Bank of England Sets Up Cyber Attack Test Scheme

Bank, UK government and CREST come together to create better stress tests and improved threat intelligence sharing

The Bank of England today announced a scheme which aims to create better stress tests amongst financial institutions to see whether their ability to cope with super-sophisticated cyber attacks is up to snuff.

The ultimate aim of the programme, called CBEST, is to help prevent attacks that could “undermine financial stability in the UK”, its creators said, whilst promising access to “advanced and detailed cyber threat intelligence”.

Barclays Bank London headquarters © Kiev.Victor ShutterstockCREST, the not-for-profit body representing the technical information security industry, worked with the Bank of England (BoE), Her Majesty’s Treasury and the Financial Conduct Authority to create the CBEST framework.

The Bank of England warned in December that thanks to vulnerabilities in banking infrastructure, the industry could suffer “significant” losses.

Banks to get better at cyber defence?

It’s believed to be the first initiative of its type to be led by any of the world’s central banks and should help financial institutions better prepare for the increasingly dangerous threat landscape, said Andrew Gracie, executive director for resolution at the Bank of England.

“Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets,” said Ian Glover, president of CREST.

“CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to important financial institutions.”

Any providers that want to join the scheme and help improve banks’ resilience to attacks will have to get CBEST accreditation.

The UK’s top banks had previously come together for a handful of cyber stress tests, most notably in the Waking Shark events that sought to simulate an attack on their communications infrastructure. Whilst deemed a success, some participants said they wanted harder challenges.

CREST recently helped the UK government establish the Cyber Essentials certification scheme, designed to show which organisations have sufficiently protected their infrastructure.

Both Cyber Essentials and CBEST are part of a wider government agenda to boost digital security across the UK, as more criminals move online and the threat from other nation states becomes more severe.

How well do you know network security? Try our quiz and find out!