Alongside its stress test results, the Bank of England (BoE) has released its Financial Stability Report, which contains a chapter on cyber risk facing the UK in the financial sector.
Fear of the knock-on effect
Given the strategic importance of the financial sector, the BoE report says that it is not just concerned about the firms and individuals who are directly hit by cyber attacks, but that "a serious attack directly disrupts the critical economy functions performed by the financial sector".
It cites the 2013 attack on Korean ATMs and mobile banking as examples.
A change in approach to cyber risk
Given this strategic importance, the report says that the cyber risk should not just be regarded as a "narrow ‘technology’ issue" for banks, but should instead be seen as a "strategic priority". The BoE urges firms to "build their resilience" to cyber attacks, become able to recover quickly if they are attacked, and "ensure effective governance".
CBEST testing
Then number of firms that have completed CBEST testing of core vulnerabilities has gone up from 5 in the July report to 10 now. Other banks are undergoing the process too. Nine are at the penultimate stage, threat intelligence and testing, while 12 are at the second phase, called scoping , and four are at the first stage, called pre-scoping.
Awareness is growing
Awareness and concern about cyber risks is growing in the sector. 45% of those who responded to the BoE Systemic Risk Survey now highlight cyber risk as "key concern".
This is up 15% from the first half of this year, and up from just 10% in H1 2014. 2015 is the only year since the comparison started in 2012 that concern about cyber attacks has outweighed concern about other operational risks. Concern about other operational risks was under a quarter in H2 this year.
Work ongoing until next Summer
This report is part of an ongoing process into improving the way the financial sector deals with cyber security. BoE, alongside the Financial Conduct Authority and the Treasury are reviewing the list of core firms that are critical to financial stability, defining a clear set of capabilities that will improve cyber resilience, and developing co-operation with authorities in other countries to tackle cyber risks.
The July 2015 set out these criterion, and the BoE Financial Policy Committee will receive a report on this by the Summer of 206.