Too many UK financial services organizations still view online threats as a ‘technical’ rather than a board-level issue, according to a new report from the Bank of England.
The BoE’s December 2014 Financial Stability Report, launched this week, reported on progress made since previous recommendations.
It had this to say of the June 2013 recommendations it made for the government to work with the financial services sector more closely to “put in place a program of work to improve and test resilience to cyber attack”:
“The FPC received an update on work by HM Treasury, the Bank and regulators to enhance cyber resilience. All core firms and financial market infrastructures have submitted a self-assessment on cyber resilience, and these have been reviewed by the regulators. Although these assessments have not revealed any critical shortcomings at this stage, regulators have noted some areas for improvement, including a tendency among firms to view cyber threats as a ‘technical’ problem — rather than as an issue which merits board-level attention given the evolving nature of cyber threats and the key importance of cyber resilience to continuity of financial services. Supervisors are working with firms to agree timetables for remediation.”
The BoE is hoping these self-assessments, alongside tests developed according to the new CBEST framework launched earlier this year, will help “form the basis for specific and concrete action plans for firms.”
It urged core “firms and financial market infrastructures” to conduct CBEST tests as quickly as possible to improve resilience, and said it would be reviewing progress in Q2 2015.
The report highlighted the continued cyber risks facing financial institutions, citing an attack on a large US bank in August in which attackers stole information on over 80 million customers.
“A significant proportion of respondents to the Bank of England’s 2014 H2 Systemic Risk Survey cited operational risks from cyber attack as a key risk to UK financial stability,” it added.
“While that was lower than during 2014 H1, the proportion of respondents that highlighted risks from terrorism, including cyber terrorism, rose markedly.”
Chris McIntosh, CEO of security and comms firm ViaSat UK, argued that given the “growing range of technologies and techniques” in the attackers’ arsenal, regulators are right to push for greater resilience among financial institutions.
“Organizations should look at their entire IT network, physical infrastructure and personnel to ensure that any obvious weak points are eliminated. Any visible vulnerability, no matter how apparently minor, will be the equivalent of a ‘Kick Me’ sign for potential attackers,” he told Infosecurity.
“Organizations should always assume that the network has been penetrated; and ensure that potential damage is minimized. For instance, the company should be able to detect any potential intrusion and ensure that all sensitive data is encrypted so that, even if an attacker makes off with the contents of an entire database, it will be useless to them.”