The Bank of England has teamed up with the Treasury, the Financial Conduct Authority and not-for-profit organisation CREST to develop a framework for delivering cyber security tests and benchmarking for UK financial services providers.
The framework, dubbed CBEST, is also aimed at enabling firms to share threat intelligence. Ultimately, its objective is to assist the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber-attacks that could threaten the UK’s financial stability. It will also focus on the extent to which the UK financial sector is vulnerable to attacks.
Andrew Gracie, the Bank of England's executive director for resolution, told delegates at the British Bankers' Association's Managing Cyber Risk conference today that sophisticated cyber-attacks pose a growing threat.
Ian Glover, president of CREST, said that while existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber-attacks on critical assets.
“CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by government and commercial intelligence providers as posing a genuine threat to important financial institutions,” he said.
The Bank of England is seeking to form partnerships with commercial suppliers of threat intelligence and security testing services to help establish a best practice approach to defining and executing the tests.
“Essentially, the threat intelligence service suppliers will provide threat intelligence to security testers, augmented by government support, which will use it to target their attacks,” said James Chappell, CTO at Digital Shadows, a cyber-intelligence firm that has also worked on developing the CBEST framework.
The Bank of England, the Treasury and the FCA had previously teamed up with UK banks, in November 2013, for Operation Waking Shark II, a simulated cyber-attack that aimed to test the banks' defences.
In the same month, the Bank of England revealed that several UK banks had been hit by cyber-attacks in the preceding six months, resulting in financial losses for the firms affected.