G7 countries to collaborate on cyber attack simulation, BoE reveals
The Bank of England’s financial services regulator, the PRA, is working with its international counterparts across the G7 group of countries on a simulation exercise to see how the financial sector would respond to and recover from an international cyber attack.
Speaking at this year’s Infosec Europe conference at Excel in East London, Duncan Mackinnon – the PRA’s executive director – said that the simulation exercise (SimEx) – used to evaluate an organisation’s ability to respond to cyber incidents effectively – would take place next April.
“We’re coordinating with the G7 Cyber Expert Group made up of international counterparts from these countries, which is currently being chaired by the Bank of England and our US Treasury colleagues,” he said.
“One of the things we’ll be doing next April will be an international SimEx to see how we can cope with an attack,” he confirmed.
According to Mackinnon, the SimEx is just one of the measures the BoE is taking to build resilience in the financial sector to deal with the impact of attacks when they do succeed.
He also made it clear that the PRA was keen to work with the Financial Conduct Authority and other firms across the sector – including financial service firms, fintech firms and third-party technology providers that are fast becoming a pivotal part of the UK’s financial ecosystem.
“We are very aware of the risk around developing technology including cloud and other managed services providers,” he said.
While some of these tech firms do not fall under the same regulatory remit as financial institutions, Mackinnon added that there was a growing realisation that “if they were to fail or there were disruptions to their services then the impact on the UK financial system would be severe.”
Following a series of recent high-profile attacks on the financial sector – including the Ion Markets’ February cyber attack, which had a major impact on global derivatives trading, as well as the Capita data breach that occurred in May – Mackinnon revealed that the PRA was working with the FCA, the UK Treasury and the National Cyber Security Centre to investigate “the root causes of these attacks so that we can mitigate their impact”.
The regulator said that the BoE also wanted to work with industry and government to “build resilience together” through a number of scenario testing exercises.
According to Mackinnon, banks, insurers and financial market infrastructure firms (FMIs) need to build and invest in their ability to ‘prevent, adapt, respond and recover’ from attacks when they occur and to learn from the disruptive impacts that flow from them.
This, the regulator suggested, should include possessing a robust scenario testing framework – something, he added, that firms needed to do a lot more work on.
“Firms may want to define ‘severe’ and ‘plausible’ scenarios using a largely judgement-based approach and we understand that’s a reasonable starting point – but we think there’s more work to be done on how to calibrate scenarios.
“For each scenario we’d encourage firms to look at both the causes of it and the impacts of the disruption that it might lead to, as well as the types of risk that that scenario addresses.”
Mackinnon added that within these scenarios firms also needed to explore the disruption that would follow an attack on a business’s most important services and the potential impact on the wider financial system.
The regulator also said that it was important for firms to have a playbook in place to support their recovery in the event of an attack – how they might reroute their critical payment systems, for instance.
According to Mackinnon, the PRA has also developed a tool to test the operational resilience of firms at a sector-wide level.
“Just as we expect our firms to assess the impacts of an attack, we are undertaking the same exercise and we’ve recently published the findings of our cyber stress test, which was designed to explore firms’ response and recovery options in a hypothetical data integrity scenario,” he explained.
“Severe and plausible scenarios are at the heart of these tests and for the first time this year we’ve looked at a severe scenario where a cyber attacker is penetrating one of the UK’s core retail payment systems,” he revealed.
Alongside the cyber stress test, Mackinnon said that every two years the BoE runs a SimEx in partnership with industry – like the one the regulator is planning with the G7.
“Our most recent SimEx was last November which looked at how we as the bank and the PRA would respond to a UK-based global bank being operationally paralysed by a complete IT failure across all its systems.
“We considered how we would respond and how we would work with authorities like Treasury, the FCA etc and the sector.”
According to the regulator, this SimEx was large-scale, with over 1,000 people from 40 different firms working through a response over a two-day period.
Another part of the PRA’s testing kit is CBEST, a threat-led penetration testing framework it has developed. It combines a simulated cyber attack, carried out with the support of ethical hacking teams, with the latest threat intelligence to test participating firms’ defensive and detection capabilities.
Mackinnon commented: “It’s a large and intensive exercise that tests a range of vulnerabilities, including in relation to data confidentiality, integrity and availability. We’ve just run through the second cycle of the CBEST testing process, which had within it 14 of the UK’s largest financial service firms,” he revealed.
“Each time we do a CBEST cycle we publish the thematic findings of these exercises so that all firms can consider what implications there are for their own cyber security resilience.”