Simulated large-scale hacking attack tests banks' response to major cyber security incident

Out-Law News | 12 Nov 2013 | 2:11 pm

The way that banks and other financial services companies react to a major cyber attack from a large group of hackers has been put to the test in a cyber security exercise carried out in London.

The Bank of England (BoE), the Treasury and the Financial Conduct Authority (FCA) are participating in the exercise, which has been organised by Credit Suisse and was designed by investment bankers with the aid of cyber security experts.

The desktop exercise involved approximately 100 people representing around 30 financial services organisations gathered in one room and was designed to assess what the likely impact of a major cyber attack would be on the investment banking industry and financial market infrastructure, including payment systems, a BoE spokesperson told Out-Law.com.

The exercise also tested the lines of communication between companies as well as their interaction with regulators as the scenario was unfolding, they added. Results from the exercise are expected to be published in early 2014.

Andrew Miller, chief operating officer at Corero Network Security, said that he hoped the exercise would encourage banks to cooperate with one another more to repel cyber attacks.

"I personally believe that there needs to be more information sharing within financial organisations on the latest threats and attacks they are facing so they can develop a knowledge pool on how to protect against them," Miller said. "Every organisation has a different approach to cyber security and no one approach is right or wrong. Those organisations that work together to develop comprehensive defences are far more likely to remain secure than those that 'go it alone'."

Miller said that it was important that the participants in the exercise learn from any weaknesses identified so that they can continue doing business as normal should they experience a real cyber attack.

John Yeo, director of information security provider Trustwave in Europe, the Middle East and Africa (EMEA), said that it can take months for organisations to realise they have been the victim of a data breach.

"Whilst the forward planning aspect of this exercise is beneficial in helping organisations understand the threats they could face, the crucial component that needs to be addressed is the execution," Yeo said. "It is crucial that businesses have the proper security controls in place so that they can not only help prevent an attack but also, if an attack occurs, they can identify it and respond in an appropriate and measured manner. They also need to understand the techniques they should execute in order to restore their business, in order to minimise the impact of such an attack."

In 2011 a similar exercise tested how financial services companies would respond to a cyber attack if it occurred during the 2012 London Olympics.

Earlier this month the Bank of England announced that it had created a new role of Chief Information Security Officer in a move it said "reflects the importance the Bank attaches to information security". It said at the time that the new CISO, Don Randall, would be tasked with dealing with cyber threats as part of his role.