Cyber threats 'merit UK bank board room attention'

Out-Law News | 17 Dec 2014 | 2:06 pm | 1 min. read

Cyber security is not just a technical issue that the board of directors at UK banks can ignore, the Financial Policy Committee (FPC) at the Bank of England (the Bank) has said.

In its new Financial Stability Report (74-page / 1.67MB PDF), the FPC said that "all core firms and financial market infrastructures have submitted a self-assessment on cyber resilience" to City regulators and that the results highlighted some areas for improvement, including the way in which banks view cyber threats.

"Although these assessments have not revealed any critical shortcomings at this stage regulators have noted some areas for improvement, including a tendency among firms to view cyber threats as a ‘technical’ problem – rather than as an issue which merits board-level attention given the evolving nature of cyber threats and the key importance of cyber resilience to continuity of financial services," the report said. "Supervisors are working with firms to agree timetables for remediation."

Banks' self-assessment of cyber resilience is part of a broader vulnerability testing programme that the companies are involved in, according to the report. The FPC said that core businesses in the financial services industry have been working within the CBEST framework. CBEST, which launched in May, is the UK government's national cyber security programme.

"CBEST is a framework for delivering controlled, bespoke cyber security tests, using the expertise of government and commercial intelligence providers to simulate the types of threat that systemically important financial institutions face," the report said. "The findings of both the self-assessments and CBEST will together form the basis for specific and concrete action plans for firms. Some firms have begun the process of CBEST testing."

The FPC said there is "a need for core firms and financial market infrastructures to conduct CBEST vulnerability testing as soon as practicable in order to enhance the resilience of the financial system to cyber threats".

The risks arise because of the "deliberate actions of malicious (and potentially sophisticated) actors, who adapt their strategies in response to defensive measures taken by firms and regulators". To address the evolving threat, banks should "take steps to ensure their defences remain up to date" and ensure cyber security is "a strategic priority" within the board room, the FPC said.