UK Banks Prepare for new Waking Shark Exercise

UK banks will launch the most extensive cyber threat exercise in two years as the authorities test the preparedness of the financial system to survive a sustained online attack.

The exercise, dubbed Operation Waking Shark 2, is scheduled for mid-November with the UK’s high street bank expected to take part in a one-day ‘war game’ simulating the impact of a major cyber attack on the payments and markets systems.

An outside consultant has designed and will lead the test, to be monitored by the Bank of England (BoE), UK Treasury and watchdog the Financial Conduct Authority (FCA). It will assess the ability of the UK’s core financial services providers to withstand attacks by cyber criminals as well as state-sponsored terrorist attacks.

The exercise comes two years after the now defunct Financial Services Authority (FSA) launched the first Operation Waking Shark initiative to test the strength of online defences.

“It is vitally important that cyber security tops the priority list for IT departments within the UK’s financial service organisations – so the news that capabilities in the UK will be tested is welcome,” said Dorian Wiskow, client managing director, financial services, Fujitsu UK and Ireland.

“Not only are banks operating with legacy systems that in some cases have been in existence for many years, it is also a sector where innovation across new banking channels, such as online and mobile, is creating complex multi-channel IT infrastructures.

“Chief information officers [CIOs] in the banking industry are facing an unenviable challenge – securing these multi-channel environments while ensuring customer experience does not suffer – and this is an incredibly difficult challenge to overcome. What is paramount here is that the industry does not overlook or get complacent about security or place it in the ‘too big to fix’ category.

“Research we carried out revealed that security does not feature in the top three CIO priorities. With the sophistication of cyber-attacks and the number of threats increasing exponentially – can the industry afford for it not to be the number one priority?”

Darren Anstee, solutions architect team manager at Arbor Networks, commented: “Running regular exercises to evaluate incident response is hugely important.  Any organisation can be a target for a cyber-attack, but banks are a particular target due to the very nature of their business and the key part they play in the economy.  

Banks are targeted frequently, and with increasingly sophisticated multi-tool, multi-vector attacks; whether the attacks are motivated ideologically or for financial gain the onus is on the financial industry to protect the availability and integrity of their systems – and they should be testing their processes frequently, on a per organisation basis, to ensure this.

“It’s an ever-changing battlefield and our defences must evolve continuously. Co-operation and information sharing are key as they allow us to best prepare based on other’s experience. Exercises such as this should facilitate improved inter-organisation communication and information flow, and that can only be a good thing.” 

Earlier this month it was reported that the BoE’s financial policy committee (FPC) had given UK banks a one-year deadline to devise a robust cyber attack protection plan.


Related reading