
The Bank of England (BoE) has published the high-level findings of the financial sector (“sector”) cyber simulation exercise.
Exercise overview
The exercise explored the sector’s resilience to a major cyber incident affecting the UK. Alongside the Bank of England and PRA, the Financial Conduct Authority and HM Treasury, participants included 29 market-leading firms and Financial Market Infrastructures. Participants responded to a severe cyber-attack scenario targeting the sector, centred on a protracted operational outage at a Global Systemically Important Bank. The exercise demonstrated the sector’s ability to respond to a dynamic and challenging disruption simulation.
The scenario was designed to test:
- The effectiveness of the sector response framework in enabling a coordinated response to a cyber attack; and
- The effectiveness of the UK Finance (financial sector trade body) communications process for developing a sector communications strategy.
Findings
The exercise highlighted a number of key takeaways:
- Co-ordination at an operational level – participants agreed that impacts and responses were coordinated and discussed effectively at the strategic level. It was highlighted, however, that improvements were needed at the operational level;
- Disparity in risk tolerance for suspending services – in the case of system integrity issues, participants’ decision making and risk appetite for suspending services varied significantly. Such inconsistency would likely have significant knock-on effects on the market and the real economy as a whole;
- Restoring data and recovering service – participants’ current ability to support another operationally paralysed bank is limited by the different ways in which data is stored. This disparity currently prevents contingencies from being used to the benefit of the sector as a whole;
- Communication practices – the exercise recognised the importance of effective communications in maintaining customer and market confidence in the system. It demonstrated that use of UK Finance’s incident management communications framework and coordination has significantly improved collective communications.
Conclusions
In recent years, data and IT security issues have risen to the top of most financial and corporate risk registers. Attackers are continuously developing new methods to gain entry, making sustained and widespread operational disruption one of the most significant challenges faced by the UK financial sector. Whilst the findings show that the sector has taken steps to mature and better prepare itself against cyber threats, it is clear that inconsistencies in approach mean the sector remains at risk. Further collaboration appears to be required in particular to improve cross-sector communication and co-ordination, and to develop industry guidelines and good practice for managing the controlled suspension of services and system integrity risks.