The Bank of England has released a consultation on a new rule for central counterparties relating to incident reporting. BoE currently has a supervisory expectation that CCPs promptly notify it of any operational incidents as soon as reasonably practicable, including any incidents that affect the security of their information technology systems.
While this is not a formal rule at present, in practice, it means CCPs contact BoE in the event of an incident and keep it updated at regular intervals until the incident is resolved. Other UK financial market infrastructures (FMIs) follow a similar approach.
BoE is proposing to introduce a new rule for CCPs which will formalize some aspects of the current supervisory expectation in relation to the reporting of operational incidents. The proposed rule is intended to supplement existing practices by requiring a CCP to report certain incidents to BoE.
The notification requirement would cover any incident, including a physical event, affecting the security of a CCP’s information technology systems that had a significant impact on continuity of services provided. The inclusion of physical events is common to most international standards; for example, the PFMI covers physical and information security, while ISO 27001, the National Institute of Standards and Technology Framework and the Cloud Controls Matrix cover cyber and information technology systems.
The proposed rule requires a CCP to report an incident as soon as reasonably practicable after it becomes aware of the incident. A CCP is also required (either concurrently or as soon as reasonably practicable after providing notification of an incident) to provide information which would allow the Bank to determine any impact of the incident, such as financial, operational or legal.