UK Financial Services - Cyber Stress Test

On Friday the Bank of England’s Financial Policy Committee (FPC) published their latest policy summary and record.  As part of the summary, they shared an update on the plans for the next “cyber stress test”.    

For those that aren’t aware, back in 2017, the FPC set out the elements of the framework of regulation to strengthen the resilience of the UK financial system to cyber risk – a key element of this was regular testing by both firms and supervisors to ensure that resilience kept pace with the ever changing threat landscape.  Resilience to cyber risk comprises both the ability to withstand an incident and the ability to restore functioning after an incident (both within a timely manner!).  

A key control within this framework is the regular cyber stress test by the Bank of England to test firms’ ability to meet associated impact tolerances in severe but plausible scenarios.  In Friday’s summary, the FPC confirmed that the next cyber test (in 2022) would involve a scenario where data integrity had been compromised within the end-to-end retail payments chain.  The link below takes you to the summary, and you can find information on the cyber stress test from Page 17 of the report. 

Many firms have already been proactively building “data vaults” to protect the most prized data they hold in an immutable way.  I’m sure next year’s cyber stress test will both focus efforts as firms build out capabilities in this space, but also refine what has already been deployed, along with the regulators approach in this space.