Cyber-resilience is now a key component of operational resilience for the UK’s financial markets, according to a Bank of England official.
According to Duncan Mackinnon, executive director for supervisory risk at the Bank’s Prudential Regulation Authority, cyber-attacks increased by 38% in 2022. “The range of firms and organizations being impacted seems to grow broader and broader,” Mackinnon said.
Speaking at Infosecurity Europe 2023, Mackinnon presented a case study on how the UK authorities, including the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA) and the Bank of England itself, are building operational resilience across the sector. The goal is to protect the UK’s financial markets, firms and customers.
Mackinnon highlighted the increasing risks posed by the sector’s supply chain, especially as attackers target cloud computing resources or managed services providers, rather than financial firms themselves.
“We are looking at what we call critical third-party firms, beyond the sector, providing technology and services to financial firms that if they fail, the impact on UK financial services firms would be severe,” he explained.
The PRA is emphasizing resilience and recovery, with more coordination between cybersecurity, business continuity, disaster recovery and incident response teams.
Regulators want to see how financial firms will cope with an attack, and its impact on the wider financial services ecosystem. Similar work is being done at an international level by the G7, which has its own cyber expert group.
In the UK, the main tools for improving resilience are threat intelligence sharing, better coordination between firms, regulators, the Bank and the Treasury, and penetration testing including CBEST.
Mackinnon also emphasized the importance of regular scenario testing and incident simulation, both for individual firms and at a market level, such as the City’s regular SIMEX exercises.
Such testing, Mackinnon said, helps organizations model how an attack would disrupt the business and how firms would recover.
Financial services firms should have “scenario-specific playbooks,” he advised. “They need to set out how to contain intruders and stop them spreading to clients and counterparties,” he said. In the past, SIMEX has modelled terrorist incidents and pandemics; it now models cyber-attacks.
“Every two years we run sector-wide exercises to enable firms to rehearse and test their playbooks,” he said. “Cyber risks are a key priority for us at the Bank and the PRA. We know people are looking to disrupt and distort [markets] and that trend doesn’t seem to be abating.”