The Bank of England (BoE) and the Financial Conduct Authority (FCA) have given the UK finance sector three months to explain how they can avoid damaging IT breakdowns and respond to the growing threat of cyber attacks.
The move comes just over a week after a Bank of England report in which cyber attack was cited as a risk by 62% of respondents to the biannual survey from the UK financial services regulator.
Although Brexit was seen as the biggest risk, more than half (51%) of respondents said cyber security is the most challenging risk to manage. “Firms have primary responsibility for their ability to resist and recover from cyber attack,” the BoE report said.
If financial sector firms fail to demonstrate adequate backup plans by the deadline, regulators could require them to increase investment in making their systems more resilient.
The FCA and the BoE emphasised that responsibility for ensuring the resilience of financial firms sits with senior management, who will be held accountable in the event of prolonged disruption.
Leo Taddeo, chief information security officer at security firm Cyxtera and former FBI special agent, said there are some “good reasons” to worry about a nation state or hacktivist cyber attack on the financial sector.
“In 2012, US banks suffered a series of significant distributed denial of service (DDoS) attacks by Iranian state actors. While it’s important to build resilience, enterprises also need to stay ahead of the threat by continuously monitoring all available sources, including social media and dark web sites,” he said.
Stuart McKenzie, vice-president for Europe for Mandiant at FireEye, said the regulators’ initiative is welcome because while cyber has long been on the risk register of most organisations, greater rigour and understanding is needed in the boardroom.
“Cyber attacks are an increasing issue, and while many organisations have put in place procedures and practices to deal with specific types of attacks, few consider the wider implications and the interdependencies of systems.
“I would encourage boards to ask difficult questions of how the organisation would deal with a destructive attack and rebuild from a complete loss,” he said.
It is important to develop a cyber strategy and test it regularly, added McKenzie. “We need to test the effectiveness of the controls with proactive testing such as red teaming, but additionally organisations need to test their assumptions with a complete review of the security posture on a regular and ongoing basis.
“Educating the boardroom on both the risks and their roles in a cyber crisis through role playing a scenario builds muscle memory and allows the organisation to be better prepared when faced with an actual event,” he said.
Sean Newman, director at Corero Network Security, said the BoE report focuses on establishing standards for resilience to cyber risks.
“The report reinforces that financial organisations have a ‘primary responsibility for their ability to resist and recover from cyber incidents’, with responsibility for conformance all the way up to board level and the levels of cyber resilience expected being based on the judgement of independent experts, such as the National Cyber Security Centre.
“And, although there is a suggestion that two days is an acceptable limit for disruption to a service, this is caveated by the fact that there is also a strong emphasis on cyber attack protection, to avoid the need to recover in the first place,” he said.
Dan Pitman, senior solutions architect at security firm Alert Logic, said the concepts of disaster recovery, cyber threats and business continuity are intrinsically linked through business risk. “But too often, they are considered separate by businesses,” he said.
“Banks and other financial services underpin our economy and enable the public and businesses to operate. They have a duty to ensure that disruption from any source, be it technological, process-based or malicious, is planned for and demonstrable to customers, partners, and governing organisations.”
A risk-based approach
Dan Sloshberg, director of product marketing at email security firm Mimecast, said the growing dependence on operational IT services, from payment processing technologies to cloud email in Office 365, requires a risk-based approach to building cyber resilience.
“This response involves combining a defensive strategy with an ability to get back up and running quickly, with minimum disruption and zero data loss. This should be paired with alternative access routes to key systems like email so businesses can keep on running – even when the worst happens,” he said.
Echoing the view of many in the security industry, Sloshberg said WannaCry was a wakeup call and highlighted the disruptive power and scale cyber attacks can have on our critical national infrastructure.
“Organisations can also learn from the new NIS Directive,” he said. “This legislation clearly signals the move away from pure protection-based cyber security thinking. Robust business continuity strategies have never been more important to ensure organisations can continue to operate during an attack and get back up on their feet quickly afterwards.”