Hot on the heels of Waking Shark II, a three-day simulated cyber-attack exercise (organised by the Bank of England, the Treasury and the Financial Conduct Authority), the Bank of England has employed ethical hackers to attempt to strengthen the cyber security of financial organisations. Known as Cyber Threat and Vulnerability Management, these commercially provided hackers will be using the latest techniques to examine banks’ technology defences. We expect other national competent authorities to be interested in the results of this exercise.
The financial services industry is seen as a holy grail for cyber criminals. Banks are an enticing target, and their exposure is exacerbated by inherent vulnerabilities within the industry, such as a high level of interconnectivity with third parties (including shared infrastructure and outsourced providers) and the large amount of technical complexity typically seen in legacy infrastructure. Indeed, there have been a number of high-profile attacks on retail banks in the last few months alone, all of which have led to financial losses.
In response, in the UK, the Bank of England, via the Financial Policy Committee, has requested that banks and infrastructure providers define ways to improve their defences within a “concrete plan”, similar to recovery and resolution plans. This request has been made at Board level, recognising that cyber security should be treated as a strategic issue, not an IT issue.
The US authority has followed Waking Shark with a similar exercise, named Quantum Dawn, which resulted in similar findings, such as the lack of a single co-ordination body and of communication management during an incident. All national competent authorities (NCAs) need to ensure these resulting plans are not confined to the filing cabinet. Similar, more global exercises – rather than the single-jurisdiction approach – need to be held regularly, to adapt to the continually evolving methods of attack. It will be interesting to see how the US and the EU will respond. In the future, could cyber protection be mandated by regulation?