Regulators are playing an important role in how banks guard against cyber risks, but their emphasis is very much on guidance and co-operation rather than rules and coercion.

Banks and other financial institutions are in the frontline of the cyber war. They are under constant attack from hackers, internet fraudsters, organised criminal gangs and unfriendly foreign governments among others, and have suffered numerous high-profile security breaches, denial-of-service incidents, data thefts and financial losses.

The defensive measures deployed by banks are becoming more sophisticated, as was outlined in The Banker’s cover story in September. They are working increasingly closely with each other through industry associations, not only to deter and detect the threats, but to mitigate the consequences of successful attacks.

Banking supervisors and regulators, along with other public sector bodies, are also getting involved. They want to ensure that cyber security in the banking system is effective – not only within banks, but within the infrastructure that banks use, such as payment clearing and settlement systems, card networks, securities exchanges, central securities depositories, central counterparties and other critical third-party service providers.

Supervisors want to know that banks have adequate security in place and, in the face of attack, can demonstrate high levels of resilience, because any deficiencies in this area could put consumers and businesses at risk and threaten the stability of the financial system.

Bank of England action

What the Bank of England is doing is a case in point. In May 2014 it launched CBest, a framework to test and improve the resilience of banks, insurers and other financial firms, infrastructure providers and financial regulators to cyber attacks. It has been developed in conjunction with the Council for Registered Ethical Security Testers (Crest), hence the name CBest, though it is not actually an abbreviation of anything.

Its use by firms is voluntary, but so far take-up has been good. “In rolling out CBest, we are working closely with a number of entities across the sector and several are at an advanced stage,” says Andrew Gracie, executive director of resolution at the Bank of England. “I cannot share specific names, or testing dates, but we expect to have the first results early next year.”

“At a recent meeting with industry chief risk officers, we discussed the importance of CBest and heard from a number of chief risk officers [CROs] whose firms are engaged with CBest – it was important for other CROs to hear the benefits of participation.”

At the moment the Bank of England is unable to quantify the scale of the cyber threat. “That, ultimately, is why we need CBest, which should put us in a better place to quantify the threat and consider the best way to address it,” says Mr Gracie. “But even when we are further down the line, I should note that the nature of the cyber threat is constantly adapting and evolving. Cyber defence as a result has become not a matter of designing a hard perimeter that can repel attacks but detecting where networks have been penetrated and responding effectively where this occurs. As it evolves, cyber is elusive, challenging to define and to measure.”

In a separate initiative, the Bank of England, along with the Securities Industry Business Continuity Management Group, organised the Waking Shark II exercise in November 2013 to test the response of the UK's wholesale banking sector to “a sustained and intensive cyber attack”. It demonstrated that some banks are not aware of the requirement to notify the regulators of significant cyber attacks.

FCA requirements

Although the Bank of England’s high-profile exercises are voluntary, there have long been regulations in place that make it incumbent on banks to have adequate security in place. Section SYSC 3.1 Systems and Controls in the Financial Conduct Authority’s (FCA) handbook states: “A firm must take reasonable care to maintain such systems and controls as are appropriate to its business.” Section SYSC 3.2.6 goes on to make it clear that these systems and controls must counter “the risk that the firm might be used to further financial crime”; and the FCA’s definition of financial crime, spelt out in its handbook Financial Crime: a Guide for Firms, includes cyber crime.

“In terms of the requirements we place on the 35,000 firms we regulate, we need them to have good security standards and robust technology,” says Christopher Woolard, the FCA’s director of policy, risk and research. “The FCA does not operate alone, but with a number of agencies with distinct roles to play, such as the Bank of England and law enforcement. But we have a leading role as the regulator of firms on the frontline.

“Our main interest is how we get the right outcomes for both market integrity and consumers. When there are cyber-type incidents, what we are worried about is the impact on consumers and how the entities we regulate take steps to avoid any serious impact on them.”

The European dimension

The three European supervisory authorities – the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority – have also been active. In April they published a joint report entitled 'Risks and vulnerabilities in the EU financial system'. The section focusing upon 'operational risk from IT' noted that financial institutions are being “hit by cyber incidents more frequently”.

It recommended that “supervisors should factor the mitigation of cyber and IT risks into regular practices and risk assessments, and institutions should strive to integrate IT security and cyber resilience in the risk models they apply”. It added: “Cyber and IT risks should be regarded as important components of operational risks, and institutions should consider holding capital against them.”

The EBA is also collaborating with the European Central Bank (ECB) to make retail payments safer through the use of technical work developed by the European Forum for the Security of Retail Payments (SecuRe Pay). The EBA published a consultation paper in October on draft guidelines on the security of internet payments, based on the SecuRe Pay recommendations.

“Cyber criminals are no longer focused solely on attacks against users to gain access to personal information but increasing attention is applied to the service providers,” notes the paper. “The increased number of security incidents causes problems for payment institutions, consumers, merchants and regulators alike.”

Dirk Haubrich, head of consumer protection and financial innovation at the EBA, says: “The EBA is working closely with the ECB on payment security not because of a particular past or anticipated future threat, but because of a continued and well-documented increase in payment fraud in recent years.

“The payment supervisors and oversight authorities across Europe have agreed that enhanced requirements are required to address this issue and the EBA guidelines will ensure a consistent implementation of these guidelines across Europe by August 1, 2015. The EBA guidelines on the security of internet payments is only a first step, and the EBA and ECB are currently working on additional security requirements for other payment methods. These will be published for consultation.”

