• Industry: Financial Services
• Type: Regulatory update
• Date: 7/22/2014

Cyber security – the wider European agenda

Cyber security continues to be a hot topic and is likely to be on the agenda at the forthcoming G20 summit. There has been a lot of activity in the UK around cyber, with the Bank of England (BoE) employing ethical hackers to attempt to strengthen the cyber security of financial organisations. European firms that are not already engaged in this topic should be, as it is likely to become an issue for European regulators, and given the close working relationship between the BoE, the Prudential Regulatory Authority and the ECB, it is likely to have an impact on pillar 2 capital requirements.

Hot on the heels of Waking Shark II, a three-day simulated cyber-attack exercise (organised by the Bank of England, the Treasury and the Financial Conduct Authority), the Bank of England has employed ethical hackers to attempt to strengthen the cyber security of financial organisations. Known as Cyber Threat and Vulnerability Management, these commercially provided hackers will be using the latest techniques to examine banks’ technology defences. We expect other national competent authorities to be interested in the results of this exercise.

The financial services industry is seen as a holy grail for cyber criminals. Banks are an enticing target, and the problem is exacerbated by inherent vulnerabilities within the industry, such as a high level of interconnectivity with third parties (including shared infrastructure and outsourced providers) and the large amount of technical complexity typically seen in legacy infrastructure. Indeed, there have been a number of high-profile attacks on retail banks in the last few months alone, all of which have led to financial losses.

In response, in the UK, the Bank of England, via the Financial Policy Committee, has requested that banks and infrastructure providers define ways to improve their defences within a “concrete plan”, similar to recovery and resolution plans. This request has been made at Board level, recognising that cyber security should be treated as a strategic issue, not an IT issue.

The US authority has followed Waking Shark with a similar exercise, named Quantum Dawn, which produced similar findings, such as the lack of a single co-ordination body and of communication management during an incident. All NCAs need to ensure that the resulting plans are not confined to the filing cabinet. Similar but more global exercises, rather than the single-jurisdiction approach, need to be held regularly in order to keep pace with continually evolving methods of attack. It will be interesting to see how the US and the EU respond. In the future, could cyber protection be mandated by regulation?

To discuss this issue further, please contact:

Rhys Hermansson