Here is what we're working on and thinking at Hedgehog Security.

FPC/BoE Cyber Risk Update

On 1 Jul 15, the independent Financial Policy Committee (FPC) at the Bank of England released its biannual Financial Stability Report, in which the cyber risk category received an update. The BoE and associated organisations involved in the financial wellbeing of the UK are taking a holistic view of their industry, which ultimately has an effect on Britain's economy. The focus is on developing detailed, parallel and collaborative processes for negating the cyber risks that are inherent in the financial industry.

Of key interest is an emphasis on the separation between backup and recovery of primary systems. The backup system should not be readily reachable from the primary system: any direct link between them should be separated by some form of effective firewall, in order to maintain effective security between the two installations. Also emphasised is the importance of governance, through the formation of boards that can challenge and that present cyber risk as a core issue, one that is detrimental to an organisation where management attitude, resilience and recovery procedures are ill-implemented.

In June this year, the FPC replaced its Cyber Recommendation with the following:

"The FPC recommends that the Bank, the PRA and the FCA work with firms at the core of the UK financial system to ensure that they complete CBEST tests and adopt individual cyber resilience action plans…"

A key partner and strategic head of the government's process is HM Treasury, which is charged with providing processes, procedures and guidance regarding cyber resilience to government bodies and organisations within the private sector. In addition, HM Treasury takes the lead in any government response to a large-scale cyber-attack that is deemed detrimental to the financial industry in Britain.

Over the last two years, organisations associated with the financial industry have taken part in the Systemic Risk Survey, instigated by the FPC. The results have identified large-scale, internationally based cyber attacks as a major cause of concern for the next decade. However, I might suggest that such concerns are already realised, with Hollywood film studios and Western governments being the subjects of attacks from alleged foreign perpetrators in the last year or so. The former example points to an attack in which hackers may have affected an organisation's ability to make a profit from a product. A bad taste in the mouth for a Hollywood film studio, potentially catastrophic for a banking/financial institution in the UK.

Having processed the results of the Systemic Risk Survey, the FPC has identified trends in the last two years where such organisations have taken steps to mitigate the inherent risks associated with information systems by implementing resilience strategies. One such strategy is the successful collaborative "Waking Shark" and "Waking Shark II" exercises, formulated to promote cyber resilience, which led to the formulation of the aforementioned CBEST testing standard, promoted as an industry-standard, regular penetration testing procedure for the financial industry. Although not used by all financial institutions, the CBEST standard has been offered as a security testing tool to "Core" financial institutions intrinsically linked to the financial well-being of the UK, to address the collaborative nature which HM Treasury wishes to implement and promote.

It is interesting to see that a willingness to address the human element of cyber risk has been born out of this process: namely, the acknowledgement that attackers using deception to exploit an individual's lack of attention, a lapse in personal security or a lack of adherence to information security/IT protocols is a bona fide area where appropriate resilience methods are intrinsic to security.

It only takes a click to let a hacker into your system if you are not paying attention.