Financial institutions are now so likely to suffer a cyberattack that the question is no longer a case of ‘if’, but ‘when’. It might be a cute axiom, but it is one that gains more traction by the day, Paul Williams explains.

In his role as the Bank of England’s (BoE) senior technical adviser for operational risk and resilience, Williams has witnessed rising levels of concern about cyber breaches. Indeed, the BoE’s recent risk survey, conducted earlier in 2020, revealed that 62% of UK financial institutions cite cybersecurity as a major source of risk – up from 51% reported a year earlier.

Often, the discussion around cyber resilience is framed in terms of institutional culture, by which it is implied the onus is on banks and their boards to demonstrate they have the right protocols in place to protect themselves. For Williams, however, they first need to have an entrenched understanding of the matter at hand.

“The historic risk management mindset, which leans heavily on a calculation of likelihood and impact to determine what you’re going to mitigate against, can struggle with a risk that has near certainty,” he explains. “I wouldn’t describe this as a cultural issue. I would say it was an understanding issue. But we are seeing that boards are increasingly focused on improving levels of awareness.”

Beyond the threats

Williams cites the BoE’s CBEST assurance framework – based around threat intelligence-led testing of cyber resilience – as a service aimed at helping companies identify what improvements they need to make. However, according to Williams, the word ‘threat’ – often found in alarmist straplines in the media – isn’t always helpful for companies.

“It’s easy to get distracted by the word ‘threat’, as it’s a headline generator,” he says. “So, while we want companies to be aware of the threats – and our CBEST programme absolutely uses threat intelligence to inform its framework – there is actually a limited amount that companies can do to manage it.

“What they can do is manage their exposure to that threat much more effectively. The focus of our work is encouraging companies and boards to make sure they understand their vulnerabilities to the key threats they face and ensuring they make the right remediation in those areas.”

Williams also points to the work conducted by the BoE’s Financial Policy Committee (FPC), which is charged with identifying, monitoring and taking action to remove or reduce systemic risks throughout the UK’s financial system. The FPC, he explains, “has been consistently reporting on cyber risks since 2013”, promoting the requisite understanding to facilitate sector-wide resilience against cyberattacks.

“The FPC has a systemic risk perspective, compared with the firm-specific mindset that companies will be taking,” explains Williams. “In many ways, the approach is the same – the FPC also aims to identify vulnerabilities and ensure that suitable defences are in place. In 2017 the committee set out a framework to strengthen the resilience of the UK financial system against cyber risk.”

Similarly, the BoE’s Prudential Regulation Authority (PRA) has become more focused on strengthening the operational resilience of systemically important banks – which includes protecting them against cyberattacks. But, in ensuring the alignment of public and private interest in the context of cyber resilience, does the BoE have something of a dual role, both motivating and regulating banks? “Yes, I think that’s probably right,” says Williams.

Get your house in order

The cybersecurity market may have grown in recent years, but it remains comparatively narrow. According to Williams, companies may well be able to utilise the services offered by “niche providers”, but the responsibility for heading off threats ultimately begins closer to home.

“The primary responsibility for managing the services that companies provide sits with the company themselves,” he says. “That means that companies need to ensure that, if they are using a third party, it can continue to provide the service that the company needs when it needs it.

“If companies become aware that there’s a concentration risk potentially in that area, then they should be the first line of defence in making sure they understand where those limitations are.”

So, with financial institutions relying on a small number of cybersecurity providers to protect much of the industry, does that create a concentration risk of its own?

“There’s always that danger, yes,” answers Williams. “But that’s for companies to manage in the first instance. They need to make sure, through the lens of business services, that they understand how they assure those business service outcomes, taking into account all of the risks that might be present and need to be dealt with.”

Bounce back

In its June 2018 Financial Stability Report, the FPC revealed plans to introduce stress testing and an “impact tolerance” for the length of any period of disruption to the delivery of “vital services” provided by the financial sector. This will see the BoE seeking input from the National Cyber Security Centre (NCSC) and launching a pilot exercise, with the aim of testing how quickly companies can recover from a cyberattack. The BoE and the NCSC are no strangers to each other, having worked closely together since the latter’s inception in 2016.

“Staff are fully engaged with the NCSC through financial services industry forums,” says Williams. “We also rely on the NCSC’s technical advice and guidance for vital internal programmes of work. We have been strong supporters of the NCSC from the start, and they are key contributors to the CBEST framework.”

Williams now says that the bank is gearing up to engage with companies and financial market infrastructures “to learn more about how companies set and test their own tolerances”.

“The FPC is establishing its tolerance for the length of any period of disruption to the delivery of vital services that the financial system provides to the economy,” he continues. “Working with others, as well as the NCSC, the BoE will test whether companies would be able to meet these expectations for recovering services within this tolerance, under the scenario set by the FPC. This stress-testing approach will be developed by the BoE and the PRA. The particular incident modelled and the economic activities tested will likely vary from test to test, once the pilot has proved the approach works.”

Ultimately, it will be up to the financial institutions to ensure their own protection. Much of the debate around the best means of fostering cyber resilience involves companies selecting either reaction or resistance. But, as Williams points out, this is a false dilemma; in fact, they need to incorporate both approaches.

“This is something that is also set out in our recent discussion paper,” he says. “Banks need to plan on the basis that disruption is inevitable. This shifts the mindset beyond traditional risk management, to thinking about what the impact of failure could be on their business and how they could better manage that. This needs to include a react and resist approach.”

If Williams were to place himself in the shoes of a board member of a bank looking to erect a bulwark against nefarious cyber activity, how would he begin to set such a protective strategy in motion? “The financial system is large and complex,” he answers. “You can’t simplify that system, but you can simplify the way you look at it, with a view to protecting the things you care about the most.”