UK finance sector: IT security testing 'becoming close to mandatory'

Voluntary in name only

Regulators are nearly at the point of requiring major financial services companies to participate in a cyber security testing programme, according to the Bank of England.

Minutes from a meeting of the Bank's court of directors on 16 September (10-page / 45KB PDF) provide detail of some of the efforts being taken to improve "cyber resilience" within the UK's financial services sector, including by the Bank itself.

Directors at the Bank "expressed concern" that banks, insurers and other financial service companies were not obliged to participate in the voluntary CBEST programme, a cyber security testing initiative. However, Andrew Gracie, executive director of resolution at the Bank, said that companies were being put under pressure to engage with CBEST.

"The industry tended to focus on conventional attacks that might cause consumer loss, while the potential threats to financial stability were typically more complex and insidious," the Bank's minutes said. "Directors expressed concern that CBEST testing remained voluntary. Mr Gracie said that was the formal position, but the supervisors were making participation a clear expectation and in practice it was becoming close to mandatory for the bigger firms."

A market-wide cyber security exercise is scheduled to take place next year and regulators have been discussing the importance of cyber security being a board room issue for companies with the companies themselves, particularly in relation to governance, according to the minutes.

The Bank is available to "provide technical and intelligence back-up as necessary" to financial services companies that fall victim to a successful cyber attack, they said.

In July, the Bank of England reported that industry concerns about potential cyber attack on the UK's financial system were at its "highest recorded level". Last year the Financial Policy Committee (FPC) at the Bank said that cyber security is not just a technical issue that the board of directors at UK banks can ignore.

Details of the measures the Bank has been taking to improve its own cyber resilience were outlined by its chief information security officer William Brandon at the September meeting. Brandon said that external threats to the Bank's IT security have been increasing but that the Bank had made "significant progress … in applying controls" to safeguard the information.

"A £20mn three-year investment programme had been agreed in 2013 and there had also been a substantial increase in day-to-day resources in the IT Security and Information Security Divisions, with an uplift of 74 FTE staff," the minutes said. "Technical controls put in place had strengthened the Bank’s ability to prevent, detect and respond to attacks. But no technical fix could guarantee security 100%, so at the same time significant effort had been made to improve security awareness among all staff, and incident handling procedures had been strengthened."

Staff at the Bank participated in testing designed to raise their awareness of phishing attacks. As a result "fewer now took the bait and many more reported suspicious traffic", the minutes said.

Separately, the minutes also noted progress in relation to the "implementation of the recommendations" made by Deloitte in its review of the real-time gross settlement (RTGS) payment system IT outage incident that occurred in October 2014. The outage caused delays to the processing of 142,759 CHAPS payments valuing a total of £289.3 billion.

Among its recommendations, Deloitte called on the Bank to set out a technical strategy for the RTGS system after finding that the "introduction of design and functional defects as part of the functionality changes" to the RTGS in April 2013 and February and May 2014 had been behind the system outage on Monday 20 October 2014.

According to the minutes, the Bank is "on track" in implementing Deloitte's recommendations and the Bank's RTGS Strategy Board is monitoring that activity. The Board has been "improving the strategic oversight and governance around RTGS", it said.

"This included improvements to the testing strategy and the change approvals process, and completing the technology risk review," the minutes said.

Copyright © 2015, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.




Biting the hand that feeds IT © 1998–2018