The Bank of England has launched a framework, CBEST, under which real intelligence gathered about cyber threats is used to inform the testing of bank systems. The framework is voluntary and has been in operation in the financial services industry since May.
"The new framework called CBEST uses intelligence from government and accredited commercial providers to identify potential attackers to a particular financial institution," the Bank said in a statement. "It then replicates the techniques these potential attackers use in order to test the extent to which they may be successful in penetrating the defences of the institution. On completion of the test there will be workshops for the firm to work through the results with the testers and supervisors."
The CBEST framework will help board executives, IT providers and regulators to gain a better understanding of the kind of cyber attacks that could "undermine financial stability in the UK" as well as "the extent to which the UK financial sector is vulnerable to those attacks and how effective the detection and recovery processes are", the Bank said.
The Bank of England's role is to ensure that there is operational resilience within the financial services sector, the regulator's executive director of resolution Andrew Gracie said in a speech on Tuesday.
"The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment," Gracie said. "The results should provide a direct readout on a firm’s capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability."
"Unlike physical attacks, which are likely to be localised, the impact of a successful cyber attack on the financial system as a whole is potentially more serious from a financial stability point of view," he said.
Gracie said that prescribing standards on how financial institutions should address cyber risks would be wrong and that the Bank of England instead would "take a systemic, risk-sensitive, intelligence-based view as to what good practice looks like in relation to cyber". He said the regulator would "take action" if financial institutions were inadequately prepared to deal with cyber threats.
"Just as the threat evolves and adapts, so will our expectations," Gracie said. "Continued dialogue between the Bank and industry will be essential to ensure that these expectations are clear. Given the cyber threat transcends borders, we will also need to work with international counterparts, to ensure that any expectations are clear and coordinated from a global perspective."