Although recent headlines have focused on the familiar topics of falling bank profits and questionable tax avoidance practices in the financial services sector, major financial institutions should view the danger posed by cyber attackers as one of the most acute risks that they face. In the “Threats to the Financial Services Sector” supplement to its 2014 Global Economic Crime Survey, PwC observes that financial services organisations believe that cyber crime is becoming a greater threat than ever before. But the supplement also notes an alarming tendency among executive management to bury their heads in the sand, as many organisations don’t believe that a cyber attack will actually happen to them.
Financial institutions can’t afford to ignore the cyber risk. The latest Cost of Data Breach Study by the Ponemon Institute reveals that cyber attacks have a greater cost impact on organisations in heavily-regulated industries – including financial services. Financial services organisations also appear to experience relatively high abnormal customer churn following a data breach. The cyber attack on JP Morgan Chase last year, when personal information from 76 million households and 7 million businesses was compromised, was a sharp reminder of the scale of the risk.
How are the UK regulators responding to these threats?
PwC’s report comments that regulators around the world are waking up to the fact that cyber crime poses systemic danger to the financial services sector. The UK government in particular is attempting to increase business awareness of cyber security risks, including by working on sector-specific initiatives. In the financial services sector, the Bank of England has taken the lead. In November 2013, it coordinated the “Waking Shark II” exercise with HM Treasury and the Financial Conduct Authority. This involved bombarding London’s financial firms with announcements and scenarios relating to fictional cyber attacks and assessing how they responded.
The Bank of England has also been working on targeted methods of assessing and improving the cyber security credentials of the UK’s financial institutions. In June 2013, the Bank’s Financial Policy Committee recommended that the UK’s main financial authorities (including the Treasury, the Bank, the Prudential Regulation Authority and the FCA) cooperate with key players in the UK’s financial system to establish a programme to enhance and test cyber resilience. The result was “CBEST”, a new framework for testing cyber security vulnerabilities, and the first of its kind to be led by a central bank. CBEST was announced to industry in May 2014 and then launched publicly in June 2014.
What is CBEST?
CBEST is a testing framework that is designed to help major financial organisations and their regulators understand the types of cyber attack that could threaten the UK’s financial stability, the UK’s level of vulnerability and the effectiveness of the detection and response measures that are being used. It reflects a shift in focus from preventing attacks entirely to improving organisations’ resilience and ability to bounce back after suffering an attack.
Andrew Gracie, the Bank of England’s executive director for resolution, recognised this change in his speech launching CBEST. He observed that “cyber defence … has become not a matter of designing a hard perimeter that can repel attacks but detecting where networks have been penetrated and responding effectively where this occurs”. CBEST responds to this need by bringing together advanced threat intelligence, tailored for individual firms and delivered in live tests under a controlled environment. The output “should provide a direct readout on a firm’s capability to withstand cyber-attacks”.
All firms that undertake CBEST will be required to complete a set of key performance indicators (KPIs), which cover both threat intelligence and penetration testing. The KPIs will be used to provide a cyber security assessment to the firm once its CBEST programme is complete. The Bank of England’s Sector Cyber Team will also use them to improve its understanding of the financial sector’s cyber security capability.
Detailed information on carrying out a CBEST programme is available here. Among other things, this covers the process for instigating a CBEST test, choosing a suitable CBEST supplier, planning and scoping the project, CBEST execution, reporting and review.
How does CBEST differ from standard penetration testing?
CBEST is designed to fill a perceived gap in existing penetration testing practices. The financial services sector has traditionally resisted testing its critical assets against simulated attacks because of the risk such testing is seen to pose to live operations. CBEST addresses this by establishing a detailed risk and control framework, which covers the scope of the test, the actions to be taken and liability. Penetration testers involved in CBEST must gain enhanced qualifications that are designed to reduce the risk of damage to live systems. The firm undergoing the test remains in control and can request a temporary halt at any stage if it has concerns over damage or potential damage to a system.
The penetration testing industry has previously suffered from limited access to specific, up-to-date threat information. In contrast, the CBEST programme is “intelligence-led” – meaning that it channels intelligence directly from government and commercial intelligence providers. This should allow it to focus on more sophisticated types of attack and to stay up-to-date. CBEST aims to deliver this intelligence to organisations through a bespoke testing programme. For each firm, the test is built around the key potential attackers for that firm and the attack types they would deploy. This goes further than most current penetration testing.
What’s the future for CBEST?
As of February 2015, CBEST has only been made available to firms which are considered to be core to the UK’s financial system. The relevant regulators are contacting those firms in relation to participation in CBEST, although the programme remains voluntary.
The Bank of England has so far been slightly cagey about how it sees CBEST being used in the future. One of the FAQs on the Bank’s CBEST website (available here) asks “What is the future of CBEST? Will it become an annual test? Do firms need to start making longer term plans to factor this into testing programmes?”. The rather elliptical response is that “It is too early to specify what role CBEST will have in the future, however, it was designed to endure, and evolve as the threat landscape evolves. Firms/FMIs [Financial Market Infrastructures] should expect to discuss further CBEST testing with their regulator”.
CBEST has been presented as part of a broader effort to boost information sharing on cyber security in the financial services sector. Much of the wider discussion around cyber security in the last couple of years has focused on increasing information sharing. This is one of the key pillars of the proposed NIS Directive, which will require the national cyber authorities in all EU member states and the European Commission to form a cooperation network to coordinate responses to cyber risks, exchange information and provide early warnings. In the UK, the Cyber-security Information Sharing Partnership (CiSP) was launched in 2013 to share cyber threat and vulnerability information between government and industry. If CBEST succeeds, it could set the standard for other sectors, both in relation to sharing advance information on threats and in coordinating post-attack efforts to respond to a major cyber attack.
What will success look like for CBEST?
Clearly CBEST is intended to be here to stay. To be successful, it will need to prove itself adaptable and flexible as the nature of the cyber security threat continues to evolve. It will also need to generate tangible benefits for firms if it is to be seen as a worthwhile investment of money and resources. CBEST could then become a benchmark for other industries as well – particularly the critical national infrastructure sectors that will be the subject of the NIS Directive when it finally comes into force.