CyberCare by STORM Guidance

UK Operational Resilience: Understanding PS16/24 & SS6/24 for Critical Third Parties

PS16/24 & SS6/24 - Purpose of the Regime

These papers establish a regulatory framework for designating and overseeing Critical Third Parties (CTPs) that provide material services to UK financial institutions—especially cloud service providers, data analytics firms, and other tech vendors.

The objective is to ensure systemic resilience in the event of ICT disruptions affecting CTPs.

Cyber Incident Exercise Requirements

Mandatory Scenario Testing

  • CTPs will be required to carry out scenario testing (including cyber incident exercises) as part of their resilience obligations.

  • This must simulate severe but plausible disruptions to:

    • ICT services (e.g. ransomware, DDoS, data corruption)

    • Cross-client/cross-sector incidents

    • Cascading failures or supply chain disruptions

Types of Exercises Expected

  • Tabletop exercises

  • Technical simulations (e.g. red/blue teaming)

  • Cross-sector/cross-client coordination exercises

  • Crisis communication and decision-making tests

Testing Objectives

  • Assess incident response, communication, and recovery processes

  • Evaluate continuity of services to multiple financial entities simultaneously

  • Detect single points of failure and test recovery within tolerance levels

Governance & Documentation Requirements

  • CTPs must:

    • Maintain a testing framework and testing plan

    • Document outcomes and lessons learned

    • Use findings to improve resilience controls

  • Boards or equivalent governance bodies of CTPs must oversee the planning, execution, and follow-up of these exercises.

Regulatory Oversight

  • UK regulators (BoE, FCA, PRA) can:

    • Request access to test outcomes and documentation

    • Mandate additional exercises if existing ones are inadequate

    • Coordinate sector-wide simulations, with mandatory participation from CTPs

  • Regulatory powers include investigation, direction, and enforcement under the FSM Act.

What This Means in Practice

  • CTPs must integrate a structured cyber incident testing program aligned with their UK client base.

  • Testing must simulate multi-client impacts—a shift from traditional client-by-client risk models.

  • Financial firms relying on CTPs may need to participate in joint tests or review CTP test reports.

  • Firms should revise vendor due diligence and contractual clauses to reflect these obligations.

CyberSimulate

If you're implementing or auditing cyber resilience in line with UK CTP or other Operational Resilience requirements, our CyberSimulate service will provide a structured program of cyber incident exercises that:

  • Escalates in complexity over time,

  • Includes involvement from third parties, including CTPs, where relevant,

  • Encourages CTPs to exercise their plans with fourth parties,

  • Integrates learnings into operational and incident response plans.

Contact the CyberCare team

If you would prefer to speak to the team, give us a call:

UK/Europe: +44-203-693-7480

Africa: +230-434-1277

USA: +1-703-232-9015
