US, UK big banks to simulate mega-hacker cyber-attack
Worried insurers and others don't bother with securo probes
A mock exercise will take place this month to test how major banks respond to a major cyber attack, according to a newspaper report.
The joint UK and US initiative, Operation Resilient Shield, will be "the most sophisticated test … yet" of the way industry communicates and coordinates its efforts in response to cyber security incidents, the Telegraph reported.
The exercise has been in planning for months. The UK and US announced their intention to participate in a joint cyber security exercise in the financial services sector in January.
Previous cyber security exercises have been coordinated by the Bank in the UK.
The "Waking Shark II" desktop cyber attack simulation was carried out in November 2013. The exercise involved approximately 100 people representing around 30 financial services organisations gathered in one room and was designed to assess what the likely impact of a major cyber attack would be on the investment banking industry and financial market infrastructure, including payment systems. The exercise tested the lines of communications between companies as well as their interaction with regulators as the scenario was unfolding.
In February 2014 the Bank revealed the results of the Waking Shark II test. It said the exercise had identified a lack of "central industry coordination" on sharing financial sector information and communicating to the public. Participants suggested that a single body could fulfil this role in future. The Bank released cyber security test materials based on the Waking Shark II exercise to help organisations practice how they would respond to a major cyber attack on the banking system.
The latest planned simulation comes as recently published minutes from a meeting of the Bank of England's court of directors on 16 September provided detail on some of the efforts being taken to improve "cyber resilience" within the UK's financial services sector, including by the Bank itself.
According to the minutes, directors at the Bank are concerned that banks, insurers and other financial service companies are not obliged to participate in the voluntary CBEST programme, a cyber security testing initiative. However, Andrew Gracie, executive director of resolution at the Bank, said that cyber security testing is "becoming close to mandatory" for big financial firms.
In July, the Bank reported that industry concerns about potential cyber attack on the UK's financial system were at its "highest recorded level". In August the Prudential Regulation Authority asked UK insurers to provide it with details of their "cyber resilience".
Last year the Financial Policy Committee (FPC) at the Bank said that cyber security is not just a technical issue that the board of directors at UK banks can ignore.
Copyright © 2015, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.