Less than a third of financial institutions deemed “critical” to the UK economy have run the new Bank-approved cyber security “war games”, according to Bank of England Governor Mark Carney.
Appearing before the Treasury Select Committee in Parliament on Tuesday, Carney said 11 out of the 35 institutions the Bank of England sees as “critical” to the economy have done cyber security testing under the Bank’s CBEST framework.
CBEST, launched last year by the Bank of England, is a set of guidelines and bespoke tests for banks to see how vulnerable they are to cyber attacks. So-called “white hat” ethical hackers try to break into banks’ computer systems, reporting any flaws or security gaps they find.
Carney said CBEST was relatively cheap for companies, saying it cost just £150,000 to implement. He didn’t elaborate on how exactly this breaks down.
The Bank of England Governor said he isn’t worried about the level of uptake of CBEST testing though, as many of those who haven’t run the tests are foreign companies who may be working with other regulators on cyber security. He added: “The importance of cyber risk is very high, as high as it’s ever been.”
The Bank of England listed the initiatives as a success, claiming the most recent Waking Shark tests helped identify a number of key weaknesses in financial organisations’ cyber defences in February 2014.
The cyber security of nations’ financial systems is becoming an increasingly big issue, with fears that opposing nation states could target banks as a proxy for governments. In 2012, Iran attacked the websites of major US banks, including JPMorgan Chase and Bank of America. JPMorgan was again hacked last year, with suspicions that Russia may have been behind the attack.