On 2 May 2018, the Bank of England (BoE) published its feedback to its February 2018 consultation which proposed a new rule relating to incident reporting for UK central counterparties (CCPs). The proposed new rule formalises the requirement for CCPs to notify the BoE of certain incidents having an impact on their information technology systems.

In its feedback to the consultation, the BoE states that it is proceeding with the new rule. The BoE also makes the following points in its feedback:

  • the rule requires a CCP to give the BoE written notice of an incident having a significant impact on the continuity of services it provides. The BoE has considered whether it would be beneficial to define the term ‘significant’, for instance, by reference to specified ex ante thresholds for reporting under this rule. However, it has concluded that CCPs would be better placed to determine the significance of the impact of an incident on the continuity of services they provide, given the broad scope of incidents that may occur and the wide-ranging impacts these could have, and has therefore chosen not to define the term;
  • under the rule a reportable incident is one that has an actual adverse effect on the security of information technology systems. This means that the cause of the incident is not the determinative factor in whether an incident needs to be reported, as the rule relates to the impact of the incident. The rule includes cyber incidents, non-cyber incidents, and incidents that are both cyber and non-cyber – i.e. any type of incident that has the relevant adverse effect; and
  • the rule requires CCPs to notify the BoE of relevant incidents as soon as reasonably practicable, which may include intraday reporting. CCPs, and financial market infrastructure (FMI) more generally, provide essential services that are vital to the stability of the financial system. The timeliness of an FMI’s intraday functions is critical in providing services. Additionally, the BoE has existing supervisory expectations of timely notification of incidents by FMIs.

The new rule is effective and binding on CCPs from 7 May 2018.