Cyber Resilience
Simon Onyons
Financial Stability – Resilience Team
What is Cyber Risk?
The risk of attacks carried out on firms' IT infrastructure to defraud or disrupt their operations, through the exploitation of weaknesses and/or the transmission of viruses and other malicious software (malware) via the internet or e-mail.
Background
The majority of attacks target the external-facing technology infrastructure, which puts regulated entities' internet-facing IT systems at higher risk of cyber attack. There remains a significant risk from the 'insider attack'.
The FCA recognises that the growing cyber risk presents a significant threat to our strategic and operational objectives, and we are working to leverage the work being undertaken in response to a recommendation from the UK Financial Policy Committee in order to discharge our own regulatory obligations.
Conduct Regulation and Cyber
• Consumer Impact – Service Availability
• Market Integrity - Data corruption or manipulation
• Competition - Theft of data; M&A, new products, personal data
Cyber – Coordination with other bodies
UK Government and cyber agencies: BIS, Cabinet Office, GCHQ, National Crime Agency, CERT UK, CPNI
Government cyber initiatives: UK Cyber Strategy, BIS 10 Steps to Cyber Security, Cyber Essentials Scheme
Her Majesty's Treasury (HMT) – recommendations to the Bank of England (BoE): PRA, FPC (Bank of England committee), MID
Recommendations flow on to the FCA and the PSR
CMORG* – Directors Sub Group; Resilience and Cyber Sub Groups
* Cross Markets Operational Resilience Group
UK regulatory cyber work to date
"HM Treasury, working with the relevant Government agencies, the PRA, the Bank's financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack."
• 36 in-scope firms identified as the "core of the UK financial system". Predominantly Critical National Infrastructure, including Retail Banking, Investment Banking, Insurance, Exchanges and Clearing Houses
• Objectives:
  • Enhance understanding of the finance sector threat
  • Improve the sharing of information
  • Strengthen work to assess the sector's current resilience to cyber attack
  • Develop plans to test sector resilience
Develop Testing Plans – "CBEST"
• Diagnostic tool developed by the Bank of England, the FCA and wider industry to support the FPC's cyber recommendation
• CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests
• The tests replicate the behaviours of threat actors assessed by Government and commercial intelligence providers as posing a genuine threat to financial institutions
• Requires interaction with the regulators from the outset – it aims to provide a transparent testing and reporting mechanism so that the regulators and the regulated can collectively improve their understanding of the threats the system faces and the extent to which the UK financial sector is vulnerable to those threats
• CBEST is VOLUNTARY – not mandated. Currently available only to the 36 firms in scope under the FPC recommendation
Develop Testing Plans – "CBEST" (continued)
• Leverage official-sector and commercial intelligence on the most likely systemic threats, e.g. state sponsored
• Going beyond the BIS 10 Steps to include sophisticated and persistent attack types
• Testing of cyber resilience in key firms and FMIs
• Will provide a holistic assessment of people, process and technology
• Will mimic the tactics, techniques and procedures of threat actors identified through intelligence gathering
• Deliver a sector-wide assessment of resilience (and vulnerability) in the face of these threats
Understanding the Threat
[Chart: threat matrix (Source: Bank of England). Axes: Attack Complexity (Low, Medium, High, Very high, Neg-day) against Defence maturity, with bands for BIS 10 Steps, FPC in scope, and Out-of-scope (e.g. acts of war).
Attack types plotted: Network unavailability; Online banking fraud; Data deletion; Data corruption; System unavailability; 0-day; Data exfiltration & Espionage; Data exfiltration; Application layer volumetric attacks; Volumetric network attacks; Website defacement; Corporate staff information and PC compromise.
Threat actors: Organised Crime; Hacktivists; Nation state / Espionage; Nation state / Sponsored actor.
Impacts (numbered 1–10 on the chart, grouped into Customer impact and System impact): 1 Operational disruption; 4 Loss of IP; 5 Market sensitive data; 6 Disclosure of customer data; 8 Financial loss; 9 Brand impact; also Loss of data; Lower confidence in accuracy of information; Web services unavailable; Disclosed staff credentials and data theft.]
What have UK Authorities found?
High-level findings, following a comprehensive thematic assessment by the FCA and the Bank of England, are:
• Cyber undermines existing operational resilience arrangements.
• Testing of cyber for people, processes and technology is still immature.
• Business engagement, strategic planning and influencing for cyber vary widely.
• Firm scale and resources impact effective risk management.
What have UK Authorities found? (continued)
• Articulating target states of cyber maturity is a challenge.
• Cyber investment is technology-centric.
• There is generally a low capability to effectively detect cyber attacks and identify threats.
• Oversight of third-party suppliers and the supply chain is immature.
• Challenge from the third line of defence is limited.
What do the UK regulators want to see?
• Cyber governance arrangements (Mission, Vision, Strategy, Leadership)
• Understanding of dependence on technology systems and communication networks
• Identification, assessment and mitigation of relevant cyber-security risks
• Threat intelligence capabilities
• Cyber-security incident management capabilities
• Resilience measures to ensure availability of critical processes
• Measures to prevent, detect and minimise social engineering attacks
• Independent assurance to assess the adequacy of cyber-security measures
[Diagram: LEAD, spanning the lifecycle IDENTIFY – PROTECT – DETECT – RESPOND – RECOVER – LEARN]
QUESTIONS?