party service providers. A high degree of operational resilience (i.e. the ability to prevent, adapt, respond to, recover and learn from operational disruptions) helped many LCs to maintain business as usual. Remote working, particularly working from home, has now become part of many LCs’ ongoing business continuity strategy.
A. Operational resilience
The Report lays down a set of operational resilience standards covering:
- operational risk management;
- information and communication technology including cybersecurity;
- third-party dependency risk management; and
- business continuity plan and incident management.
To strengthen operational resilience, it is crucial for LCs to build a framework to prepare for, adapt and respond to disruptive incidents. The Report sets out the SFC’s (i) required implementation measures (which supplement the SFC’s existing guidance), (ii) suggested techniques and procedures for an effective governance framework and (iii) case examples in respect of each operational resilience standard. We have summarised the key measures in Table 1.
LCs are also advised to implement all necessary policies, procedures and controls commensurate with their business size and complexity. This framework should be effective in ensuring compliance with the operational resilience standards and required implementation measures.
B. Remote working
The Report sets out the expected regulatory standards for managing risks of remote working, which we have summarised in Table 2.
We note in particular that, given a hybrid mode of working is highly likely to continue, LCs should be particularly vigilant when it comes to cybersecurity, information security and data privacy. Once again, LCs will need to consider this in light of their size to ensure the effectiveness of the framework adopted for complying with the expected regulatory standards.
The UK’s approach
The UK is further advanced on this theme, having commenced work three years ago, which culminated in March 2021 with the UK’s Financial Conduct Authority, Prudential Regulatory Authority and the Bank of England publishing a joint final policy on operational resilience (Policy Statement 21/3 Building Operational Resilience), which requires financial institutions to:
- by 31 March 2022, have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so; and have identified any vulnerabilities in their operational resilience; and
- as soon as possible after 31 March 2022, and no later than 31 March 2025, have performed mapping and testing so that they are able to remain within impact tolerances for each important business service; and have made the necessary investments to enable them to operate consistently within their impact tolerances.
The SFC’s focus on operational resilience offers an important guide on how to consider, among other things, governance, third-party risk management and business continuity issues ahead of time. It is expected that the operational resilience landscape will continue to develop at both a domestic and an international level, with the UK providing a good sense of direction of what this will look like in its final state. As very few information technology structures are “jurisdiction specific”, LCs operating cross-border should be mindful of the regulatory position in multiple countries and prepare to respond to this rapidly changing area.
We recommend that LCs:
- understand the inherent risks by carrying out a mapping exercise on the LC’s resilience at regular intervals to highlight key areas to develop;
- address the risks identified by taking decisive and effective actions to maintain operational resilience;
- conduct ongoing reviews of evolving risks – both internally and as observed in other LCs;
- build a robust governance structure with accountability by senior management – this may include reporting operational risk events and other assessments at board meetings; and
- follow regulators’ recommendations where available.
Although regulatory expectations are increasing, LCs can benefit from a holistic operational resilience framework if risks are properly managed. We will continue to keep you up to date on the upcoming regulatory developments in this area.