A new framework that will help identify areas where the financial sector could be vulnerable to sophisticated cyber-attack was formally launched by Andrew Gracie, executive director, Resolution at the Bank of England, in a speech at the British Bankers’ Association on Tuesday.
The new framework, known as CBEST, is part of the UK central bank’s response to the Financial Policy Committee’s recommendation to test and improve resilience to cyber-attack. Using intelligence from Government and accredited commercial providers, CBEST identifies the potential attackers of a particular financial institution. The framework then replicates the techniques used by those attackers in order to test how far they would succeed in penetrating the defences of the financial organisation. When the test is completed, workshops will be provided for the company to review the results with the testers and supervisors.
CBEST will provide access to considered and consistent cyber threat intelligence that is ethically and legally sourced from organisations that have been assessed against rigorous standards; access to knowledgeable, skilled and competent cyber threat intelligence analysts who have a detailed understanding of the financial services sector; realistic penetration tests that replicate sophisticated, current attacks based on current and targeted cyber threat intelligence; standard key performance indicators that can be used to assess the maturity of the organisation’s ability to detect and respond to cyber-attacks; and access to benchmark information that can be used to assess other parts of the financial services industry.
According to the Bank of England, this combination of intelligence, analysis and testing will enable financial companies to understand vulnerable areas in their operations and be better prepared to put remediation plans in place. With the provision of specific cyber threat intelligence, the tests replicate the evolving threat landscape and will remain relevant.
CBEST differs from other security testing currently undertaken by the financial services sector because it uses real threat intelligence and focuses on the more sophisticated and persistent attacks on critical systems and essential services.
The implementation of CBEST is expected to give the boards of financial firms, infrastructure providers and regulators an improved understanding of the types of cyber-attack that could undermine the UK’s financial stability, as well as of the level of vulnerability to cyber-attacks in the British financial sector. The framework will also improve understanding of how effective financial organisations’ detection and recovery capabilities are.
When announcing the launch of CBEST, Gracie stated: “The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment. The results should provide a direct readout on a firm’s capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability.”
In addition, the Bank of England disclosed that it has worked to develop new accreditation standards with the Council for Registered Ethical Security Testers (CREST), a not-for-profit organisation that represents the technical information security industry, along with Digital Shadows, a cyber-intelligence company. Commercial cyber intelligence providers will now be subject to accreditation standards that are bound by enforceable codes of conduct and supported by a range of CBEST documents on security testing and cyber threat intelligence.