Barclays digital banking services become first to obtain UK government's cyber security certification

Out-Law News | 08 Jul 2014 | 10:21 am | 1 min. read

High street bank Barclays has become the first major organisation to be certified under the UK government's new cyber security programme, the Cyber Essentials Scheme (CES).

Gotham Digital Science (GDS), a member of CES accreditation body CREST, issued the award to Barclays for its digital banking products MyBarclays, BMB and Pingit. To be certified, the company had to complete a questionnaire and go through an external perimeter vulnerability scan to identify any security flaws in its systems that could be taken advantage of by outsiders.

"We identified this new government scheme as an important part of our plans to help customers in the digital age transact completely safely and securely," said Philip Sowter, Barclays' director of mobile banking. "We are pleased to be involved with the scheme and to have been recognised by the Cyber Essentials Certification."

The company will now work with GDS towards a Cyber Essentials Plus certification. This is the second level of certification available under the scheme and offers a higher level of assurance.

The CES opened for applications in June and builds on previous recommendations the UK government put in place to help businesses reduce their vulnerability to cyber attacks. As part of the scheme, businesses can obtain certification for the cyber security measures that they are responsible for when outsourcing IT services, including to a cloud provider. They can also obtain certification for the security of their 'bring your own device' (BYOD) policies.

Businesses can apply for either a 'cyber essentials' certificate or a 'cyber essentials plus' certificate under the scheme. A 'cyber essentials' certificate is issued if a business self-assesses its own compliance with the government's guidelines (17-page / 513KB PDF) and its assessment is independently verified. A 'plus' certificate is only available if a business allows the cyber security measures that it has in place to be independently tested for compliance with the guidance.

Once awarded a certificate under the CES, businesses can display the Cyber Essentials badge on their websites to demonstrate to their customers that they comply with a certain level of good practice guidance.

CREST has also worked with the Bank of England to develop a voluntary framework, specific to financial services firms, which will allow firms to carry out cyber security tests that replicate the behaviours of typical threats experienced by systemically important financial institutions. CBEST, which was officially launched last month, is the first initiative of its type to be led by any of the world's central banks, according to CREST.