Cyber resilience is now a key component of the operational resilience of UK financial markets, according to Bank of England officials.
According to Duncan McKinnon, executive director of supervisory risk at the World Bank’s Prudential Regulation Office, cyberattacks increased by 38% in 2022. “It looks like the range of affected companies and organizations is getting wider and wider,” McKinnon said.
Speaking at Infosecurity Europe 2023, McKinnon presented a case study on how UK authorities, including the Prudential Regulatory Authority (PRA), the Financial Conduct Authority (FCA) and the Bank of England itself, are building operational resilience across the sector. The goal is to protect Britain’s financial markets, businesses and customers.
McKinnon emphasized the growing risk posed by supply chains in this area, especially as attackers target cloud computing resources and managed service providers rather than financial firms themselves.
“We are looking at so-called key third-party companies across sectors that provide technology and services to financial firms whose failure would have serious consequences for UK financial services companies,” he explained.
The PRA is strengthening collaboration between cybersecurity, business continuity, disaster recovery, and incident response teams, with a focus on resilience and recovery.
Regulators want to see how financial firms will respond to attacks and the impact those attacks will have on the broader financial services ecosystem. Similar work is being done at the international level by the G7, which has its own cyber expert group.
In the UK, the main tools for improving resilience are threat intelligence sharing, better coordination between companies, regulators, banks and treasuries, and penetration testing, including CBEST.
McKinnon also emphasized the importance of regular scenario testing and incident simulations, at both the individual company level and the market level, such as the City’s regular SIMEX exercises.
McKinnon said such tests help organizations model how an attack disrupts their business and how the company recovers.
Financial services firms should have “scenario-specific strategies,” he advised. “We need to establish ways to contain intruders and stop them from invading our customers and business partners,” he said. SIMEX has modeled terrorist incidents and pandemics in the past, and now models cyberattacks.
“Every two years we run sector-wide exercises to help companies rehearse and test their strategies,” he said. “Cyber risk is a key priority for our bank and the PRA. We know people want disruption and distortion [of markets], and the trend seems to be unabated.”