Bank of England to publish new cyber standards by summer to protect financial system under “almost constant attack”
Britain’s financial system is “under almost constant cyber attack” according to a top Bank of England official, with the regulator planning to introduce new standards for financial firms’ computer security.
Sam Woods, a deputy governor at the Bank, said the the Prudential Regulation Authority (PRA), which he heads, will publish new standards expected of firms.
The new standards could be published before the end of the first half of the year, although the timing has not been finalised.
Read more: BoE tells financial firms: Keep calm and carry on during Brexit transition
Writing in the PRA’s business plan for the next year, Woods said that “setting out clearly the level of operational resilience we expect of firms and how we will make sure it is delivered is a top priority for the PRA”, alongside preparations for leaving the EU. The business plan also provided for the reallocation of resources from “lower risk supervisory activity” to the Brexit preparations.
The UK’s biggest banks, such as Royal Bank of Scotland, Lloyds, and Barclays, are already subject to heightened cyber resilience requirements, particularly with regard to financial risks; the Bank of England will run another cyber resilience test this year.
However, the watchdog believes more needs to be done. Woods added that “nowhere in the world is there an overarching prudential standard for operational resilience”.
Read more: The Bank of England is setting up its own fintech hub
The new standards for banks, insurers and investment firms will increase the PRA’s scrutiny of cyber risks associated with information technology systems, outsourcing, and data outages.
Woods also added that open banking regulations, new this year, “will pose further challenges to existing technologies”, with firms forced to open up their customer data to third parties as long as customers consent.
In September Woods said that regulators’ “emergency” response systems had been triggered six times in the previous 12 months alone, according to Reuters.
He said that the Bank will have three levels of “tolerance” of cyber risks, depending on whether a breach would threaten consumers, firm solvency, or financial stability.
Read more: UK businesses unprepared for cyber attacks