The Bank of England has published findings from its Waking Shark II security exercise, which tested the financial sector’s contingency plans for cyber attack.
The Bank of England report showed progress had been made since previous exercises, and said the industry had demonstrated communication and co-ordination across different financial agencies.
The Waking Shark II cyber security exercise, held on 12 November 2013, was a rehearsal for the wholesale banking sector, including investment banks and key financial market infrastructure.
Waking Shark II was organised by the Securities Industry Business Continuity Management Group, which designed a scenario in which a cyber attack caused disruption to wholesale markets and the financial infrastructure supporting those markets.
It involved participants from investment banks, financial market infrastructure, the financial authorities and the relevant government agencies. The exercise tested the communication between firms and between companies and the authorities. It aimed to improve understanding of the impact of a cyber attack on the participants and the wider financial sector.
Stephen Bonner, a partner in KPMG’s Information Protection and Business Resilience team, said that fear of damaged reputations and stuttering share prices had prevented organisations sharing information about cyber breaches in the past.
“But the days of isolationist thinking have long since disappeared, as an attack on one institution can lead to the exposure of commercially sensitive details for another,” Bonner said.
Other cyber security news in the banking sector
- Operation Waking Shark 2 is good, but is it enough?
- Bank of England and Treasury set banks cyber security deadline
- Cyber attacks top banking risk, says Bank of England
- UK government launches cyber threat data-sharing partnership
- CIO interview: John Finch, CIO, Bank of England, on the IT behind UK monetary policy
- CIO interview: Simon Moorhead, Bank of England
“When anyone is under attack it’s always too easy to get caught in the moment and focus on self defence, but the onus must be on collaboration. Rather than hide when things go wrong, they should inform those that need to know – doing so will put attackers on the back foot and ensure partners and suppliers can take the necessary steps to ensure waking sharks are put to sleep.”
The report identified areas of further improvement, including looking into creating a single co-ordination body from industry to manage such communications during an incident, as well as co-ordination from the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA).
The report noted there was some communication between participants and good communication with authorities, but it was identified there “is no formal communication coordination within the wide sector”.
The authorities will provide further clarification on the respective roles of the authorities, government agencies and the sector in general in responding to major cyber events.
The Cyber Security Information Sharing Partnership (CISP) platform will continue to be enhanced and organisations will be reminded of the importance of reporting attacks to the appropriate authorities.
Bonner said: “The fact is that the rising number of attacks shows that cyber vulnerabilities must be taken seriously.
"We’ve seen requests for help more than doubling in the past 12 months suggesting that the recognition is there, but awareness doesn’t equal resolution.
"Waking Shark II has shone a welcome light on current vulnerabilities, but that doesn’t mean it is safe to ‘get back in the water’. Hackers see each barrier as a challenge to be beaten, meaning that constant vigilance and testing is vital if financial organisations are to remain secure.”