Cyber attack testing material made available to banks to use in their own simulations

Out-Law News | 24 Sep 2014 | 3:12 pm | 1 min. read

UK financial institutions have been given access to cyber security test exercise materials by the Bank of England (the Bank) to help them practise how they would respond to a major cyber attack on the banking system.

The materials are based on the 'Waking Shark II' cyber attack simulation exercise that some banks, other financial institutions and regulators participated in last year.

"Organisations have the option to utilise the information provided in the presentation in whatever way provides most value to their company/firm," the Waking Shark II Steering Group said, according to exercise materials (1-page / 106KB PDF) published by the Bank. "This has been made available by the Steering Group for the benefit of non-participant organisations or firms to use in running their own internal exercises to improve preparedness and response to cyber threats."

The test material describes a cyber security attack on bank systems (41-page / 588KB PDF) apparently orchestrated by a militant state. The attack is focused on overloading bank servers and has the effect of disrupting the availability of the bank's "client portals and websites" as well as corrupting closing prices on the financial markets. Various other scenarios relating to operational issues, IT security, the accuracy of market data and payment processing problems are also presented as the simulated cyber attack scenario develops within the exercise.

The exercise is set within a fictional volatile economic environment where trading activities on the financial markets are higher than normal and where stock prices are fluctuating. The exercise materials encourage banks to assess the impact of the attack on them and their customers and what they would do to manage risk.

The 'Waking Shark II' cyber attack simulation was carried out last November. The desktop exercise involved approximately 100 people representing around 30 financial services organisations gathered in one room and was designed to assess what the likely impact of a major cyber attack would be on the investment banking industry and financial market infrastructure, including payment systems.

The exercise also tested the lines of communication between companies, as well as their interaction with regulators, as the scenario was unfolding.

In February this year the Bank of England revealed the results of the Waking Shark II test. It said the exercise had identified a lack of "central industry coordination" on sharing financial sector information and communicating to the public. Participants suggested that a single body could fulfil this role in future.

The British Bankers' Association (BBA) was identified as a possible candidate for "[managing] communications across the sector during an incident", according to the report.