On 13 December 2024, the Prudential Regulation Authority (PRA) issued Consultation Paper 17/24 ‘Operational resilience: Operational incident and outsourcing and third-party reporting’ (CP17/24).

Rationale

The proposed policy in CP17/24 would allow the PRA to collect good quality, consistent data focusing on operational incidents and material third-party arrangements which pose the most risk to firms and the financial sector.

Structure

Chapter 2 of CP17/24 sets out proposals relating to operational incident reporting; the PRA’s proposed expectations and requirements are found in Appendices 1 and 2. The proposed rules set out specific operational incident reporting requirements for firms, including a definition of an operational incident and clear, proportionate thresholds for reporting.

The operational incident reporting proposals would apply to the reporting of an ‘operational incident’, which the PRA proposes to define as either a single event or a series of linked events which disrupts the firm’s operations such that it: (i) disrupts the delivery of a service to an end user external to the firm; or (ii) impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.

The PRA proposes that firms would be required to report an operational incident when it meets one or more of the thresholds set by the PRA (see Chapter 24 of the Regulatory Reporting Part of the PRA Rulebook and Chapter 2 of the draft new supervisory statement in Appendix 2). A non-exhaustive list of examples of operational incidents which would breach the PRA’s incident reporting threshold has been set out in the draft new supervisory statement. These include cyber-attacks, process failures, system update failures and infrastructure problems.

Chapter 3 sets out proposals relating to outsourcing and third-party reporting. In this chapter the PRA is proposing to:

  • Expand the scope of existing third-party arrangements data collections to cover both material outsourcing and non-outsourcing (‘material third-party’) arrangements.
  • Require firms to submit material third-party Notifications in a standardised format, using a template which is aligned with the Register.
  • Require firms to maintain and submit a Register to the PRA, ensuring this is up to date at least annually.

Next steps

The deadline for comments on CP17/24 is 14 March 2024.