January 23rd 2014 - At the Cyber Defence and Network Security conference in London, Andrew Gracie, executive director, Bank of London, gave a speech (.pdf) about the cyber threat that looms over the financial sector. He said that the sector must contemplate the possibility that core functions in firms, the financial market infrastructure that links them together, or the supply chains that support them may be damaged in a cyber attack, either through the corruption or loss of data or through outright loss of systems.
Unlike with physical threats, he said, detection of a cyber threat may be more difficult, as the symmetry of information is different and the mechanisms to deal with cyber threats are insufficient. In response to the rise in the potential threat to UK financial stability from cyber, the Financial Policy Committee (FPC) in June 2013 recommended that the UK authorities should work with firms at the core of the system to test and improve cyber resilience. In response, the BofE has conducted a cross-sector review of current risk management practices with regard to cyber and vulnerability testing via CBEST.
Questionnaires were issued to 36 firms comprising the core of the financial sector, providing a detailed self-assessment by firms of how they organise their cyber defences. The purpose was to enable UK authorities to take stock of resilience across the sector and identify best practice across firms. The firms included the largest UK and foreign banks active in London and the key payment and settlement systems, clearing houses and exchanges that together are critical for delivery of the financial services that the wider economy depends on.
Given the importance of these firms to the stability of the financial system, Andrew insisted on a level of resilience that goes beyond basic cyber hygiene and aims instead to ensure that firms are in a position to manage the Advanced Persistent Threats (APTs) that are the hallmark of some state-sponsored attackers.
Outlining the risks pertaining to a cyber attack, Andrew stated that “we should expect the cyber threat to be ever-present, ever-evolving and networks to be penetrated. The capability to identify where this has occurred and to respond is key.”
Part of this is active engagement with threat intelligence to understand likely adversaries, their motivations and ways of working. For all these reasons, addressing cyber risk in the financial sector is a high priority for the Bank of England.