UK banks told to show their backup plans for tech shutdowns

This morning, Reuters reported that British banks and other financial services will have 3 months to explain how they can avoid damaging IT breakdowns and respond to the growing threat of cyberattacks.

Some thoughts from security experts that you might find useful:

Sean Newman, director at Corero Network Security:

“The latest, June 2018, Financial Stability Report from the Bank of England’s Financial Policy Committee (FPC), who’s key objective is to protect and enhance the resilience of the UK financial system, has a focus on establishing standards for resilience to cyber risks.

“The report reinforces that financial organisations have a “primary responsibility for their ability to resist and recover from cyber incidents”, with responsibility for conformance all the way up to board level, with the levels of cyber resilience expected being based on the judgement of independent experts, such as the National Cyber Security Centre.  And, although there is a suggestion that two days is an acceptable limit for disruption to a service, this is caveated by the fact that there is also a strong emphasis on cyberattack protection, to avoid the need to recover in the first place.

“As we have seen over recent quarters, the banking sector as a whole is vulnerable to cyber threats and, when it comes to service disruption, Distributed Denial of Service (DDoS) attacks are often the tool of choice for cyber criminals.  As with any organisation which relies on its online business, the ability to maintain service availability in the face of a DDoS onslaught should now be high on the list of priorities.  For those who are taking the lead on this, the latest generation of DDoS protection solutions are able to react in real-time, automatically, and avoid any periods of downtime, ensuring customers can still use their services, uninterrupted, at all times before, during, and after, an attack.”

Dan Pitman, senior solutions architect at Alert Logic:

“This is good news. The concepts of disaster recovery, cyber threats, business (revenue) continuity, etc are intrinsically linked through business risk, but too often considered separate by businesses. Banks and other financial services underpin our economy and enable the public and businesses to operate. They have a duty to ensure that disruption from any source, be it technological, process based or malicious, is planned for and demonstrable to customers, partners and governing organisations.”

Please let me know if you’d like to arrange a telephone interview or an email Q&A with Sean or Dan.