Published on April 18, 2019
Last updated on March 06, 2025
The financial sector is the backbone of society. It encompasses a broad range of businesses that manage money and provide financial services, including but not limited to banks, credit card companies, credit unions, insurance providers, accountants, and investment funds. Such companies and individuals manage money on behalf of businesses of every size, not to mention private citizens. They need strong checks and protocols in place in the event of a disaster.
Business continuity threats in this sector are often global. They are rarely localised to a single region and can impact not just the business world but the everyday lives of the general public.
Financial institutions must have robust plans in place to bring their essential functions and services back online as soon as possible, regardless of the cause of the disruption. It is their responsibility to ensure that nothing stops people from accessing their money. Despite man-made threats such as physical and cyber-attacks, IT system outages and third-party supplier failure, and natural hazards such as fire, flood, severe weather or an outbreak of disease, as we all experienced during the COVID-19 pandemic, services must be restored.
This is why business continuity management is so crucial in the finance industry. Let's take a look at some of the biggest threats this sector faces, and how operational resilience, compliance, and governance can help organisations combat such threats.
Cyber-attacks and fraud are among the largest of the threats currently faced by the financial services sector. According to the UK government, across UK businesses, there were approximately 2.39 million instances of cybercrime and approximately 49,000 instances of fraud as a result of cybercrime in the last 12 months.
Fraud is a crime that the finance industry is committed to tackling, but it's also one that requires the combined efforts of every sector, both public and private, to overcome.
The UK government's 2024 cyber security breaches survey revealed that half of businesses (50%) and nearly a third of charities (32%) experienced some form of cybersecurity breach or attack in the last 12 months.
In October 2024, cryptocurrency payment processor Transak announced that it had experienced a data breach and security incident. Following a sophisticated phishing attack, the attacker used compromised employee credentials to log into a third-party KYC vendor used by Transak for document scanning and verification. The attackers were then able to obtain sensitive private customer information, such as names, dates of birth, photos, and ID documents, such as passports and driver's licenses. Transak did stress that no financially sensitive information such as passwords, credit card details, or Social Security Numbers was leaked in the breach.
This incident impacted 1.14% of their customer base (approximately 92,554 users). They have since released a statement to clarify their position and the follow-up actions they have taken to safeguard both their customers affected and the rest of their client base.
With hackers devising ever-more sophisticated methods for fooling employees and individuals into handing over valuable company data, businesses must use due diligence to stay two steps ahead of cybercriminals.
Whether you like it or not, every company now has to be a tech company, and the finance sector is embracing it. Cyber attacks and geopolitical risks are among the most frequently cited risks nominated by banks and financial institutions in the UK. Such attacks aren't just getting more frequent; they are also getting bigger and more expensive to mitigate. According to one survey, 65% of participating financial services organisations were hit by a ransomware attack in 2024, and the mean cost of recovery was $2.58 million.
Business continuity and disaster recovery plans are essential if firms are to maintain critical operations and continue to deliver services to customers successfully. The impact suffered by unprotected systems can and will have devastating effects on a company's survival and reputation.
87% of UK adults use a form of online or remote banking, accounting for 47 million people. When banks and other financial institutions experience an IT outage, that cuts thousands, if not millions, of people off from their money. Customers can't access their accounts via apps or online portals, and they may also be prevented from making payments, whether they are trying to pay online or in a physical store with their card.
This can, understandably, cause panic and mistrust in the bank, especially if the outage continues with little to no reassuring communication from the financial institution.
In January 2025, UK bank Barclays experienced a serious outage that affected both their online banking systems and customer apps. Not only did this coincide with payday for many Barclays customers, but it was also the deadline for self-assessment tax returns. This made it a crucial period in which customers had to be able to access their bank accounts to provide accurate statements.
This period of delay caused a serious impact not just on the lives and business of Barclays' customers, but also on the reputation of the organisation. If such outages become frequent, customer confidence will drop and could cause them to leave for competitors. What steps can financial institutions take to ensure they have a robust business continuity plan in place?
Globally, ISO 22301 is the international standard for business continuity management. It was developed to provide a strict, standardised framework for how organisations approach business continuity.
When used properly, it can help financial firms identify and manage current and future threats, take a proactive approach to minimise the impacts of incidents, minimise downtime and improve recovery time, and demonstrate resilience to customers and suppliers.
