Bank of England Sets up Cyber Crime Unit

The Bank of England (BoE) has stepped up measures to combat cyber crime by introducing new measures to help banks detect and counter hacking.

Andrew Gracie, executive director for resolution, said that the BoE had last month launched a new framework entitled CBEST, which was developed in collaboration with the Council of Registered Ethical Security Testers (Crest). It was now going public with the new framework, which will be voluntary.

CBEST will combine intelligence from government and security companies to assess risks to the financial system. It will then apply bespoke tests to see whether banks’ security systems are vulnerable. Gracie said that unlike current cyber threat systems, the new framework would replicate threats that are already being used by criminals.

“Unlike physical attacks, which are likely to be localised, the impact of a successful cyber attack on the financial system as a whole is potentially more serious from a financial stability point of view,” he told the audience at a meeting on cyber crime organised by the British Bankers’ Association (BBA).

“Low-level attacks are now not isolated events but continuous. Unlike physical attacks that are localised, these attacks are international and know no boundaries.”

In a report ahead of the meeting, the BBA warned of the rising threat of cyber attacks and “an element of lack of awareness and cultural resistance” to co-operation across the sector. At the same time, the BoE’s own systemic risk survey shows that concerns about threats to banks’ operations are at a record high, with cyber attacks the biggest worry.

Sophisticated threats

Commenting on the announcement, Liz Fitzsimons, legal director at law firm Eversheds, said: “Governments, businesses and many others recognise the potential power of the on-line global economy to improve communication and understanding as well as create opportunity, employment and wealth.

“Cyber crime puts this at risk not just in developed economies – which have to date borne the financial brunt of cyber crime – but also in developing nations where the impact may be greater in real terms.

“Individuals, businesses and authorities must unite to raise awareness of the risks and help in eliminating them to prevent the greed of a few from spoiling the benefits of the on-line world for the majority.”

Ian Glover, president of Crest, said: “Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets.

“CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by government and commercial intelligence providers as posing a genuine threat to important financial institutions.”


Related reading