UK Banks Get One Year to Devise Cyber Attack Protection Plan

The Bank of England (BoE) and the UK Treasury are responding to concerns about the vulnerability of UK lenders to computer hackers by requiring board directors to draw up plans to address the issue within the next six months.

As part of the process, the BoE itself will be “reviewing its own resilience”, according to minutes released of last month’s meeting of its financial policy committee (FPC).

In the minutes, the FPC refers to ‘complex legacy IT systems’ at UK banks as a potential vulnerability, as well as the financial system’s “high degree of interconnectedness [and] reliance on centralised market infrastructure”.

Treasury officials are reported to be working on plans to assess, test and improve the system’s resilience to cyber attacks. However the FPC, chaired by Mark Carney who took over as BoE governor on 1 July, wants a ‘concrete plan’ in place before April 2014, with a progress report available by the end of this year.

Peter Armstrong, director, cyber security sector, Thales UK, said the BoE and Treasury’s concern “echoes the sentiments of the KPMG report earlier this year which highlighted the current high level of naivety in the market regarding cyber security.

The KPMG report, issued in August, warned that the next systemic shock to the financial system could come from a ‘new breed of cyber attack’. It found that online account fraud rose 12% last year and that there had been a rise in revenge hits by hackers.

“The FPC have warned that this issue must be tackled at director level within the banking industry , and there is a growing need for companies to acknowledge that cyber security is not just an IT issue, but a business issue,” said Armstrong. “If businesses haven’t realised this, their organisation is already on the back foot.  The consequences of cyber attacks are now so severe that cyber defence must become a board room discussion where companies explore what measures need to be put into place to ensure they are acting proactively – not reactively.

“In order to remain poised to react to this evolving threat landscape, banks must continually assess their defence capabilities and employ best practice cyber maturity models to centre around continuous policy evaluation and adaptation. Organisations that prepare for the FPC’s 2014 compliance deadline now are the ones that will gain a competitive edge.”

Proactivity Needed

Alex Fidgen, director at consultancy MWR InfoSecurity, commented: “While the issue of improving security is a complex one, it should be focused around an asset-based approach. Emphasis has to be made in protecting key industry infrastructure, such as payment systems, by blocking all attack paths leading to it, and this can only be achieved by thorough assessment of a company’s assets.”

“In order for the finance industry to understand where security can be improved, they must adopt assessments that replicate some of the attack methods used by more sophisticated attackers, which are often state sponsored.”

He added: “If they miss this stage out, they will not identify how best to defend and will not only waste funds and resources protecting the wrong assets but they will be at serious risk of being hacked.”

Fidgen said that these sorts of measures should apply not only to UK banks but also to any financial institution operating in the European Union (EU), especially as the EU still provides Safe Harbour.

The adoption of advanced defensive programmes is likely to provide these financial institutions with a competitive advantage.

Fidgen added: “More to the point, a demonstrable defence programme will enable financial institutions to pro-actively satisfy regulatory authorities that their asset book can be value assessed accurately, and potentially argue for lower capital to asset ratios under legislation such as Basel III.”



Related reading