Banks stepping up cyber security – what CBEST means for the industry and its customers

By Dr. Guy Bunker @guybunker

Following a summit held on Tuesday, hosted by the British Bankers’ Association, the Bank of England announced a new framework to spot and test possible weak points at lenders in order to combat the growing problem of cyber hacking. By making cyber security the main industry issue for discussion, the BBA brought cyber security issues to the forefront of the economy and out of the recesses of IT departments.

CBEST, the new framework, will use information from government and vetted commercial sources to identify potential attackers, the Bank said in a statement. The framework then replicates the techniques used by hackers to devise a test to see how successful an attack on a company might be and whether the company is resilient enough to resist it. Some might argue that this is ‘closing the stable door after the horse has bolted’, and that more should be done to look at innovative ways to carry out an attack, but it’s good to start with the known vectors and have them covered before moving on to more creative routes.

This is not just a specialist issue; it’s essential for our economy that banks reinforce their cyber security measures. A company is valued on its ability to handle all manner of risks, and that includes cyber risks – a message that was reinforced at the summit earlier this week by Andrew Wingfield, a financial services lawyer at King & Wood Mallesons SJ Berwin: “The UK's ability to deal with such attacks will determine how it is viewed globally in terms of investment and its position as a worldwide leader in financial services”.

This echoes Heath’s words in his blog earlier in May on the importance of cyber security in mergers and acquisitions: “Cyber security breaches can lead to devastating losses for companies across all sectors – both reputational and financially: from loss of valuable data during an M&A, to loss of clients (through fear of cyber security risks) as well as the potential for large fines from the ICO for failure to adhere to data protection regulation; all factors that can have a serious and direct impact on the company’s future and valuation”.

The inclusion of cyber security, and the consequential major changes, reinforces the fact that cyber security is not just a matter for technology specialists; it’s an important issue and should be embraced by all involved.

With banks so integral to the economy, and cyber-attacks one of the biggest risks, this announcement is a welcome follow-up to the banks’ security reinforcement plan. In December, Royal Bank of Scotland said its platform was briefly attacked by hackers, causing problems for customers trying to get access to their accounts. As I mentioned in my comment to SC Magazine about Operation Waking Shark 2, the importance of the value chain is paramount.

This summit is a welcome example of cyber security being brought to board-level discussion. Organisations can no longer afford to siphon cyber policies: the risks are constantly evolving and affect the dynamics of communication between financial institutions and organisations. Sharing of critical information is often integral to business, but if we can’t ensure that we have 100% control over and 100% visibility of this data at all times, then we’re raising the white flag already.

For those not in the financial services industry, there is also merit in looking at how cyber-attacks would affect you. While running a full-blown cyber-attack scenario, as per Waking Shark 2, may not be practical, thinking about it and having cyber as part of a disaster recovery / business continuity programme may well be. In most cases, thinking through a scenario and figuring out things like the response team and initial actions goes 80% of the way to a full simulated attack. There are plenty of examples in the press, whether malicious insiders, external hacks or even distributed denial of service (DDoS) attacks, that can be used as input to the process.

Unfortunately, this is not a question of ‘if’ but ‘when’, something the British Bankers’ Association now acknowledges and expects its members to acknowledge as well.