Cyber Resilience
Simon Onyons, Financial Stability – Resilience Team
TRANSCRIPT
Background
What is Cyber Risk?
The risk of attacks carried out on firms’ IT infrastructure to defraud or disrupt their operations through the exploitation of weaknesses and/or the transmission of viruses and malicious software (malware) via the internet or e-mail.
The majority of attacks target the external-facing technology infrastructure, which puts regulated entities’ internet-facing IT systems at higher risk of cyber attack. There remains a significant risk from the ‘insider attack’.
The FCA recognise that the growing cyber risk presents a significant threat to our strategic and operational objectives, and we are working to leverage the work being undertaken in response to a recommendation from the UK Financial Policy Committee in order to discharge our own regulatory obligations.
Conduct Regulation and Cyber
• Consumer Impact – Service availability
• Market Integrity – Data corruption or manipulation
• Competition – Theft of data (M&A, new products, personal data)
Cyber – Coordination with other bodies
[Diagram: coordination between UK Government and cyber agencies, the financial regulators and industry groups]
UK Government and cyber agencies: Cabinet Office, Her Majesty's Treasury (HMT), GCHQ, BIS, CPNI, CERT UK, National Crime Agency, MID
Government cyber initiatives: UK Cyber Strategy, BIS 10 Steps to Cyber Security, Cyber Essentials Scheme
Regulators: FPC (Bank of England committee), BoE, PRA, FCA, PSR; FPC recommendations flow to the regulators
Industry: CMORG* (Directors Sub Group; Resilience and Cyber Sub Groups)
* Cross Markets Operational Resilience Group
UK regulatory cyber work to date
36 in-scope firms identified as the “core of the UK financial system”. Predominantly critical national infrastructure, including retail banking, investment banking, insurance, exchanges and clearing houses.
Objectives:
• Enhance understanding of the finance sector threat
• Improve the sharing of information
• Strengthen work to assess the sector’s current resilience to cyber attack
• Develop plans to test sector resilience
FPC recommendation: “HM Treasury, working with the relevant Government agencies, the PRA, the Bank’s financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack.”
Develop Testing Plans – “CBEST”
• Diagnostic tool developed by the Bank of England, FCA and wider industry to support the FPC’s cyber recommendation
• CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests
• The tests replicate behaviours of threat actors assessed by Government and commercial intelligence providers as posing a genuine threat to financial institutions
• Requires interaction with the regulators from the outset: it aims to provide a transparent testing and reporting mechanism so that the regulators and the regulated can collectively improve their understanding of the threats the system faces and the extent to which the UK financial sector is vulnerable to those threats
• CBEST is VOLUNTARY, not mandated. Currently available only to the 36 firms in scope under the FPC recommendation
Develop Testing Plans – “CBEST”
• Leverage official sector and commercial intelligence on the most likely systemic threats, e.g. state sponsored
• Going beyond the BIS 10 Steps to include sophisticated and persistent attack types
• Testing of cyber resilience in key firms and FMIs
• Will provide a holistic assessment of people, process and technology
• Will mimic the tactics, techniques and procedures of threat actors identified through intelligence gathering
• Deliver a sector-wide assessment of resilience (and vulnerability) in the face of these threats
Understanding the Threat
[Chart (source: Bank of England): attack complexity (Low, Medium, High, Very high, with 0-day at the top) plotted against defence maturity (Neg-day; BIS 10 Steps; FPC in scope; Out-of-scope, e.g. acts of war). Each attack type is positioned by the threat actors behind it and annotated with its impacts, split into customer impact and system impact.]
Threat actors shown: Hacktivists; Organised Crime; Organised Crime / Hacktivists; Espionage / Organised Crime / Hacktivists; Nation state / Hacktivists; Nation state / Sponsored actor; Nation state / Espionage
Attack types shown: Website defacement; Online banking fraud; Corporate staff information and PC compromise; Disclosed staff credentials and data theft; Volumetric network attacks; Application layer volumetric attacks; Data exfiltration; Data exfiltration & espionage; Data deletion; Data corruption; System unavailability; Network unavailability
Impacts:
1 Operational disruption
2 Loss of data
3 Lower confidence in accuracy of information
4 Loss of IP
5 Market sensitive data
6 Disclosure of customer data
7 Web services unavailable
8 Financial loss
9 Brand impact
What have UK Authorities found?
High-level findings, following a comprehensive thematic assessment by the FCA and the Bank of England, are:
• Cyber undermines existing operational resilience arrangements.
• Testing of cyber for people, processes and technology is still immature.
• Business engagement, strategic planning and influencing for cyber vary widely.
• Firm scale and resources impact effective risk management.
What have UK Authorities found?
• Articulating target states of cyber maturity is a challenge.
• Cyber investment is technology centric.
• There is generally a low capability to effectively detect cyber attacks and identify threats.
• Oversight of third party suppliers and the supply-chain is immature.
• Challenge from the third line of defence is limited.
What do the UK regulators want to see?
Cyber Governance arrangements (Mission, Vision, Strategy, Leadership)
Understanding of dependence on technology systems and communication networks
Identification, assessment and mitigation of relevant cyber-security risks
Threat intelligence capabilities
Cyber-security incident management capabilities
Resilience measures to ensure availability of critical processes
Measures to prevent, detect and minimise social engineering attacks
Independent assurance to assess adequacy of cyber-security measures
LEAD IDENTIFY PROTECT DETECT RESPOND RECOVER LEARN