The UK's biggest banks and financial institutions have been given a deadline of six months to come up with a credible plan for defending against cyber attacks.
The move, spearheaded by the Bank of England, has been driven by fear that the banks are vulnerable to a Doomsday scenario in which an external cyber attack or a trusted insider could cripple their critical payments systems, leaving millions of customers unable to receive salaries or pay their mortgages.
As a result, the Bank's Financial Policy Committee (FPC), chaired by Bank of England Governor Mark Carney, has called on the boards of directors of the UK's biggest retail banks and financial institutions to take charge of their own cyber defence strategy. They must deliver a progress report by November and a fully fledged defence plan by the end of Q1 2014.
At its last meeting, the FPC heard that the threat to the UK financial system's resilience to cyber attacks “had many dimensions and was growing. The financial system had a number of potential vulnerabilities, reflecting its high degree of inter-connectedness, its reliance on centralised market infrastructure, and its sometimes complex legacy IT systems”.
The FPC agreed the next step must be “for the boards of the relevant supervisory bodies to ensure that there was a concrete plan in place to deliver a high level of protection against cyber attacks for each institution at the core of the financial system”.
As part of that, the Bank of England will be reviewing its own resilience.
Banking security expert Martin Jordan, head of cyber response for KPMG UK, explained: “The Bank of England would like everybody to up their game in terms of a cyber attack.”
He told SC Magazine that the initiative could stem from an outage at a ‘large UK bank’ a year ago. “I think that focused the minds of the regulators to remind them there are key choke points within the UK network. They just realised that if one bank fails, or the payment system within a bank fails, it does have repercussions for other banks.”
Jordan said that an external or insider attack that affects one bank also impacts that “bank's facility to make payments to other banks – to pay people's mortgages, people's salaries – and the knock-on effects to the economy can be quite severe”.
He believes the major banks are facing up to a Doomsday scenario where they “have a major catastrophic back-end failure in the bank caused by malicious hackers, and at the same time a denial-of-service attempt. I think they are trying to pose the question, 'What will happen in a perfect storm?'”
He believes the Bank of England's initiative “is aimed squarely at the retail banks, simply because they are the first point of contact with UK citizens”.
The scheme is being managed for the Bank of England by the Treasury and the financial sector's two main regulators: the Prudential Regulation Authority (PRA), which polices around 1,700 financial firms, and the Financial Conduct Authority (FCA), which supervises 26,000 firms.