Becoming certified to ISO 22301 offers organisations the opportunity to demonstrate their commitment to effective business continuity planning. Critical financial operations cannot be allowed to nose-dive and go under in the event of a disaster. Good business continuity management, when done to the level established by ISO 22301, is key in this prevention and planning.
Our expert business analysts can assist you through every step of the ISO certification process. Each stage can be aligned with the ISO standard and facilitated via our business continuity management software.
Financial governance varies from region to region, and operational resilience is the universal ability of firms and the financial system as a whole to absorb and adapt to shocks rather than contribute to them. Despite being one of the most heavily regulated sectors, the finance industry has recognised the importance and benefits of having a mature business continuity management system in place to give not only a competitive advantage but also to protect its customers and suppliers and to add to the overall resilience of the industry.
The UK's operational resilience agenda is governed by multiple bodies. These include the Bank of England (BoE) and its internal Financial Policy Committee (FPC), Prudential Regulation Authority (PRA), and Financial Market Infrastructure (FMI) Board. Externally, the Financial Conduct Authority (FCA) and HM Treasury also play significant roles, working with the BoE to ensure the UK financial sector runs smoothly, efficiently, and effectively.
The FPC is responsible for identifying, monitoring, and addressing risks to the UK's financial systems. This includes the cyber resilience of the system and the likelihood of withstanding digital attacks. The FPC regularly revisits and reviews its existing policies on operational resilience. In doing so, they can account for the monitoring of new threats, technological shifts, and a change in priorities for the provision of vital services.
The PRA focuses on the safety and soundness of the financial firms it regulates. This also encompasses aspects of operational resilience. This organisation also emphasises the importance of the planning and testing of recovery and resolution plans.
Similar to the PRA, the FMI Board also oversees the resilience of financial market infrastructures within the UK. It also oversees the risk management and supervision of these infrastructures, notably including but not limited to payment systems, central securities depositories, and central counterparties (CCPs).
The FCA collaborates with the BoE and PRA to assess sector-wide disruptions, coordinate responses, and deliver sanctions and fines where appropriate to enforce compliance with resilience regulations. They play a crucial role in ensuring critical financial services firms like banks and insurers have the protections and systems in place to protect market integrity and the interests of consumers.
As the UK's economic and finance ministry, the Treasury is responsible for ensuring the overall stability and resilience of financial systems. It does not regulate firms as the bodies mentioned above do, but it plays a key strategic and policy-setting role that helps to govern how the other bodies approach operational resilience.
Collectively, these organisations work together to make sure the UK financial sector runs smoothly, efficiently and effectively. In addition to supervising individual firms and FMIs, they also monitor wider industry standards and international stakeholders which could drive collective action and address systemic risks that could cause impact in the UK.
International stakeholders can include, among other parties, the financial regulation authorities of other countries and economic groups.
In the US, the Financial Industry Regulatory Authority (FINRA) requires firms to create and maintain written business continuity plans (BCPs) relating to an emergency or significant business disruption. Many firms that operate in the European Union must comply with the Digital Operational Resilience Act (DORA). Even if an organisation is based in the UK, it must have adequate disaster recovery planning and risk assessment management in place to cover all jurisdictions it operates in.
Every business now needs to be a tech company, but we recognise that not every business has the capacity to do so. Business continuity management isn't just a one-time thing. It is a continuous process that must be visited time and time again to ensure that regulatory standards are being met and best practices are in place.
Using a dedicated business continuity management system (BCMS) ensures that all information related to business continuity is kept in one place. Personnel will know that protocols are accurate and up-to-date, so that a response can be delivered promptly if an incident should occur.
Let C2 be your safeguarding partner. Our Meridian BCMS is built for resilience professionals by resilience experts and can be built to meet the specifications of your business whether you are in the financial sector or another industry. Our resilience experts will also be ready to advise you on any business continuity or operational resilience issues you may have. Whether you wish to gain certification in ISO 22301 or just manage your BIAs more effectively, let our experts help you achieve your goals.
Contact us for a consultation and a demo of our Meridian software today. Let's ensure your financial organisation always operates with continuity and compliance in mind.
Founder & CEO at Continuity2
With over 30 years of experience as a Business Continuity and Resilience Practitioner, Richard knows the discipline like the back of his hand, and even helped standardise BS25999 and ISO 22301. Richard also specialises in the lean implementation of Business Continuity, IT Service Continuity and Security Management Systems for over 70 organisations worldwide.