Under the central bank’s newly unveiled framework for identifying cyber risk, CBEST, government intelligence will be used by private security firms and licensed computer hacking companies to identify the vulnerabilities of individual financial institutions.
CBEST will then replicate the techniques used by hackers to devise a test to see how successful an attack on a bank might be or whether its defences are resilient enough to repulse it.
Threadneedle Street has acted after last year’s recommendation from its financial policy committee (FPC) to test the resilience of the financial system to cyber-attack.
Andrew Gracie, the Bank’s executive director of resolution, told a meeting of the British Bankers Association, the industry’s trade body, that the results of the test “should provide a direct readout on a firm’s capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impace on financial stability.
“Low-level attacks are now not isolated events but continuous. Unlike physical attacks that are localised, these attacks are international and know no boundaries.”
As well as monitoring developing credit bubbles in Britain’s banking system and promoting economic growth, the FPC is also responsible for detecting and forestalling systemic risk.
It comes as internet security major McAfee yesterday put the global cost of cyber-crime at £266 billion. Industry experts say the Bank’s plans to investigate banks’ defences are more sophisticated than the internal tests banks currently use on their IT systems, which are more generalised rather than surgical strikes.
Participation is voluntary, but Gracie told the BBA meeting he expected take-up of the tests to be significant. “Cyber risk is not just for technology specialists. This is part of a broader issue of how organisations defend themselves against attack,” he said.
Gracie added that as the attacks were international rather than localised, digital defence “has become not a matter of designing a hard perimeter that can repel attacks, but detecting where networks have been penetrated and responding effectively where this occures”.
CBEST was set up last month but not publicly announced until yesterday. Andrew Wingfield, a financial services lawyer at King & Wood Mallesons SG Berwin, said the threat of electronic attacks and their impact had grown as online banking takes hold with a large section of the population.
“The UK’s ability to deal with such attacks will determine how it is viewed globally in terms of investment and its position as a worldwide leader in financial services,” Wingfield said.