The Bank of England has launched a new framework that aims to test for cyber vulnerabilities across the financial sector.
Speaking at the British Bankers’ Association yesterday, the Bank’s executive director Andrew Gracie introduced the new system in response to a recommendation from the Financial Policy Committee to improve resilience against cyber-attack.
The new framework, named CBEST, uses government intelligence and accredited commercial providers to help identify potential attackers of specific financial institutions.
The techniques these hackers may use are then replicated to test how successful such attempts may be in breaching any defences an organisation may have in place.
When these tests are completed, a financial institution will be able to hold workshops to explore the results with testers and supervisors.
“The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment,” claimed Gracie.
“The result should provide a direct readout on a firm’s capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability,” he added.
According to the Bank of England, CBEST is different from similar frameworks because it uses real threat intelligence, focusing on more sophisticated and persistent attacks on critical systems and essential services.
It claims the combination of specific cyber threat intelligence, skilled analysts, realistic penetration tests, standard key performance indicators and access to benchmark information will help financial firms truly understand an evolving threat landscape.
To develop CBEST, the Bank of England worked with the Council for Registered Ethical Security Testers (CREST), a not-for-profit representing the technical information security industry.