Bank of England: Cloud outages and DDoS attacks pose risk of cascading systemic failure
Regulators tighten oversight of “operational incidents” that could ripple through the digital economy.
British regulators have set out new reporting requirements for operators of critical financial infrastructure, forcing them to disclose events that could trigger cascading disruption.
The rules reflect growing concerns about the potentially devastating impact of incidents at shared technology providers offering services such as cloud or payments, underscoring the risk that a growing concentration of shared infrastructure poses to systemic resilience.
Financial market infrastructures (FMIs) must now promptly notify regulators of serious operational incidents, submit detailed follow-up reports and disclose their reliance on critical third-party technology providers.
FMIs provide the core "plumbing" that enables money and securities to move safely through the financial system, making them critical to market stability. They include payment networks, clearing houses and settlement platforms.
Broadly speaking, an operational incident is any disruption that undermines an FMI’s ability to deliver critical services, protect user data or maintain trust in the financial system.
In its new policy on reporting for FMIs, the Bank uses scenarios including large-scale DDoS attacks on cloud providers to illustrate how operational incidents could disrupt critical services and spread through the financial system.
Regulators said phishing attacks that "compromise the confidentiality of sensitive or critical data belonging to an end user external to the FMI" may be events that need to be disclosed.
In other words: if something goes wrong at a third-party provider, financial firms need to assess whether it is an operational incident and promptly file a report if it disrupts services or meets reporting thresholds.
Another example of an incident the Bank wants to know about is "a large-scale distributed denial of service (DDoS) attack on a cloud service provider which causes significant disruption to the delivery of one or more of an FMI’s services."
Hunting black swans
The Bank defined an operational incident as a disruption of the delivery of a service to an FMI's external end user or an event that "impacts the availability, authenticity, integrity, or confidentiality of information or data".
The definition of an operational incident does not refer only to a disaster taking place in isolation, but also includes "linked events" of the type likely to cause cascading failures, a huge risk in a fragile, interconnected digital economy.
"The Bank would consider a ‘series of linked events’ to include those whose cumulative impact results in a disruption to the FMI’s operations," it wrote.
Other examples of operational incidents include:
Process failures: Events which "significantly disrupt the delivery of a service", including system failures that require a manual workaround, potentially leading to a "greater possibility of error in the processes being delivered".
System update failures: Problems with updates that "result in significant disruption of one or more services". This could also capture an "update that allows an important business service to continue functioning but increases its vulnerability to cyber attacks".
Infrastructure problems: Scenarios such as extended power outages or infrastructure damage from extreme weather that result in an FMI being unable to provide one or more of its services.
Vaccinating against contagion risks
FMIs are required to submit operational incident reports whenever an incident occurs that could pose a risk to financial stability, taking the risk of operational or financial contagion into account.
"The Bank expects FMIs to consider operational contagion, where an operational incident could cause operational disruption elsewhere in the financial system or the real economy," it wrote.
"An operational incident affecting the services of an FMI could leave them unable to transact with other FMIs or participate in financial markets. This could have knock-on impacts to the ability of the disrupted FMI’s counterparties to undertake their own activities."
FMIs must also pay close attention to whether an operational incident could result in "further financial impacts" to their own business or across the financial sector. These can include disrupted liquidity flows, reduced access to funding and impaired price discovery across markets.
FMIs must also consider whether incidents could erode trust, for example, through widespread disruption to retail payments that undermines confidence in the financial system.
The same requirement applies if an incident "risks its own reputation or the reputation of the financial sector, therefore impacting financial stability."
Examples of this include an outage that gets bad press or a third-party process failure that corrupts data, sparking more negative sentiment.
These new rules matter to firms because they increase scrutiny of outages, cyber incidents and technology dependencies that could disrupt services or damage market confidence.
As finance grows ever more reliant on common technology stacks, a single failure can now ripple across markets in seconds. The new reporting regime suggests regulators are increasingly uneasy about how much of the global financial system runs on infrastructure they do not directly control.