BreachExchange mailing list archives

Cyber-attacks threaten resilience in the financial sector


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 6 Jul 2015 18:21:01 -0600

http://www.scmagazineuk.com/boe-cyber-attacks-threaten-resilience-in-the-financial-sector/article/424713/

The Bank of England's latest Financial Stability Report (FSR), issued on
July 1, cites cyber-risk (pages 31–33) as an area of increasing concern
with increasingly frequent cyber-attacks potentially causing disruption to
the banking system.

It calls on defence measures to go beyond technology, for reaction plans to
be drawn up and advocates the use of CBEST to identify vulnerabilities,
whilst also adding that improved governance and risk management are needed
to implement these measures in order to improve resilience.

The report notes how a UK government survey this year found that 90 percent
of large businesses across all sectors had experienced a malicious IT
security breach in the previous year.  Respondents to the Bank's Systemic
Risk Survey put cyber-risk as a key concern over the past two years, and
the World Economic Forum has identified large-scale cyber-attacks as one of
the high-impact risks most likely to crystallise over the next ten years.

The report notes how defensive capability should focus on IT and non-IT
vulnerabilities, saying: "A common failing was viewing cyber-risk as a
purely 'technological' issue, without recognising that people matter as
much as technology."

Under-investment in companies' ability to detect cyber-attack was seen as
creating a risk that firms react to attacks too slowly, or misdiagnose
incidents of disruption as internal IT failures rather than deliberate
attacks. Defensive capabilities also need to extend to the suppliers and
infrastructure that the financial system relies on, hence the need for
thorough due diligence on third-party suppliers.

Because data corruption from cyber-attacks can spread between connected
systems, the report advises segregation between primary and backup systems,
unlike in other business continuity threats, where building immediate
system backup capacity entails closely connected backup systems for rapid
resumption of services.

Strong governance is called for at the most senior levels of banks to build
capability in defensive resilience and enable recovery across technology
and personnel. Accordingly, the independent Financial Policy Committee
(FPC) called for regulators to establish a regular assessment of the
resilience to cyber-attack of firms at the core of the financial system.
It says this should include penetration testing, with CBEST tests becoming
one component of regular cyber-resilience assessment within the UK
financial system, alongside the adoption of individual cyber-resilience
action plans. Ways of managing this risk must evolve in line with the
nature of the threat. As well as building defensive resilience to threats,
firms must build the capability to recover quickly from cyber-attack,
given the inevitability that attacks will occur.

Evolving defensive resilience and recovery across the financial system is
to be looked at further, particularly at firms providing critical services
to the financial system, including via international co-operation, with a
report on progress to be published by summer 2016.