BoE asks UK banks and financial institutions to prove their cyber resilience
9 July 2018
Banks and financial institutions in the UK have been given three months by the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) to demonstrate their resilience to operational challenges and to show how they can prevent disruptions from taking place.
A discussion paper published by the three institutions is now mandating banks and financial institutions to define the amount of disruption that could be tolerated, considering that major disruptions impact financial stability by posing a risk to the supply of vital services on which the real economy depends.
“The challenges for operational resilience have become even more demanding given a hostile cyber-environment and large scale technological changes. As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers,” the FCA said.
Failure to overcome disruptions will not be tolerated
It added that a disruption caused by a cyber-attack, failed outsourcing or technological change could threaten the viability of certain firms and, in turn, harm the interests of consumers, lending banks, and other participants in the financial system. As such, banks and financial institutions need to strengthen their protocols to ensure they can tolerate and overcome disruptions in the future, regardless of the cause of such disruptions.
A recent example of a major disruption was the prolonged outage of TSB’s banking systems after a weekend upgrade of the systems went horribly wrong. The disruptions began when TSB started shifting customer records from Lloyds’ online systems to its own and resulted in TSB account holders not being able to access their online banking accounts.
Commenting on the initiative taken by the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) to force banks and financial institutions to strengthen their cyber defences and to prepare for eventualities, Dan Sloshberg, Director Product Marketing at Mimecast, said that the institutions have clearly highlighted that banks and other financial services providers are responsible for continuity, both when running IT systems in-house and when outsourcing to cloud service providers.
“The growing dependence on operational IT services, from payment processing technologies to cloud email in Office 365, requires a risk-based approach to building cyber resilience. This response involves combining a defensive strategy with an ability to get back up and running quickly, with minimum disruption and zero data loss. This should be paired with alternative access routes to key systems like email so businesses can keep on running, even when the worst happens,” he said.
“WannaCry was a wakeup call and highlighted the disruptive power and scale cyber-attacks can have on our critical national infrastructure. Organisations can also learn from the new NIS Directive. This legislation clearly signals the move away from pure protection-based cybersecurity thinking. Robust business continuity strategies have never been more important to ensure organisations can continue to operate during an attack and get back up on their feet quickly afterwards.
“Now we just need to see the Bank of England clarify which services are integral to continuity. Should all elements be considered, and the impact of downtime be properly assessed, we would expect key communications systems like email to be explicitly mentioned in their guidance,” he added.