The Regulator should regulate infrastructure
Following the debut of the Digital Operational Resilience Act (DORA), which proposes that the Regulator should regulate infrastructure and is due to be ratified by the EU this year, the ISITC Europe debate on the subject of ‘Should the Regulator interfere in infrastructure?’ took place last week, hosted by Metro Bank. The audience was made up of senior practitioners from across the Capital Markets, in true ISITC Europe style. A panel of experienced senior industry professionals (James Crask from Marsh, Monica Sasso from Red Hat, Steve Marshall, ex Nomura, and Steve Yates from The Resilience Association) was ably chaired by Alastair Hodge from Cloudsoft. They were invited to respond to the motion “The Regulator should not interfere with infrastructure”.
For the Motion
Two members of the panel presented for the motion. They argued that firms had to take responsibility for the decisions they made and be held accountable by the Regulators. Firms should know that it is inevitable that systems/services or businesses will fail, but measures should be in place to resolve this quickly. The firm’s appetite for risk when using 3rd parties should be decided by the Board and not the Regulator. However, it was vitally important that all Board Members fully understood the technology and services their organisation was using. This should be evidenced by having controls and a framework in place.
The point was made that it would be difficult, if not impossible, for the Regulators to police all the 3rd party service providers and their providers and so on. The relationship with the Regulator should therefore remain with the regulated firm, as is currently the case.
Against the Motion
The points against the motion were strongly argued. There are good reasons why the regulator should interfere. Large organisations cannot always be trusted to do the right thing and put the consumers’ needs first. Someone needs to advocate for the consumer and that should be the Regulator. If regulators don’t go to the source of the problem, they are putting consumers at risk. Senior executives are not sufficiently briefed on technology risk within organisations.
Data is a key component; often firms don’t know where or how their data is being processed. There has been a massive growth in data centres, with some major outages. Not all outages were due to cyberattacks; some were down to hardware issues and even fires. Banks are now looking at putting their legacy systems on the cloud. Cloud is a super highway of information. We are now in a hybrid world and in time, IT companies will become more important than banks and therefore should be regulated. The point was made that if regulators don’t go to the source of the problem, i.e. the 3rd parties, they are putting consumers at risk.
The presentations were well crafted, powerful and compelling, laying out all the issues related to the motion and drawing the audience into a very lively discussion that left no stone unturned in the interrogation of the panel. Questions put to the panel and discussed included: Can the regulators help to give more transparency around data? Are we ready for regulation? Shouldn’t all utilities be regulated? One member of the audience pointed out that there is no common language between regulators and the suppliers. So can we craft regulation that actually solves the outcome? Regulation is an evolution. How can we set a framework of dialogue to continually evolve that? If you over-regulate, what happens to innovation?
The audience felt that it was important, if not imperative, that regulators regulated infrastructure, as the threats to society were increasing and the financial markets were an obvious target for attack. Technological developments were also challenging the industry. The debate came to a close with the vote, which was an overwhelming win against the motion: the Regulator should regulate infrastructure!
Have your say!
If you have a view or want to engage in this discussion or other resilience-related issues, feel free to leave your comment below, or perhaps enquire about joining our Resilience and Cloud Services Forum.