In previous blogs, we have commented on the threat that cyber risk poses to the financial services sector and the potentially drastic consequences of a cyber-attack for all participants.

Last week the Bank of England (BoE) published its high-level findings following the financial sector cyber simulation exercise that took place in November 2018 (known as SIMEX 2018). SIMEX 2018 tested the response of 29 systemically important firms and financial market infrastructures to a severe cyber-attack scenario targeting the sector. SIMEX 2018 simulated multi-day disruption to markets and firm operations connected with the protracted operational outage of a global systemically important bank.

The BoE found that:

  • Opportunities to improve the way firms coordinate – participants agreed that impacts and responses were coordinated and discussed effectively at a strategic level but that improvements could be made at an operational level. The sector response framework will be reviewed to ensure that the sector can communicate and coordinate at an operational level during a crisis and the Finance Sector Cyber Collaboration Centre will also be integrated into the response framework;
  • Disparity in risk tolerance for suspending services – there were significant variations in participants’ willingness to suspend services. It is recognised that these differences may have significant knock-on effects and therefore future work will focus on the production of industry guidelines/good practice for managing controlled suspension of services and system integrity issues;
  • Restoration of data and recovering services – the different ways in which data is stored by individual participants constrains their ability to support another operationally paralysed firm. Further work will be undertaken to scope the technical and data requirements for providing services through alternative channels. This will be followed by a strategy paper and playbook to support coordination of this contingency during a live incident;
  • Communication practices – work is to be undertaken on good incident communications practices and consistent definition and use of terminology.

The BoE concludes the report by stating that the financial authorities, in partnership with firms, have started to act on the recommendations set out in the report and that this work will continue into 2020.