
BoE to launch ‘cyber stress tests’

Firms will be expected to demonstrate they can recover from a breach within an agreed timescale


The Bank of England (BoE) is moving from testing financial firms’ cyber resilience to assessing their ability to recover from a breach, unveiling a set of “cyber stress tests”.

The financial policy committee (FPC) is developing a set of standards for how quickly it expects different types of financial firms to recover following a cyber breach. Banks, payment systems and central counterparties are likely to be held to different standards, according to the systemic disruption an attack would cause.

Governor Mark Carney said during a press conference today (June 27) the BoE had completed a round of resilience testing for the UK’s largest firms and now wanted to “change the question” it asks of firms – “not how strong are your cyber defences, just assume you get taken out, what do you do?”.

“Working with others, especially the National Cyber Security Centre, the bank will test that firms would be able to meet the FPC’s standards for recovering services,” the BoE says in today’s financial stability report.

Jon Cunliffe, deputy governor for financial stability, said the stress tests would be “severe but plausible”, echoing the language used when describing standard bank stress tests.

He gave an example that the BoE might stress a firm by corrupting a section of its data, allowing supervisors to assess the firm’s backup options, whether it can restore data integrity, and how long it takes. If the firm’s recovery is slower than the tolerance periods the FPC is designing, supervisors will work with it on remedial action.
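The scenario Cunliffe sketches (corrupt a slice of data, then see whether the firm can prove it has restored integrity and how long that takes) can be rehearsed on a small scale. The following is an added example written for this article, not Bank of England or FPC tooling: a hypothetical ledger of a few records, a SHA-256 manifest taken at a known-good point and kept apart from the live data (an assumption), an off-line backup, and a recovery routine that verifies every restored record against the manifest rather than trusting the backup blindly, then reports elapsed time against a tolerance. The record names, balances and the 60-second tolerance are constructed for illustration.

```python
"""Added example: rehearsing a data-corruption recovery test.

Not code from the article or from the Bank of England. Names, sample
records and the tolerance value are constructed for illustration.
"""
import hashlib
import time
from dataclasses import dataclass


def digest(data: bytes) -> str:
    """SHA-256 hex digest of one record's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(records: dict[str, bytes]) -> dict[str, str]:
    """Snapshot a digest per record at a known-good point.

    Assumption: the manifest is stored somewhere the attacker who can
    corrupt live data cannot also rewrite (e.g. a write-once store).
    """
    return {key: digest(value) for key, value in records.items()}


def find_corrupted(records: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Keys whose live content no longer matches the manifest, or are missing."""
    bad = []
    for key, expected in manifest.items():
        if key not in records or digest(records[key]) != expected:
            bad.append(key)
    return sorted(bad)


def restore_from_backup(records: dict[str, bytes], backup: dict[str, bytes],
                        keys: list[str], manifest: dict[str, str]) -> list[str]:
    """Restore the given keys from backup, verifying each copy first.

    A backup record that is absent or whose digest does not match the
    manifest is refused; such keys are returned as unrecoverable.
    """
    unrecoverable = []
    for key in keys:
        candidate = backup.get(key)
        if candidate is None or digest(candidate) != manifest[key]:
            unrecoverable.append(key)
            continue
        records[key] = candidate
    return unrecoverable


@dataclass
class RecoveryResult:
    corrupted: list[str]        # what the integrity check found
    unrecoverable: list[str]    # what could not be restored cleanly
    elapsed_seconds: float
    tolerance_seconds: float

    @property
    def passed(self) -> bool:
        """The firm passes only if integrity is fully restored within tolerance."""
        return not self.unrecoverable and self.elapsed_seconds <= self.tolerance_seconds


def run_stress_test(records: dict[str, bytes], backup: dict[str, bytes],
                    manifest: dict[str, str], tolerance_seconds: float,
                    clock=time.monotonic) -> RecoveryResult:
    """Detect, restore, re-verify, and time the whole recovery.

    `clock` is injectable so the timing path can be exercised deterministically.
    """
    start = clock()
    corrupted = find_corrupted(records, manifest)
    unrecoverable = restore_from_backup(records, backup, corrupted, manifest)
    # Integrity is judged against the manifest after the restore, not by
    # assuming the restore succeeded.
    still_bad = find_corrupted(records, manifest)
    elapsed = clock() - start
    return RecoveryResult(corrupted, sorted(set(unrecoverable) | set(still_bad)),
                          elapsed, tolerance_seconds)


def demo() -> RecoveryResult:
    """Constructed scenario: two live records damaged, one backup record also damaged."""
    live = {"acct-001": b"balance=100", "acct-002": b"balance=250", "acct-003": b"balance=75"}
    manifest = build_manifest(live)
    backup = dict(live)                     # off-line copy from the same good point
    live["acct-002"] = b"balance=999999"    # silent modification
    del live["acct-003"]                    # outright deletion
    backup["acct-003"] = b"balance=0"       # backup for one record is also bad
    return run_stress_test(live, backup, manifest, tolerance_seconds=60)


if __name__ == "__main__":
    result = demo()
    print(result, "PASS" if result.passed else "FAIL")
```

The point the demo makes is the one supervisors would look for: a restore that copies a corrupted backup back into place without checking it would report success while integrity is still broken, so verification against an independent record has to be part of the recovery procedure, and the clock stops only once that verification is clean.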

“Consistent with the FPC’s responsibility to mitigate systemic risk, it will set a tolerance at the point after which it judges disruption would begin to cause material economic impact,” the report says.

Progress

Carney said there had been progress on UK firms’ cyber defences. The issue has climbed the list of supervisory priorities in recent years following a spate of high-profile breaches.

Carney said the BoE’s first step had been to establish a clearer governance structure in firms. He said this had “sharpened the mind” as to the steps needed to ensure a firm’s cyber resilience.

Second, the BoE has been conducting penetration testing to assess firms’ resilience. The BoE had moved from a “centrally designed” test to a “spot” test known as CBEST, the governor said.

The CBEST tests are carried out by specialist penetration testing companies “with an attack team that mimics the actions of skilled cyber attackers”, the BoE’s website explains. “Their aim is to penetrate defences and make their way, silently and stealthily, towards critical assets to a position where they could steal, corrupt or destroy their target.”
