UK Treasury Committee to Focus Regulators on System Availability and Cloud Concentration Risk
How Citihub Digital helps clients assess and mitigate resilience risks
On 28 October, the Treasury Committee issued the findings of its investigation into a string of high-profile IT outages in the UK’s financial services sector. The report directs regulators to intervene to improve the operational resilience of systemically important systems. This is expected to include:
- Increased levies to fund a recruitment drive that will enable regulators to focus on the specific challenges of IT resilience;
- Expanding the Senior Managers regime to include Financial Market Infrastructure firms (e.g. those that provide payments systems);
- A specific focus on the concentration risks associated with third-party providers (the report specifically highlights cloud services providers).
Several things stand out. Firstly, the report highlights that the cost and complexity of system upgrades cannot be used as an excuse for not replacing legacy systems. It directs regulators to make specific interventions to ensure that customers are not exposed to the inherent risks associated with these legacy systems. Secondly, the identification of the concentration risk with, and the systemic importance of, the CSP market is a first. Furthermore, it is supported by the strong suggestion that it may now be necessary to regulate the operational resilience of CSPs.
The implications will be far-reaching, both for the operational resilience programmes that most financial services firms are mobilising and for how replacements for legacy systems are engineered, sourced and provisioned. Since 2007, Citihub has worked extensively with leading financial institutions to proactively identify and mitigate Application Availability Risk. Our proprietary Application Availability Assessment (AAA) methodology has been used across the street to assess systemic risks in 200+ mission-critical applications and to scope, prioritise and fund mitigation. In 2018, AAA was developed further and has now become Application Risk Assurance (ARA), to recognise the changing focus and priorities of both regulators and institutions, and to combine client feedback with the experiences of the Citihub team.
The ARA’s philosophy is:
- Holistic – it considers the entire IT stack crossing the boundaries between application and infrastructure and spanning all aspects of people, process and technology;
- Rapid – it encompasses a wide spectrum of review areas using detailed questionnaires, risk/availability data points and design artefacts to accelerate the assessment and quickly develop a deep understanding of systems and risks;
- Risk Focussed – it identifies current and future risks, rated by impact severity and probability;
- Actionable – it produces prioritised actions and actionable mitigations that are ordered by benefit and complexity;
- Constructive – proven models and decision support materials help stakeholders make well-informed and effective decisions to either accept risks or take action;
- Tried & Tested – the framework and standard artefacts have been successfully used in more than 40 client engagements covering 200+ applications.
Citihub’s practitioners have deep financial services expertise across the whole of the IT stack. Using these skills, the approach is a structured engagement of stakeholders across (often) siloed functions: IT, Application Development, Operations, IT Sec and Risk. It embraces the observed best practices and international standards that are used by regulators as an assessment baseline (e.g. ISO27001 for Information Security as the baseline and the NCSC Cyber Risk Assessment as the minimum assessment bar). The assessment process uses an evidence-based method (e.g. architecture designs, asset registers, risk registers, help desk tickets and so on) as well as Citihub’s own experiences.
The outputs of the ARA are designed to position clients to avoid enforcement actions. Specifically, the deliverables highlight critical risks and their remediations, providing a solid baseline and a well-defined plan of remedial actions.
After a number of high-profile IT outages at several large banks, regulators are being directed towards an increased focus on operational resilience. Partner Ian O’Hara discusses how Citihub Consulting is helping clients to mitigate application availability and resilience risks.