Bank of England-backed cyber security war game opens to more companies



A Bank of England-backed initiative to test the UK financial sector’s cyber defences is opening up to financial services companies of all types and sizes on Monday in the broadest exercise of its type.

Immersive Labs, the cyber security group that is running the test, said 150 companies were initially targeted but the platform would now be available to everything from large banks, asset managers and insurers to small groups with a handful of employees.

Operating remotely from wherever they choose to complete the exercise, senior management teams will confront an evolving calamity that begins with a notification that their systems have been compromised, and spirals into them not being able to access data, communicate with their employees or run their businesses.

The project is overseen by the Cross Market Operational Resilience Group, which is co-chaired by the BoE and industry group UK Finance. It mimics some aspects of war games previously run by the BoE and carried out by banks, exercises that are typically restricted to a smaller number of companies and run over a set time. The Immersive Labs version is the first that can be done by companies whenever they choose.

“This is about bringing [war games] exercises to people who might not have been touched by banking sector exercises before . . . The overall sector will be better defended if the whole sector is involved,” the BoE said. It added its role was to encourage participation in the exercise, which was being run by the private sector.

Financial services companies have faced increasingly sophisticated and frequent cyber attacks in recent years, including a 2018 attack that forced seven of the UK’s biggest banks to reduce operations on their systems or shut them down. The Bank of England has separately given financial services companies until March 2022 to deliver detailed plans on how they would handle a cyber attack.

Mohit Sarvaiya, Emea chief information officer for BNY Mellon and one of the operation’s industry sponsors, said companies needed to have a “well-practised response” from all their stakeholders since “increasing sophistication and severity of cyber attacks can debilitate a whole organisation”.

The exercise has already been completed by 15 of the biggest banks operating in the UK. Participants will be able to benchmark themselves against how other organisations handled the various dilemmas.

“Cyber crises are full of ‘wicked problems’ where there is no clear, correct answer,” said James Hadley, chief executive of Immersive Labs. One dilemma, he said, was whether companies should “keep resources focused on prioritising their own recovery, for example monitoring and containing operational impacts, or to divert resources to engage with other organisations and make them aware of the details of the attack”.

“Ultimately, engaging with these stakeholders may stop the attack spreading into the wider sector and into unknown technologies and infrastructure, but it will dilute your own recovery.”

The BoE will not be given any access to the results at individual company level, so they cannot form any part of the BoE’s assessment of how risky groups are.

