Operational Resilience for Financial Services: A Perspective from the U.S.

Regulators across the globe are working to mandate steps that financial services firms must take to ensure their operational resilience. This article looks at what’s happening in the United States.


Summary

As global financial centers advance their operational resilience frameworks, American financial enterprises are facing escalating responsibilities and requirements aimed at bolstering resilience. Pure Storage solutions can help financial firms address these evolving requirements.

As the global financial ecosystem has become more digital, complex, and interconnected, regulators and business leaders have recognized the vital importance of operational resilience (OR) to ensure the availability and integrity of global financial markets. From the groundbreaking DORA regulation in the EU, to APAC, and on to the U.S., rules have been enacted that mandate steps that businesses must take to ensure that the OR of their enterprise is maximized. While these rules and regulations have yet to become fully operational, the clock is ticking as the most comprehensive and far-reaching of the regulations is slated to be in place in early 2025. 

We took a global look at the subject of OR in our white paper, “Strengthening Operational Resilience in Financial Services,” and two blogs that focused on requirements in Europe and APAC. In this blog, we turn our attention to the United States, the largest capital market in the world, and sum things up with a look at the common denominators that global regulators and investors are likely to require to ensure resilience at financial services firms.

The U.S. Regulatory Approach to OR

In contrast to the EU, UK, and APAC, the development of an OR regime or standards is not as prescriptive in the U.S. To date, OR efforts have appeared in the forms of advisories or interagency cooperation rather than rules and regulations. Specifically, these have come from the Cybersecurity & Infrastructure Security Agency (CISA), Federal Financial Institutions Examination Council (FFIEC), and the National Cybersecurity Strategy (NCS) from the White House.

  • CISA is a part of the Department of Homeland Security and has responsibilities that include risk assessment, vulnerability reduction, threat detection, incident response, and the coordination of recovery efforts with other federal agencies, state and local government, and the private sector. CISA’s focus is on voluntary collaboration across all “critical infrastructures” in the U.S. 
  • FFIEC has a much broader and even less specific mandate than CISA. FFIEC is an interagency body composed of the heads of the five federal banking agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau. In general, its role is coordination and advisory, not regulation per se.
  • NCS from the White House was released in the spring of 2023. Its broad mandate extends beyond financial markets to include areas such as energy infrastructure and healthcare systems. Like nearly all efforts in the U.S., the NCS relies more on cooperation than regulation, and as a Government Accountability Office (GAO) report pointed out, to implement the strategy, the Administration needs to establish specific objectives and performance measures, resource requirements, and roles and responsibilities.¹

Financial services firms that operate solely within the United States are generally not required to adhere to strict OR principles or rules, but that likely isn’t where the story ends. For one, most financial institutions have some, or even substantial, operations outside of the U.S., exposing them to the more stringent requirements that exist elsewhere. Also, past precedent suggests that regulatory oversight of OR is likely to become more uniform and standardized over time. While the U.S. may currently have a liberal regime, that should not be expected to last. In fact, according to a recent statement by the Acting Comptroller of the Currency, federal banking agencies are currently considering changes to the U.S. operational resilience framework, reflecting the fact that “the sheer magnitude of what can be disrupted has increased significantly—a trend likely to continue for the foreseeable future.”²

Lastly, the global regulatory push to increase operational and cyber resilience oversight is a response to very real issues, trends, and threats. Simply put, it makes sense to get in front of OR issues and policies at your institution rather than waiting until it becomes a problem.

Common Threads for OR

Across the globe and in the United States, regulators are working to ensure that financial services companies significantly increase the time and attention that they put on operational resilience. Looking across all of these efforts, several themes emerge:

  • Shift from prevention to action: In the past, cybersecurity standards have largely emphasized prevention as the key activity to pursue. Now, with the focus shifting to resilience and the recognition that it’s not possible to prevent all disruptive events, the emphasis is placed on planning how to react to extreme but plausible events. In the future, OR plans will be more dynamic and inclusive, requiring more dynamic action, concerted attention, and committed resources.
  • Board or management involvement: In nearly all cases, regulators are weighing in on the levels of involvement and responsibility that management must shoulder when it comes to OR. The penalties and prescriptions are lightly defined at this point, but it’s likely that these will come into sharper focus as time passes. The management mandate may also serve as a basis for civil lawsuits in the case of an incident, leading to greater legal peril for both companies and their managers. 
  • Inclusion of third parties: In legacy security schemes, the focus on defense ended at the “four walls” of the enterprise, while new regimes expand the focus to the full ecosystem, including third-party service providers. In part, this is a nod to the industry’s dependence on hyperscalers like AWS and Azure, but it goes further to include software vendors and other service providers that have an outsized presence and influence. For example, in March 2024, the Federal Reserve Board announced updated risk management requirements for systemically important financial market utilities (FMUs) that provide critical clearing, payment, and other essential services. The updates focus on four key areas of operational risk management: incident management and notification; business continuity management and planning; third-party risk management; and review and testing of operational risk management measures.³
  • Audit and reporting: While OR regulatory programs in the U.S. currently lack “teeth” (fines and penalties for non-compliance), they do have specific requirements relating to auditing and reporting of both planning and incidents. With time, “teeth” are likely to emerge and evolve while, for now, failure to comply with requirements or follow recommended best practices may lead to exposure in civil lawsuits or other legal actions as well as potential reputational damage.
  • Training: Another mandate of most OR regulation is the requirement that training be both thorough and ongoing. Given the technical complexity of the modern enterprise, such training is likely to be complicated and somewhat expensive.

“As the threat surface for disruptions expands, and as authorities in other jurisdictions begin implementing their rules to ensure operational resilience, we are assessing and working with our interagency peers to develop the right approach here in the U.S.”

Michael Hsu, Acting Comptroller of the Currency

Pure Storage and Operational Resilience

In the United States, the focus on operational resilience within the financial and other “critical infrastructure” sectors can be expected to steadily intensify. As global financial centers from APAC to the EU and UK advance their operational resilience frameworks, the U.S. is also making significant strides. American financial enterprises are facing escalating responsibilities and requirements aimed at bolstering resilience. It’s becoming increasingly clear that over the next several years, financial institutions operating in the U.S. will be required to establish and uphold stricter operational resilience programs no matter where they operate.

Pure Storage, along with our partners, can help financial firms address these evolving requirements. Pure Storage solutions support operational resilience by design: Our all-flash configuration maximizes speed, simplicity, and flexibility. Our offerings come with built-in data protection capabilities, such as SafeMode, Rapid Restore, and the Pure1® Data Protection Assessment. Pure Storage also offers a ransomware recovery SLA in Evergreen//One and a Zero Data Loss Guarantee for both Evergreen//Forever and Evergreen//Flex. In all, financial firms can have peace of mind that maximum data security is built in at Pure Storage and that recovery in the event of a disruption will be optimized.

To learn more, download our white paper, “Strengthening Operational Resilience in Financial Services,” or contact us for a free expert consultation.

¹ https://www.gao.gov/products/gao-23-106826
² “U.S. Bank Regulators Weigh New Operational Resilience Requirements”
³ “Federal Reserve Board announces final rule that updates risk management requirements for certain systemically important financial market utilities (FMUs) supervised by the Board”