Eric DeGrass
March 13th, 2025
Executive Summary
This article examines the Digital Regulation Cooperation Forum (DRCF) and its cross-regulatory approach to operational resilience, as demonstrated in a recent case study on third-party software defects. The FCA, Ofcom, ICO, and CMA collaborated to highlight how software failures, vendor outages, and IT misconfigurations can disrupt financial services, telecommunications, and consumer protections, necessitating a unified regulatory response.
The article explores how the DRCF’s findings align with global regulatory trends, including DORA (EU), FFIEC (US), CPS-230 (Australia) and OSFI B-10 (Canada), signaling a broader movement to recognize third-party software risks as systemic threats. It underscores the DRCF’s role in providing clarity and consistency in regulatory expectations, ensuring that software reliability and service continuity are treated with the same urgency as cybersecurity.
The conclusion emphasizes the importance of cross-regulatory collaboration in addressing emerging risks across industries. By working together, regulators can create a stronger, more resilient digital ecosystem, ensuring that operational failures do not lead to widespread disruptions. The DRCF’s work serves as a model for future regulatory cooperation, helping industries and policymakers align on best practices for managing third-party software risks.
In an era where digital interdependencies span multiple sectors, ensuring operational resilience has become a regulatory imperative. The Digital Regulation Cooperation Forum (DRCF), a collaboration among Ofcom, the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO), and the Competition and Markets Authority (CMA), has set a new standard for regulatory cooperation.
Through its AI and Digital Hub, the DRCF is not only addressing the risks posed by emerging technologies but also emphasizing the need for resilience beyond cybersecurity. Its recent case study on third-party software defects brings clarity to an issue that cannot be overlooked: operational failures caused by non-security software flaws can be just as disruptive as cyber threats, and regulatory oversight must reflect this reality.
The DRCF case study examines the impact of third-party software defects on business continuity and regulatory compliance. The findings confirm that disruptions from software flaws, vendor outages, and IT misconfigurations should be treated with the same level of concern as cybersecurity incidents.
The key takeaways include:
Operational resilience is not just about cybersecurity. While cyber threats remain critical, non-security software failures—such as unpatched defects, flawed system updates, and vendor service outages—pose equally significant risks to financial services, telecommunications, and consumer protection.
Regulatory compliance extends to software reliability. Organizations are expected to manage third-party software dependencies proactively, ensuring that failures do not result in service outages, financial instability, or breaches of data protection laws.
Cross-sector impact requires cross-regulatory cooperation. Because third-party software failures can affect multiple industries simultaneously, a siloed regulatory approach is insufficient. The DRCF’s collaborative framework allows regulators to align their guidance across sectors, ensuring consistency in expectations.
Each of the DRCF’s participating regulators provides a different but complementary perspective on how third-party software failures should be addressed:
FCA (Financial Conduct Authority): Operational resilience rules (SYSC 15A) require financial institutions to identify, assess, and mitigate risks associated with third-party software—whether those risks stem from security flaws or non-security defects that could disrupt business continuity.
Ofcom: The UK’s communications and digital infrastructure regulator mandates that telecom providers maintain service availability, including addressing risks from software defects that impact network stability.
ICO (Information Commissioner’s Office): Under UK GDPR, organizations must ensure the confidentiality, integrity, and availability of personal data, which includes mitigating risks from software failures that could compromise data accessibility.
CMA (Competition and Markets Authority): Consumer protection laws prohibit misleading claims about the reliability of digital services, reinforcing the obligation for vendors and service providers to manage software risks transparently.
This unified stance highlights a critical shift: operational resilience is no longer confined to any single regulatory domain.
The DRCF’s approach to third-party software risk management aligns with broader regulatory movements worldwide:
Europe: The Digital Operational Resilience Act (DORA) mandates that financial institutions assess, test, and mitigate risks associated with IT service providers.
United States: The FFIEC and SEC are expanding operational resilience guidance to cover third-party vendor failures alongside cybersecurity threats.
Canada: OSFI B-10 strengthens expectations for financial institutions to manage risks stemming from external IT providers.
Asia-Pacific: The Monetary Authority of Singapore (MAS) and the Hong Kong Monetary Authority (HKMA) are integrating IT resilience into their broader financial stability frameworks.
Australia: CPS 230 is an Australian Prudential Regulation Authority (APRA) standard that sets risk management requirements for banks, insurers, and superannuation funds, emphasizing governance, accountability, and resilience to operational risks.
This global regulatory alignment underscores the growing recognition that third-party software failures are not isolated incidents but systemic risks that demand structured oversight.
The DRCF’s work is an important example of regulatory innovation, demonstrating how collaborative oversight can clarify complex issues and lead to more effective risk management across industries.
By bringing together multiple regulators, the DRCF ensures that critical software-related risks do not fall through the gaps between different regulatory domains.
Going forward, this kind of cross-regulatory alignment should serve as a model—not just in the UK but globally. As digital ecosystems continue to evolve, regulators must work together to ensure that software resilience, vendor accountability, and operational continuity remain at the forefront of compliance expectations.
The DRCF case study is just the beginning—and we hope to see more initiatives that bridge regulatory gaps and provide clear, actionable guidance on emerging risks.