Picture: Andrew Gracie, Executive Director of the Resolution Directorate at the Bank of England
Cyber security was on the agenda even before the attacks on Sony and on a nuclear power plant operator in South Korea, but those attacks have served to highlight the dangers. The attackers' objectives were to steal data and to disrupt operations, threats that apply equally to the Bank of England's area of concern, the financial and banking sector.
This was the message from Andrew Gracie, Executive Director of the Resolution Directorate at the Bank of England, one of the speakers at the recent Cyber Defence & Network Security conference in London.
While organisations may have business continuity plans in place, these may not work in the case of a cyber attack because of the interconnectedness of systems. Business continuity plans usually rely upon a secondary site to which the business can decamp in the event of a catastrophic physical event, but that site is usually connected to, and mirrors, the very same computer systems that would be under attack in a cyber incident, so the attack simply follows the business to the fallback site.
The approach to defending against a cyber attack must rely instead upon detection and mitigation.
This is a high priority for the Bank of England, Gracie said, because IT systems are key to the banking industry. The Bank's objective is to maintain the stability of the financial sector, and its strategy, as recommended by the Financial Policy Committee in 2013, is therefore to focus on the key players in the industry, considered to be 36 organisations.
The emphasis has been to assess the vulnerability of the sector to cyber attack which the Bank has been doing in two ways:
- A cross sector review of risk management practices with regard to cyber, and
- Vulnerability testing via the CBEST Vulnerability Testing Framework
The first step was issuing a questionnaire to the financial firms, a self-assessment of how they organise their cyber defences. The results of this survey helped to set a benchmark for cyber resilience.
With the aim of ensuring the resilience of the financial sector as a whole, the Bank's concerns went beyond basic cyber hygiene to ensuring that the sector could deal with advanced persistent threats (APTs), the hallmark of some state-sponsored attackers.
While the survey didn’t identify any pressing concerns, it did raise some issues for discussion and revealed some common themes across the firms surveyed.
Firstly, cyber has changed the rules for security. Compared to physical threats, cyber attacks are highly adaptable, dynamic and intelligent, and without situational awareness beyond the perimeter of your own organisation it is difficult to anticipate and defend against them. It is therefore important that organisations share information about the threat environment and have plans for working together.
Secondly, cyber is no longer the domain of techies alone. While technology is important, people and processes arguably matter more, because carelessness by staff, together with the malicious insider, poses the greatest threat to organisations.
Thirdly, cyber defence requires regular testing of people, processes and technology. The testing has to keep pace with developments in the organisation, so occasional audits and sample testing are not enough.
Gracie reiterated his earlier point about using the CBEST vulnerability testing framework to provide firms and the Bank of England with a robust assessment of vulnerabilities and of the steps to take.
The biggest threat to the banking system is attacks that result in the loss of access to key systems, he said, followed closely by the loss of sensitive data. The Bank has worked closely with financial firms to understand how a cyber attack on one component would ripple throughout the system. In the event of a cyber attack, it will prioritise its efforts on protecting the systems it has identified as most critical, even at the cost of losing lesser systems.
There is a role for government in protecting the stability of the financial system in the event of a cyber attack, he said, which will require the Bank of England to work closely with the key firms to prepare for attacks.
Conference delegates also heard from Craig Balding, Group Head of Cyber Risk at Barclays Bank.
He said that cyber security was a key issue for the Barclays board of directors and that it featured on every agenda. Barclays was the first major organisation to gain the government's Cyber Essentials certification for its Digital Banking services.
However, he said that there is a lot being said about the cyber threat and that 50% of his job was simply to filter the “signal from the noise” to determine what were the most important issues and threats for his team to focus on.
So how does a bank manage its cyber risk?
Importantly, cyber risk was recognised a few years ago as being significantly different from other types of risk. There are many issues which could fall under the umbrella of cyber, he said, but it’s important to distinguish what is truly a cyber security issue and what is a different security issue.
For instance, in the case of fraud, one could say that any attempt to defraud the bank is a cyber-security problem simply because the fraudsters were using computer systems. But Balding says he would not consider it cyber fraud unless the fraudsters were attempting to commit their fraud by bypassing one of the bank's IT system controls. Likewise, if a customer is hacked, it is not necessarily a cyber-security matter for the bank, because it was not the bank's IT controls that were compromised.
Another issue is that within Barclays, there are many business units which operate semi-autonomously and the CEOs of each unit own the risk inherent in their operation. So if a unit wants to grow in a new direction that could potentially expose the Bank to new cyber risks, this has to be measured not just in terms of how it might impact that unit but the entire bank as well.
Notable trends in cyber security for Balding are:
- User complaints rise when you put more security controls in place
- Anti-fraud software is notoriously bad
- Regulators increasingly want to see you subscribing to threat analysis services
- Cyber insurance is not a requirement but regulators are effectively creating a market for it simply by asking banks whether they have it or not. Balding is sceptical about insurance because transferring risk is not always an acceptable response to the reputational risk of a cyber attack.
The key to an effective cyber policy, he said, is two-fold: raise the cost to attackers by hardening the target, and reduce your time to detect and respond to attacks.
Responding to Andrew Gracie's earlier comments, he said he is a big fan of CBEST, which models realistic threats and threat actors, and he is working to increase involvement in the CBEST programme. He added that he would be happy to cooperate with other banks in the event of an attack, saying, “We would offer help to those who need it – we don’t laugh when others are being hacked.”