In its latest 'Financial Stability Report', the Bank of England has warned that most UK financial institutions are still viewing online security threats as 'technical' issue, rather than one that should be tackled at board-level.
The report reveals recommendations the BoE made to government last June, which specifically urged companies in the financial sector to “put in place a programme of work to improve and test resilience to cyber-attack.”
“The FPC received an update on work by HM Treasury, the Bank and regulators to enhance cyber-resilience. All core firms and financial market infrastructures have submitted a self-assessment on cyber-resilience, and these have been reviewed by the regulators. Although these assessments have not revealed any critical shortcomings at this stage regulators have noted some areas for improvement, including a tendency among firms to view cyber-threats as a ‘technical' problem — rather than as an issue which merits board-level attention given the evolving nature of cyber-threats and the key importance of cyber-resilience to continuity of financial services. Supervisors are working with firms to agree timetables for remediation.”
The BOE has also urged companies to embrace the CBEST framework and undertake regular tests to review and improve their resilience. This report comes shortly after Cabinet Office minister Francis Maude urged companies that cyber-security is an ‘issue for the boardroom'.
“It is an issue for the boardroom,” he said at the launch of GCHQ's Cryptoy Android app. “If you sit on the board and you don't have your chief information security officer's number on your phone, now is the time to add it."
In response to the comment, Chris Sullivan, VP Advanced Solutions at Courion, adds in an email to press: "Francis Maude talks eminent sense but the question to ask is why haven't boardrooms made IT security a top agenda item much earlier. Data breaches that have shaken reputations and triggered financial losses aren't a new phenomenon. Indeed Sony was attacked over two years ago and back then there were similar calls for enterprises to take IT security more seriously.
"A CISO needs to move from a focus on security to business risk. In other words, be responsible for ensuring that the business understands the risks it is taking, aligning IT and security spending according to that risk appetite, and delivering the capability to quickly understand and respond when risk changes or an adverse event is realised. Taking this high level stance elevates the Information Security Executive to a role where they are included in, and integral to, business discussions with C level executives.”