Financial institutions and regulators consider single body to 'manage communications' during cyber attacks

Out-Law News | 06 Feb 2014 | 4:15 pm

A new group could be created within the financial services sector to "manage communications" across industry during a widespread cyber attack, the Bank of England (the Bank) has said.

The Bank said in a report charting the outcome of a cyber attack exercise (10-page / 714KB PDF), conducted within the financial services sector in London in November last year, that the designation of a "single coordination body from industry" to perform the role would be considered. The British Bankers' Association (BBA) may fulfil the role, it said.

"It was noted that there is no central industry coordination for financial sector information sharing and communication to the wider public and it was suggested that consideration should be given to allocating this role to a single coordination body from industry (possibly the BBA) to manage communications across the sector during an incident," the Bank said in its report.

"A number of the participants stated that they were unclear as to the process for communication with regulators in the new institutional framework and some dual-regulated firms were unaware that notification to both regulators was a requirement," it said.

Approximately 220 individuals participated in the 'Waking Shark II' exercise. They represented regulators such as the Bank and the Financial Conduct Authority (FCA) as well as the Treasury and a range of businesses operating across the sector.

The exercise put to the test the way that banks and other financial services companies would respond to a major industry-wide cyber attack from a large group of hackers, rather than individual organisations' own "cyber response mechanisms", the Bank said. Their response to cyber attacks on both a "technical level" and "from a business perspective" was examined, it added.

The exercise included simulated 'distributed denial of service' (DDoS) attacks on financial institutions' websites and other online-facing systems, attacks on banks' payment systems and attempts to "wipe" data held on firms' systems. The exercise also tested how the industry would respond to attacks affecting financial markets pricing data, the report said.

DDoS attacks typically involve hackers using malware-infected computers to bombard systems with such large amounts of traffic that they cease to function.

Future cyber attack testing within London's financial services industry may involve service providers, such as BT, according to the report.

"With representatives from all the major UK wholesale banks and the UK authorities participating, supported by key industry experts, Waking Shark II successfully challenged the sector in a realistic manner," the Bank's report said. "The lessons learned will not only influence the finance sector’s preparedness for a real-life cyber-event, but also serve as an example of how other sectors in the UK’s finance industry can test their own capabilities in the future."

In a separate announcement (2-page / 132KB PDF), the Government also revealed that senior department officials had held talks earlier this week with regulators about how to better coordinate to protect against cyber attacks on "the essential services on which we all rely".

In its announcement the Government said that both it and regulators are responsible for helping businesses that operate 'essential services' to address cyber security challenges.

The measures the Government and regulators agreed to take include encouraging more businesses to review whether their cyber security meets Government-backed guidelines. They will also encourage those 'essential service' providers to compel their suppliers to adhere to a new organisational standard for cyber security backed by the Government.

The regulators will also seek to improve information sharing by businesses operating within their sectors on "threat, vulnerabilities and mitigation strategies" relating to cyber security and will monitor the state of cyber security in their sector and work with industry to address vulnerabilities, the Government said.