The Bank of England's latest Financial Stability Report (FSR), issued on July 1, cites cyber-risk (pages 31–33) as an area of increasing concern with increasingly frequent cyber-attacks potentially causing disruption to the banking system.
It calls for defence measures that go beyond technology and for reaction plans to be drawn up, and advocates the use of CBEST to identify vulnerabilities, adding that improved governance and risk management are needed to implement these measures and improve resilience.
The report notes how a UK government survey this year found that 90 percent of large businesses across all sectors had experienced a malicious IT security breach in the previous year. Respondents to the Bank's Systemic Risk Survey put cyber-risk as a key concern over the past two years, and the World Economic Forum has identified large-scale cyber-attacks as one of the high-impact risks most likely to crystallise over the next ten years.
The report says defensive capability should address both IT and non-IT vulnerabilities: “A common failing was viewing cyber-risk as a purely ‘technological’ issue, without recognising that people matter as much as technology.”
Under-investment in companies' ability to detect cyber-attacks was seen as creating a risk that firms react to attacks too slowly, or misdiagnose incidents of disruption as internal IT failures rather than deliberate attacks. Defensive capabilities also need to extend to the suppliers and infrastructure that the financial system relies on, hence the need for thorough due diligence on third-party suppliers.
Because data corruption caused by a cyber-attack can spread between connected systems, the report advises segregating primary and backup systems. This differs from other business-continuity threats, where the aim of immediate backup capacity leads to closely connected backup systems for rapid resumption of services.
Strong governance is called for at the most senior levels of banks to build capability in defensive resilience and to enable recovery across both technology and personnel. Accordingly, the independent Financial Policy Committee (FPC) called for regulators to establish a regular assessment of the resilience to cyber-attack of firms at the core of the financial system. It says this should include penetration testing, with CBEST tests becoming one component of regular cyber-resilience assessment within the UK financial system, together with the adoption of individual cyber-resilience action plans. Ways of managing this risk must evolve in line with the nature of the threat; as well as building defensive resilience, firms must build the capability to recover quickly from a cyber-attack, given the inevitability that attacks will occur.
Evolving defensive resilience and recovery across the financial system is to be looked at further, particularly at firms providing critical services to the financial system, including via international co-operation, with a report on progress to be published by summer 2016.