Britain's banks must do more to protect themselves from cyber attacks, says the Bank of England, following an analysis of the perimeter defences and operational resilience of 36 of the nation's top financial service providers.
The Bank is currently discussing the results of self-assessment questionnaires sent out to thirty-six firms that make up the ‘core’ of the UK financial system. This includes the largest UK and foreign banks active in London and the key payment and settlement systems, clearing houses and exchanges.
Speaking at a cyber defence and network conference, Andrew Gracie, an executive director of the BofE, said that overall the responses did not reveal any immediate "critical shortcomings" in the cyber resilience of the firms involved.
"But they did point to areas for improvement that we will be following up on with firms," he told the conference.
Existing operational resilience arrangements are often geared to dealing with physical threats, says Gracie, but cyber warfare has changed the rules of engagement.
"Given the importance of these firms to the stability of the financial system, this implies a level of resilience that goes beyond basic cyber hygiene but aims instead to ensure that firms are in a position to manage Advanced Persistent Threats (APT) that are the hallmark of some state-sponsored attackers."
To meet the challenges, banks need to adopt a more rigorous approach to infrastructure testing and ensure that all parts of the organisation understand the importance of good cyber security practices. "Cyber is not a minority sport for technologists only," notes Gracie.
The central bank is encouraging all firms in the sector to take part in the CBEST testing programme, which exposes banks to a series of tailored simulated attacks that mimic real-world threats.
Says Gracie: "By going through this process, firms will not only understand where their vulnerabilities lie, but also which threats should cause them most concern and what steps they should take to combat them."