The EU strategy

Cyber security is one of many priorities under the European Commission’s Digital Agenda for Europe. Action 124 of the agenda created the EU Cyber Security Strategy, while Actions 28 and 123 have resulted in the Network Information Security (NIS) Directive, which comes into effect in 2015.

The directive will require “critical infrastructure operators” such as e-commerce platforms, energy companies and banks to ensure they have secure and trustworthy digital environments throughout Europe. This includes adopting risk management practices and reporting major security incidents to the authorities and customers.

The commission has also proposed the Data Protection Regulation, which will replace the existing Data Protection Directive in 2015. Its main thrust is to establish one law for data protection across Europe, replacing a patchwork of national laws. The cyber security dimension is that it will require companies, including banks, to report data breaches to the authorities, complementing the NIS Directive requirement.

One of the official organisations helping banks to fathom out how the directive, the regulation and other measures will affect them is the EU Agency for Network and Information Security (Enisa). “We work closely with the private sector to help it turn EU policy and strategy in this area into something that works in the real world and costs a reasonable amount of money and a reasonable amount of resources,” says Steve Purser, head of core operations at the agency.

“We helped set up the Financial Institutes – Information Sharing and Analysis Centre (FI-ISAC) in 2008, which is modelled on the US’s FS-ISAC. The centre allows financial institutions to exchange information on things such as vulnerability, technology trends and threats. We hosted its 12th meeting in Athens in April 2014. Its members include banks, the ECB, national computer emergency response teams and law enforcement agencies such as Europol.”

In October, Enisa ran a day-long exercise in 29 countries for more than 200 organisations, including banks, to test their readiness to counter cyber attacks. Called Cyber Europe 2014, it was the largest and most complex such exercise ever organised in Europe, simulating more than 2000 cyber incidents, including denial-of-service attacks on online services, website defacements and attacks on critical infrastructure.

Meanwhile in the US…

On the other side of the Atlantic, financial institutions and other critical infrastructure companies are adopting the standards and guidelines outlined in the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity, published in February 2014. They are also following other official initiatives such as the Department of Homeland Security’s Critical Infrastructure Cyber Community C3 Voluntary Program and its National Infrastructure Protection Plan.

As for the financial services sector specifically, the Office of the Comptroller (OCC), the Federal Financial Institutions Examinations Council (FFIEC) and other regulatory bodies have been working overtime on improving cyber security in the institutions they supervise. “There are few issues more important to me than shoring up the industry’s defences against cyber attacks,” said Thomas Curry, the comptroller, in a recent speech.

The OCC created the new position of senior critical infrastructure officer in 2013, a position held by Valerie Abend. She is also the inaugural chair of the Cybersecurity and Critical Infrastructure Working Group in the FFIEC. “We are concerned about the risks posed by all the various cyber actors to our financial institutions, from nation states, to organised criminals to hacktivists,” says Ms Abend.

“Cyber attacks affect all sizes of institutions. Large banks have high public profiles and are therefore subject to a greater number of attacks. Their response needs to be in line with the volume and sophistication of the attacks and they have allocated considerable resources to combat them.

“Smaller institutions generally don’t have the same level of resources, which is why the OCC and the FFIEC have been focusing on how we can assist them to address this risk and help them mitigate their potential vulnerabilities.”

The FFIEC hosted a webinar in early 2014 on the need for cyber security preparedness, targeted mainly at the CEOs of community banks. More than 5000 people registered. Later in the year it ran a cyber security work programme for about 500 community institutions, highlighting what senior managers and boards need to do.

“The FFIEC has a cyber security web page to provide a single point of reference for everything it is doing in this area,” says Ms Abend. “For example, it has published a number of interagency statements highlighting wide-scale vulnerabilities, such as Shellshock, and before that Heartbleed. It has put out statements on potential distributed denial-of-service attacks and ATM cash-outs.”

Compliant and co-operative bankers

Bankers in Europe and the US are receptive to official efforts to get them to beef up security. “We recognise that the focus of policy-makers and regulators on this subject is clearly increasing and the banking industry sees the benefit in engaging as much as possible with them to help create laws and rules that allow for a proportionate and effective approach to managing cyber risks,” says Matthew Allen, director, financial crime, at the British Bankers’ Association.

“We welcome the thrust of the EU’s NIS Directive and can see the merit in trying to promote a consistent approach to cyber security across Europe. We have called for care in a few areas, particularly around mandatory breach reporting. Since our initial submissions there has been a further examination of the issues so we hope the final rules will reflect our concerns.

“We are monitoring what is happening on a wider international level and engaging with policy-makers and regulators to shape thinking in a constructive manner. For example, we recently visited Singapore and met the monetary authority there which is looking at this in detail.”

In testimony before the US Senate Committee on Homeland Security and Governmental Affairs in March 2014, Doug Johnson, senior vice-president, payments and cyber security policy, at the American Bankers Association and vice-chairman of the Financial Services Sector Coordinating Council, said the financial sector is unified in its efforts to fight cyber crime and is working effectively with public sector partners to protect the financial system.

“We work collaboratively with government agencies on cyber policy,” Mr Johnson told The Banker. As for supervisors – such as the FFIEC and its inspection of the cyber security practices of 500 community banks – there is a different relationship, but again there is a spirit of co-operation rather than enforcement.

“The FFIEC said the review of these community banks would not culminate in specific findings against institutions, but ‘audits’ that would be used to inform the regulatory process,” says Mr Johnson. “They want to learn about how community banks manage cyber threats and how they respond to incidents.”

It seems that this is one of those comparatively rare cases where regulators and the regulated are in almost total agreement and are unified in a common cause.
