Managing cyber risks and operational resilience for banks and financial services organisations
Carlison Morris · November 1st 2023
Cybersecurity and operational resilience in financial services
Carlison Morris, Partner at MHA, discusses the cyber security issues raised in a recent speech given by Elizabeth Stheeman, an external member of the Financial Policy Committee (FPC) of the Bank of England, on 18 October 2023.
The risk of cyber attacks is an ever-present and growing threat to banks and other financial services organisations, so much so that the issue has been, and continues to be, a priority on the FPC’s agenda. This priority is also reflected in the operational concerns of banks and other financial services organisations, as reported in the latest Systemic Risk Survey carried out by the Bank of England, in which 80% of respondents cited cyber risk, replacing geopolitical risk as the number one concern.
The financial services sector is of course not alone in confronting cyber security threats. The UK’s National Cyber Security Centre (NCSC) has noted that several state actors present an ongoing and growing cyber security threat, and that ransomware is one of the most acute cyber-related threats faced by UK businesses in general, alongside less sophisticated methods of cybercrime.
Given the risk of systemic failure and the role of national and global ‘Systemically Important Banks’ (SIBs), strengthening cyber security systems must be a top priority. Indeed, Elizabeth Stheeman cited the infrastructure that supports operations, and its ability to withstand cyber threats, as one of the key learning points to come out of the 2008 financial crisis, when global systemic failure became a real and tangible concern, albeit not one that at the time was born of cyber risk. With this systemic theme in mind, the potential ‘knock-on’ effects of a cyber attack on areas such as liquidity, financial loss and significant price moves could impact markets, financial institutions and payment systems.
How do banks and other financial services organisations demonstrate that they can withstand a cyber-attack?
In the context of systemic risk, banks and other financial services organisations need to demonstrate that they have the ability to detect, prevent or withstand cyber-attacks, and the Bank of England and PRA’s own ‘CBEST’ tests are designed to gauge these abilities. A cross-market operational resilience group has also been formed to foster collaboration, and its work includes the ‘SIMEX’ simulation, which measures collective response and recovery capability. One of the points the FPC has made is that organisations need to commit to a baseline of performance for the timing of critical payments following a severe cyber incident, and to commit to regular testing.
What were the findings from the Financial Policy Committee 2022 Cyber Stress Test?
At this point, it is informative to examine the most recent cyber stress test carried out by the FPC in 2022, which focused on a disruption to retail payments. Retail payments are a particularly important aspect of the wider monetary system given the trend towards cashless transactions in recent years and the decline in retail bank branches. The test assumed that a fairly significant data breach had taken place and measured what is known as ‘Impact Tolerance’: the maximum level of disruption that can be tolerated in a business service, payment processing for example. The test was carried out amongst several volunteer firms that could be described as systemically important, and it also included several smaller firms to replicate how a cyber attack might spread via multiple different channels.
Key learning points for banks and other financial services organisations in reducing cyber risk
As you might guess, these included contingency planning, preparing mitigating actions and wider co-ordination across the market and supply chain. Although it is an obvious point, it is essential that contingency plans are already in place and rehearsed; in the test exercise, for example, payments needed to be re-routed via alternative channels. It was also clear that clean data was required to allow for the reconciliation and re-routing of payments. Consequently, tried and tested tools and scripts to help automate data reconciliation need to be readily available and at an appropriate scale. The FPC also highlighted the need to identify and prioritise critical payments where wider financial stability is concerned, as well as the ongoing and routine nature of stress testing and the building in of ‘safety nets’. Where contingency plans do not work as planned, the need for mitigating actions was clear. In the context of payment processing, actions that should be available for deployment include emergency cash and overdraft extensions to lessen the impact on customers.
Another learning point was again connected with the potential for systemic failure: the need for coordination across the wider sector, and for understanding the consequences of actions on other organisations and the risk of contagion, especially where firms provide critical services to each other. The key point was the need for effective industry-wide and public communication where remedial actions are concerned. The existing Sector Response Framework (developed by the sector’s Cross Market Operational Resilience Group, CMORG) plays an important role in this coordination. The framework provides a good template for both industry and government coordination, especially when applied across the multiple traditional and social communication channels available.
Overall, the 2022 test was considered to have provided an invaluable lesson, less about the ‘don’ts’ and more about the ‘do’s’: preparation is essential, and having multiple mitigation actions available is key to reducing risk levels and contagion. An extremely apposite point was also made by the current Deputy Governor for Financial Stability and Chair of the Bank of England’s Financial Market Infrastructure (FMI) Board, Sir Jon Cunliffe, who noted that ‘operational resilience is not a technical issue, especially for the infrastructure firms that need to act as “systemic risk managers”. It must begin in the boardroom.’