The U.K. is currently taking active measures to prepare its financial sector with solutions for dealing with massive cyberattacks. Recently, banks have requested to conform to new guidelines imposed by the U.K.’s Financial Policy Committee (FPC), a government group in charge of monitoring both the Bank of England as well as the economy.
On Oct. 1, the FPC issued an order to British banks stating that they have one year to overhaul existing cyber-defense strategies and come up with a reliable plan to be enacted in the event of an emergency. The order calls for a “concrete plan” to be established by the end of the first quarter of 2014, with drafts to be turned in by the end of 2013 to highlight progress.
Additionally, in November all U.K.-based banks will participate in a comprehensive “war game” in which an extensive cyber threat will be simulated nationally. The test will be overseen by the Treasury, the Financial Conduct Authority and the Bank of England. The attack will also test the resiliency of payment providers, as well as the stock market.
The orders for regulatory oversight in regards to cyber security come amidst recent concerns that the financial IT infrastructure in the U.K. is outdated and incapable of withstanding a real cyberattack. According to a report issued last August by the U.K. trade commission, the country’s financial IT infrastructure is currently “not fit for purpose.”
Part of the reason for the increased scrutiny over cybersecurity in the financial industry has to do with a widespread international push for the reclassification of the term critical infrastructure.
For a long time, the term critical infrastructure has been used to describe the physical components needed to facilitate national security and stability. This infrastructure, which includes components such as highways, power grids and utility systems, are all things which if compromised in any way could lead to widespread damage or loss of life. For example, the bulk electricity system falls under the term critical infrastructure due to its wide-reaching necessity. If such a system were to fail, chaos would ensue.
While the definition of critical infrastructure differs from location to location, the umbrella term is now expanding to include commercial and retail banks and financial institutions. As cyber threats continue to evolve and pose legitimate threats to vulnerable economic systems, many are calling for IT professionals in the financial industry to take quick action and overhaul outdated networks.
Additionally, government agencies are becoming increasingly concerned that protection is no longer a job for IT professionals and instead requires the ongoing presence of government intervention through groups such as the FPC.
One of the most prominent groups in charge of overseeing regulatory oversight in the U.K., the FPC was established under the Banking Act of 2009 for the purpose of reducing internal risks and supporting the government’s financial policies. The FPC is therefore in charge of prudential regulation and systematic infrastructure within the Bank of England.
Across the pond, the same type of financial oversight exists in the U.S. under the direction of the Federal Financial Institutions Examination Council (FFIEC). Established in 1979, the FFIEC is designed to issue uniform standards as well as report forms related to the federal examination of the following agencies:
- Board of Governors of the Federal Reserve System (FRB)
- Federal Deposit Insurance Corporation (FDIC)
- National Credit Union Administration (NCUA)
- Office of the Comptroller of the Currency (OCC)
- The Consumer Financial Protection Bureau (CFPB)
Additionally, the Payment Card Industry Data Security Council (PCI DSS) is another U.S.-based agency worth noting that works to establish necessary standards for protecting digital information when it is stored in private databases. Through the use of strong authentication factors, encryption services and content-monitoring, PCI DSS compliance is a crucial part of ensuring that once data is stored, it remains there until an authorized user extracts it for necessary use.