Andrew Gracie, Executive Director, Resolution, Bank of England, spoke at the Cyber Defence and Network Security conference in London on cyber resilience and its impact on financial stability. He argues that cyber is an ever-present threat and that firms need to stand ready to manage this risk. And just as cyber has changed the world for firms, it has also changed the landscape for authorities, so they need to adapt their approach to the operational resilience of the financial sector as a whole. He outlines two areas of focus for the regulators: first, dialogue with the main industry firms, and second, with those firms' agreement, stress testing and simulations to test response frameworks. Indeed, a joint testing programme between US and UK governments and authorities will start this year. This reflects the fact that cyber knows no borders, that the significant operational inter-linkages between systems also cross borders, and the growing dialogue with the US and others on how best to manage the risk to financial stability from cyber. He also makes three observations:
- Cyber has changed the rules: existing operational resilience arrangements are often geared to dealing with physical threats. These still matter, but cyber changes the game. Cyber is a dynamic, intelligent and adaptive threat, and in the cyber arms race the costs are stacked in favour of the attacker, not the defender. To meet the challenge, organisations need policies and processes that are dynamic, intelligent and adaptive too. This means investing in the capability to identify threats and detect cyber attacks. Without this situational awareness it is hard to determine and achieve appropriate maturity levels for cyber defence, or to allocate resources effectively to meet the threat.
- Cyber is not a minority sport for technologists only: of course the first line of defence is critical, and firms still need IT specialists who understand the technical challenges cyber presents. But good cyber resilience is about much more than technology. It is about culture too, and that means people and processes. All parts of an organisation need to understand cyber risk and their responsibilities for improved cyber hygiene. This includes Board-level engagement. Front-line business areas need to understand and own the risk, and management of cyber vulnerabilities needs to feature in strategic planning.
- Cyber requires effective and regular testing of people, processes and technology: industry investment in cyber is significant, but testing the effectiveness of that investment has not kept pace. Assurance is often based on audits and control sampling, which are not sufficient, not least because internal audit departments struggle to keep pace with change in this area. And of course, given the dynamic nature of the threat, such tests should take place on a regular basis.
Finally, he highlights that firms need to cooperate, not compete, in this space. With that in mind, the regulators are working with industry to strengthen arrangements for information sharing: reviewing the existing forums for tactical information sharing and supplementing them where necessary with arrangements for more strategic information sharing, including on good practice.