Bank of England testing banks’ resilience against cyber-attacks
9 November 2018
Back in July, the Bank of England, along with the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), gave UK-based banks three months to demonstrate their resilience to operational challenges and to show how they could prevent disruptions from taking place.
“The challenges for operational resilience have become even more demanding given a hostile cyber-environment and large-scale technological changes. As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions, and consumers,” the FCA said.
It added that a disruption caused by a cyber-attack, failed outsourcing or technological change could threaten the viability of certain firms and, in turn, harm the interests of consumers, lending banks, and other participants in the financial system. As such, banks and financial institutions needed to strengthen their protocols to ensure they could tolerate and overcome disruptions in the future, regardless of the cause of such disruptions.
War-gaming cyber resilience of UK banks
Earlier today, the Bank of England announced a one-day “war-gaming exercise” in partnership with HM Treasury, the FCA, UK Finance and dozens of other organisations “to test the financial sector’s resilience to a major cyber incident impacting the UK.”
“This exercise forms a vital part of the sector-wide biennial process that seeks to ensure the industry is prepared for – and can respond effectively to – any major disruption stemming from a cyber incident, protecting the financial system on which the public relies,” the Bank of England said in a statement.
“The exercise will help authorities and firms identify improvements to our collective response arrangements, improving the resilience of the sector as a whole,” it added.
“Financial institutions are particularly at risk from cyber threats, simply due to the amount of sensitive data and money they store. With customer interactions, processes and services increasingly moving online, the industry cannot afford cybersecurity – or a lack of it – to become a stumbling block further down the line.
“Better intelligence sharing and improved co-operation within the financial services industry is vital to managing cyber risk, so it’s great to see this mix of organisations working together to test the UK’s financial system,” says Kirill Kasavchenko, Principal Security Technologist at NETSCOUT.
“The results of today’s drill will reveal what work remains to be done, but what is important from a DDoS perspective is that the full range of attack types and techniques is considered. To add further complexity, DDoS attacks are also not launched just for the sake of bringing a resource down. They can also be designed to shift the focus of the defenders, so it’s ‘easier’ for hackers to exfiltrate data undetected.
“This is why every financial services organisation must implement layered security to mitigate attacks of different sizes and complexity, as well as strengthening visibility and threat detection capabilities across internal networks. That way DDoS attacks can be contained without disruption, but we can also see whether other attacks are being carried out in parallel – so the true scale of the attack is known,” he adds.
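The point made above, that a flood can be cover for a quieter data transfer, is something a monitoring team can test for directly: correlate the minutes in which inbound traffic surges with each internal host's outbound volume over the same minutes and flag hosts whose egress jumps well above their quiet-period baseline. The example below is added here to illustrate that correlation; it is not code from the article, from NETSCOUT or from any bank, and the flow records, addresses and the `5x` thresholds are constructed for the demonstration.

```python
"""Correlate an inbound volumetric surge with anomalous outbound transfers.

Added illustration only. The flow summaries, IP addresses and thresholds
below are constructed; a real deployment would feed this from NetFlow,
VPC flow logs or a firewall's connection log.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    minute: int      # minute bucket since the start of the capture
    src: str         # source address ("edge" stands for the public edge)
    dst: str
    inbound: bool    # True: internet -> edge; False: internal host -> internet
    nbytes: int


# Constructed sample: minutes 0-2 are quiet; minutes 3-4 carry a flood against
# the public edge while one internal host (10.0.5.20) pushes far more data out
# than it normally does and a neighbour (10.0.5.21) behaves as usual.
SAMPLE_FLOWS: List[Flow] = [
    *[Flow(m, f"203.0.113.{i}", "edge", True, 1_500) for m in range(3) for i in range(20)],
    *[Flow(m, "10.0.5.20", "198.51.100.9", False, 40_000) for m in range(3)],
    *[Flow(m, "10.0.5.21", "198.51.100.9", False, 35_000) for m in range(3)],
    *[Flow(m, f"203.0.113.{i}", "edge", True, 1_500) for m in (3, 4) for i in range(200)],
    Flow(3, "10.0.5.20", "198.51.100.77", False, 900_000),
    Flow(4, "10.0.5.20", "198.51.100.77", False, 1_200_000),
    Flow(3, "10.0.5.21", "198.51.100.9", False, 36_000),
    Flow(4, "10.0.5.21", "198.51.100.9", False, 34_000),
]

# Minutes used to learn "normal" for both inbound rate and per-host egress.
LEARNING_MINUTES: Set[int] = {0, 1, 2}


def inbound_counts(flows: Iterable[Flow]) -> Dict[int, int]:
    """Number of inbound flows per minute bucket."""
    counts: Dict[int, int] = defaultdict(int)
    for f in flows:
        if f.inbound:
            counts[f.minute] += 1
    return counts


def egress_bytes(flows: Iterable[Flow]) -> Dict[Tuple[int, str], int]:
    """Outbound bytes per (minute, internal host)."""
    out: Dict[Tuple[int, str], int] = defaultdict(int)
    for f in flows:
        if not f.inbound:
            out[(f.minute, f.src)] += f.nbytes
    return out


def egress_baseline(flows: Iterable[Flow], learning: Set[int]) -> Dict[str, float]:
    """Mean outbound bytes per minute for each host over the learning minutes."""
    per_host: Dict[str, List[int]] = defaultdict(list)
    for (minute, host), b in egress_bytes(flows).items():
        if minute in learning:
            per_host[host].append(b)
    return {h: sum(v) / len(v) for h, v in per_host.items()}


def flood_minutes(flows: List[Flow], learning: Set[int], factor: float = 5.0) -> List[int]:
    """Minutes outside the learning window whose inbound flow count exceeds
    `factor` times the learning-window average (a crude volumetric signal)."""
    counts = inbound_counts(flows)
    baseline = sum(counts[m] for m in learning) / len(learning)
    return sorted(m for m, c in counts.items() if m not in learning and c > factor * baseline)


def diversion_alerts(flows: List[Flow], learning: Set[int], factor: float = 5.0) -> List[Tuple[int, str, int]]:
    """Hosts whose egress exceeds `factor` times their own baseline during a
    flood minute. A host with no baseline at all is treated as baseline 0, so
    any egress from a previously silent host during a flood is surfaced."""
    floods = set(flood_minutes(flows, learning, factor))
    baseline = egress_baseline(flows, learning)
    alerts = []
    for (minute, host), b in sorted(egress_bytes(flows).items()):
        if minute in floods and b > factor * baseline.get(host, 0.0):
            alerts.append((minute, host, b))
    return alerts


if __name__ == "__main__":
    print("flood minutes:", flood_minutes(SAMPLE_FLOWS, LEARNING_MINUTES))
    for minute, host, b in diversion_alerts(SAMPLE_FLOWS, LEARNING_MINUTES):
        print(f"minute {minute}: {host} sent {b} bytes out during the flood")
```

Run as a script it reports minutes 3 and 4 as the flood window and lists only 10.0.5.20, whose outbound volume is more than twenty times its quiet-period average; 10.0.5.21 stays within its normal range and is not reported. The two thresholds are deliberately separate so that a team can tune the flood detector on edge telemetry and the egress detector on internal telemetry, which is the "visibility across internal networks" the quote asks for.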
Repeated warnings from financial watchdogs
A few years ago, the Bank of England warned UK banks and financial institutions that core banking services could be seriously disrupted by cyber-attacks and that firms therefore needed to treat cyber risk as a “strategic priority” in the boardroom, rather than a “narrow technology issue”.
The Bank therefore believes that periodic reviews of the cyber-preparedness of UK-based banks and financial organisations give a clear picture of how ready they are to respond to emerging cyber threats and damaging targeted attacks.
Last year, the Financial Conduct Authority (FCA) also warned that the migration of customer account data by leading UK banks, as they separated core services such as savings accounts from investment banking, could expose that data to unauthorised access. The banks were doing so to ring-fence customer deposits and keep them apart from riskier activities such as investment banking.
“In creating a new system that houses personal data, you’re opening up security holes. The impact of an indiscriminate attack can be substantial,” James Tedman, a London-based managing director at ACA Aponix, told Bloomberg.
He added that even though the leading banks were aware of such risks, they should have practised extreme caution, as attacks could come from ‘well-financed and sophisticated criminal groups’ rather than 15-year-olds in their bedrooms.