Bank of England unveils CBEST Cyber Security tests
New tests have been unveiled by the Bank of England aimed at strengthening the ability of financial institutions to withstand potential cyber attacks.
The CBEST testing strategy is due to be rolled out over the next few months and Andrew Gracie, executive director of resolution at the Bank of England, said the results of the tests should provide a ‘direct readout’ on a firm’s ability to withstand such attacks. He said: “Cyber presents new challenges. It is not a game against nature. Unlike other causes of operational disruption like fires and floods, we know there are agents out there – criminals, terrorist organisations or state sponsored actors – that have the will, if not necessarily the means, to attack the system. Motivations vary. More often than not they are economic – to defraud banks or their customers or to extract information.”
Experts claim network security is one of the main areas where financial institutions could come under attack. Mr Gracie warned that the ability of cyber criminals to mount attacks was likely to become more and more advanced as technology becomes increasingly sophisticated. He also said the nature of online based attacks now knew ‘no boundaries’.
He said: “We have seen cases where the motivation is to damage the system, either to destroy data or cause non-availability of systems or both. “The capabilities of these actors, and thus the nature of the threat, are rapidly evolving – barriers to entry are low in cyber space and attacks are readily scalable. Low level attacks are now not isolated events but continuous. Unlike physical attacks that are localised, these attacks are international and know no boundaries.”
Earlier this year the central bank published findings from the Walking Shark II cyber security exercise. The report found the need for further improvement in some areas, including the need to create a single body to manage such communications during a hacking incident or other major breach.
It is now expected that the new cyber tests will be adopted by financial industry institutions, but it is doubtful the results will be released into the public domain.