CBEST aims to improve the understanding of the types of cyber-attack that could undermine financial stability in the UK, and the extent to which the UK financial sector is vulnerable to those attacks
London UK – 10 June 2014: Cyber intelligence company Digital Shadows has been working in tandem with the Bank of England and CREST, to define a framework for developing intelligence-led cyber threat vulnerability tests against financial institutions’ critical systems.
Forming an essential part of the Bank’s cyber security strategy, Andrew Gracie, Executive Director Resolution at the Bank of England has today addressed the British Bankers Association. In his speech at the BBA in London, Mr Gracie warned of the growing and sophisticated nature of cyber-attacks and the steps the Bank of England is taking to support UK banks in their efforts to thwart these attacks.
Key to the Bank of England’s cyber security strategy is CBEST, a new framework – and the first of its type to be led by any of the world’s central banks – to deliver controlled, bespoke, intelligence-led security tests. These tests mimic the actions of groups and individuals who are perceived by Government and commercial threat intelligence suppliers as posing a genuine threat to systemically-important financial institutions within the UK’s Critical National Infrastructure.
The objective of CBEST is to assist the boards of financial firms and infrastructure providers, and regulators to improve their understanding of the types of cyber-attack that could undermine financial stability in the UK, and the extent to which the UK financial sector is vulnerable to those attacks.
James Chappell, Chief Technology Officer at Digital Shadows comments: “Organisations are facing an increase in targeted cyber-attacks committed by adversaries ranging from hackers and hacktivists to criminals and nation states. The goal of these attackers poses a threat to the resilience of the critical economic functions of the UK banking system. These threats have financial, operational, intellectual, confidential or reputational implications.
Chappell continues: “Digital Shadows has worked with the Bank of England to develop the CBEST threat framework and model. This is best viewed as a tool designed to put UK financial sector institutions on the front foot by bringing together best in class suppliers to subject them to as near ‘real life’ as possible threat scenarios. The crucial lessons learned through these tests will ensure they are better prepared should they come under real attack.”
Chappell concludes: “To be effective, CBEST tests must be based on realistic, threat-informed scenarios. The Bank of England is therefore seeking to form partnerships with commercial suppliers of threat intelligence and security testing services to help establish a ‘best practice’ approach to defining and executing the tests. Essentially the threat intelligence service suppliers will provide threat intelligence to security testers, augmented by Government support, who will use it to target their attacks.”
CBEST follows general recommendations of the Financial Policy Committee (FPC) on improving resilience against cyber threats. It is also supported by the Cabinet Office and the objectives of the UK Cyber Strategy objectives (Cabinet Office, 2011), in particular:
- Being more resilient to cyber-attack;
- Enhancing the UK’s cyber security knowledge.
CBEST encompasses the following groups of stakeholders:
- Regulators: governmental authorities bearing official responsibility for the stability of the UK financial system
- Critical financial organisations: financial-sector organisations recognised by CBEST as critical to systemic stability, classified by programme involvement as either “participants” or “non-participants”
- Providers: CBEST-accredited cyber security firms comprising “assessors”, or threat intelligence providers that perform CBEST threat assessments, and “testers”, or penetration testing providers.
Under CBEST these stakeholders will work together to assess cyber threats that pertain to the resiliency of the UK financial system as a whole rather than any single organisation.
NOTES TO EDITORS
About Digital Shadows
Digital Shadows is a UK-based cyber intelligence company that helps clients discover sensitive data exposed through social media, cloud services and mobile devices. It also identifies which hostile groups are targeting its client base.
From its Canary Wharf headquarters, at the centre of London’s financial hub, Digital Shadows serves clients around the world, including some of the world’s largest banks.
For further information please visit www.digitalshadows.com