In its latest Financial Stability Report, the Bank of England (BoE) said it would work with the UK’s National Cyber Security Centre to run “cyber stress tests”.
These “severe but plausible” attack simulations would be designed to test financial services companies’ ability to recover in the event of major cyberattacks, with their resilience to be measured against a defined set of minimum recovery standards. As part of the exercise, participants would also be measured on how long it would take for ‘material economic impact’ to happen after an attack.
The BoE described the exercise as “impact tolerance” and said its ultimate goal is to mitigate “systemic risk” to the overall financial system. In particular, the BoE is said to be especially concerned that disruption or downtime to one bank’s payments could have extended repercussions for the wider industry and the economy as a whole. For example, if the customers of a given bank were unable to pay for goods and services as a result of the security disruption, this could cause a ripple effect, spreading to other receiving banks and negatively affecting interbank lending. As such, one incident could suddenly hit banks’ abilities to manage clearing and/or settlement.
The bank said it will consult with firms to collaborate on a pilot approach to stress testing cyber resilience in 2019 and, interestingly, added that organizations failing these tests will face remedial action plans to improve their security posture.
Stress tests should be standard in an increasingly hostile cyber climate
The BoE has been here before of course, rolling out everything from cybersecurity questionnaires to launching and testing against the CBEST framework, which is designed to act as a guide to vulnerability testing.
At the other end of the scale, they have also run the widely-publicized Waking Shark exercises in the past, with banks facing simulated attacks and being charged with collaborating with other participants (read: fellow banks) to detect, mitigate and respond to incidents proactively.
This latest move should be applauded for many reasons; the BoE’s continued focus on ‘stress testing’ banks’ security environments can only be a good thing for continuity and improving IT infrastructure (practice makes perfect after all), while it also means banks are better equipped to manage the newest and most dangerous security risks.
After all, in its most recent Systemic Risk Survey, published alongside the Financial Stability Report, 62% of banks cited cybersecurity as a key source of risk, up from 51% a year ago. This made it the second biggest risk, behind ‘UK political risk’ (Brexit) as cited by 91% of respondents.
Indeed, the BoE has recently put the threat facing banks in plain terms: “I would like our firms to be on a WAR footing: withstand; absorb; recover,” said Lyndon Nelson, deputy chief executive of the BoE’s Prudential Regulation Authority, in a recent speech.
Recent outages in the UK with Visa and TSB have illustrated the fragility of IT systems and what that can mean for customers, corporations and the local economy, as banks globally face an ongoing deluge of attacks, from the basic to the state-sponsored.
We, of course, wholeheartedly agree that more needs to be done to ensure the security of financial organizations the world over. But in plenty of cases the exercise of measuring cyberattack recovery is putting the cart before the horse, like measuring how to recover from a home break-in before putting locks on the doors. How meaningful is that stress testing if financial organizations don’t have the correct tools to protect themselves and their customers in the first place?
To this end, Protector Air employs full transaction stack protection, which protects individual digital transactions between customers and web applications, regardless of whether customer endpoint devices have been compromised. Used by banks around the world, the cloud-based, patented solution prevents transactional fraud without the user even being aware it’s there.