Concern over attack on banks' 'data integrity'

Out-Law News | 20 Jun 2019 | 10:32 am | 3 min. read

Cyber attacks that corrupt data held by banks could cause "maximum damage" to financial stability in the UK, a member of the Financial Policy Committee at the Bank of England has warned.

Professor Anil Kashyap, external member of the Financial Policy Committee at the Bank of England, told the Treasury Select Committee earlier this week that he worries more about "data integrity" attacks than "denial of service" attacks that cause banking systems to go offline temporarily. He said it is only a matter of time before a major data integrity incident occurs.

"The one I personally worry about more is a data integrity breach where somebody penetrates your system, is in there, doing malicious things for months, let's say, you find out about it at some point and then you have this difficult decision where you have to restore the system where you could be restoring a corrupt system – where the act of coming back online basically destroys the ability to go forward," Kashyap said.

"That problem, as best as I can tell, doesn't have an analogy in any other regulatory domain I can think of – where you know you are sick now but you don't know when you became sick and you don't know how far along you are. Usually in these regulatory problems there's an analogy – you can say 'well we do food safety this way or nuclear proliferation that way', [where] we have models we draw on. For the data integrity thing we are kind of in new territory," he said.

"If you wanted to do maximum damage [a data integrity attack] is what you would probably do if you were a state actor. Imagine you wanted to try to threaten the integrity of the UK's financial system, what would be the biggest way to do it? I think this would be something that would be on the table. If you think of the worst case this is pretty scary… If you think it is a state actor I don't know if you can expect any individual firm to be able to defend itself," Kashyap said.

Angus McFadyen

Angus McFadyen


... there is no way to absolutely guarantee the security of systems – no organisation has a bottomless budget and so risk-based decisions are required.

Kashyap told the Treasury Select Committee that the UK has a global leading framework for "probing resilience" and that a second round of penetration testing under the Bank of England's CBEST scheme is scheduled.

Financial services and technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law, said that other regulators in the UK are subjecting financial institutions to scrutiny in relation to cybersecurity issues. He said that the Financial Conduct Authority (FCA) has listed cyber risk and incident management as focus areas for firms in the past two years.

"Recent high profile outages experienced with ATMs, card payments and online banking bring banks a great deal of criticism from customers and regulatory pressure," McFadyen said. "As the comments made by Anil Kashyap highlight, though, there is recognition that there is no way to absolutely guarantee the security of systems – no organisation has a bottomless budget and so risk-based decisions are required. This is consistent with the proportionality provided for in the General Data Protection Regulation (GDPR), in terms of the security measures to be implemented to protect personal data, and within the FCA's Handbook principles too."

Data protection and cyber risk experts at Pinsent Masons said earlier this month that the GDPR's tight deadline for reporting personal data breaches together with a lack of detailed regulatory guidance on reporting and the threat of multi-million pound fines has changed the risk environment for organisations and has led to a dramatic increase in data breach notifications to the UK's Information Commissioner's Office (ICO).

The ICO recently revealed that it had received around 14,000 personal data breach reports from organisations between 25 May 2018, the date the GDPR became effective, and 1 May 2019.

McFadyen said the increased focus that 'big tech' is getting from financial regulators is also noteworthy. He said their presence in the market as both financial service providers in their own right as well as in terms of the increasing reliance placed on them by incumbents, including in the context of cloud-based services, is likely to be subject to increasing scrutiny as their technology and services "become critical components of the financial market infrastructure".

In his evidence to the Treasury Select Committee, Kashyap said the Bank of England has "explicitly warned about" and is monitoring the risks associated with multiple banks choosing the same provider of cloud services and those services by "knocked" offline.