Out-Law / Your Daily Need-To-Know

Cyber stress tests in UK payments market planned for 2019

Out-Law News | 29 Jun 2018 | 11:40 am | 1 min. read

Banks' payment systems will be subject to cyber stress testing in 2019, the Bank of England has announced.

The initiative will represent the piloting of a new stress testing approach being developed by the Bank's Financial Policy Committee (FPC) and will be based on standards that the FPC is to set around its expectations on how speedily firms should be able to restore "vital services" in the event they fall victim to a cyber attack.

The new standards and stress testing approach are expected to also be applied across other sections of the UK's financial services market in time too, although the incident modelling, the firms in scope, and the economic activities tested "will likely vary from test to test", the FPC said.

It said it "intends to calibrate its stress-testing scenarios to be severe but plausible".

The National Cyber Security Centre (NCSC) will be involved in shaping the cyber stress testing exercises, the FPC said.

"Firms undertaking this stress testing will need to demonstrate their ability to meet the FPC’s impact tolerance," the FPC said in its latest financial stability report (74-page / 6.15MB PDF). "In instances where that cannot be shown, remedial action plans will be agreed with supervisors."

"The FPC will work with other regulators to establish which firms would be in scope of stress testing. The scope is likely to vary, depending on the vital service that is being tested, and will take into account firms’ contribution to the function (measured by value, volume and/or market share), and interconnectedness," it said.

More details on the stress testing in payments will be published later this year, but firms will have a chance to "develop the pilot approach" in collaboration with the Bank and Prudential Regulation Authority (PRA), the FPC said.

"Disruption to one bank’s payments could have a direct impact on the real economy by impacting the ability of customers of that bank to pay for goods and services," the FPC said. "But a severe disruption to one bank’s ability to make payments may also have an impact on other firms initially unaffected by the incident which could impair interbank lending and, in turn, activities such as clearing, settlement or mortgage payments."

According to the recently published results from the Bank's systemic risk survey (8-page / 618KB PDF) for the first half of 2018, firms' fears about the risk of cyber attacks to the UK's financial system are at record high levels.

Of the firms surveyed on the views of risks to, and confidence in, the stability of the UK financial system, 62% cited cyber attack as a risk, up from 57% in the previous survey.

The same percentage of firms cited geopolitical risk, with only UK political risk (91%) more commonly cited – around 80% of respondents explicitly referred to the implications of Brexit.