Cyber Resilience Simon Onyons Financial Stability – Resilience Team
Background: What is Cyber Risk?
What are cyber risks? The risk of attacks carried out on firms’ IT infrastructure to defraud or disrupt their operations through the exploitation of weaknesses and/or the transmission of viruses and malicious software (malware) via the internet or e-mail.
The majority of attacks target the external-facing technology infrastructure, which puts regulated entities’ internet-facing IT systems at higher risk of cyber attack.
There remains a significant risk from the ‘insider attack’.
The FCA recognise that the growing cyber risk presents a significant threat to our strategic and operational objectives, and we are working to leverage the work being undertaken in response to a recommendation from the UK Financial Policy Committee to discharge our own regulatory obligations.
Conduct Regulation and Cyber
Consumer impact – service availability
Market integrity – data corruption or manipulation
Competition – theft of data: M&A, new products, personal data
Cyber – Coordination with other bodies
UK Government and cyber agencies: BIS, Cabinet Office, GCHQ, National Crime Agency, CERT UK, CPNI
Government cyber initiatives: UK Cyber Strategy, BIS 10 Steps to Cyber Security, Cyber Essentials Scheme
Recommendations: Her Majesty's Treasury (HMT), BoE FPC (Bank of England Committee), FCA MID
Industry and regulator groups: CMORG*, Directors Sub Group, PRA, PSR, Resilience and Cyber Sub Groups
* Cross Markets Operational Resilience Group
UK regulatory cyber work to date
“HM Treasury, working with the relevant Government agencies, the PRA, the Bank’s financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack.”
36 in-scope firms identified as the “core of the UK financial system”, predominantly Critical National Infrastructure including retail banking, investment banking, insurance, exchanges and clearing houses.
Objectives:
Enhance understanding of the finance sector threat
Improve the sharing of information
Strengthen work to assess the sector’s current resilience to cyber attack
Develop plans to test sector resilience
Develop Testing Plans – “CBEST”
Diagnostic tool developed by the Bank of England, the FCA and wider industry to support the FPC’s cyber recommendation.
CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests.
The tests replicate the behaviours of threat actors assessed by Government and commercial intelligence providers as posing a genuine threat to financial institutions.
Requires interaction with the regulators from the outset: it aims to provide a transparent testing and reporting mechanism so that the regulators and the regulated can collectively improve their understanding of the threats the system faces and the extent to which the UK financial sector is vulnerable to those threats.
CBEST is VOLUNTARY, not mandated. Currently available only to the 36 firms in scope under the FPC recommendation.
Develop Testing Plans – “CBEST” (continued)
Leverage official sector and commercial intelligence on the most likely systemic threats, e.g. state sponsored
Go beyond the BIS 10 Steps to include sophisticated and persistent attack types
Test cyber resilience in key firms and FMIs
Provide a holistic assessment of people, process and technology
Mimic the tactics, techniques and procedures of threat actors identified through intelligence gathering
Deliver a sector-wide assessment of resilience (and vulnerability) in the face of these threats
Understanding the Threat
[Figure: Bank of England threat matrix plotting attack types by attack complexity (up to 0-day) against defence maturity (Low, BIS 10 Steps, Medium, High, Very high), with the FPC in-scope region and out-of-scope attacks (e.g. acts of war) marked. Threat actors shown: nation state / sponsored actor, nation state / espionage, organised crime, hacktivists. Attack types shown: volumetric network attacks, application layer volumetric attacks, website defacement, online banking fraud, data exfiltration and espionage, corporate staff information and PC compromise, data deletion, data corruption, system unavailability, network unavailability. Numbered key of impacts, grouped under customer impact and system impact: operational disruption, loss of IP, web services unavailable, disclosed staff credentials and data theft, market sensitive data, loss of data, financial loss, lower confidence in accuracy of information, disclosure of customer data, brand impact. Source: Bank of England.]
What have UK Authorities found?
High level findings, following a comprehensive thematic assessment by the FCA and the Bank of England, are:
Cyber undermines existing operational resilience arrangements.
Testing of cyber for people, processes and technology is still immature.
Business engagement, strategic planning and influencing for cyber vary widely.
Firm scale and resources impact effective risk management.
Articulating target states of cyber maturity is a challenge.
Cyber investment is technology centric.
There is generally a low capability to effectively detect cyber attacks and identify threats.
Oversight of third party suppliers and the supply chain is immature.
Challenge from the third line of defence is limited.
What do the UK regulators want to see?
Cyber governance arrangements (mission, vision, strategy, leadership)
Understanding of dependence on technology systems and communication networks
Identification, assessment and mitigation of relevant cyber-security risks
Threat intelligence capabilities
Cyber-security incident management capabilities
Resilience measures to ensure availability of critical processes
Measures to prevent, detect and minimise social engineering attacks
Independent assurance to assess the adequacy of cyber-security measures
Lifecycle: LEAD, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER, LEARN
QUESTIONS?