UK banks given a year to create “concrete” anti-cybercrime plans


Financial Policy Committee's meeting minutes reveal pressure on banks to tighten up their IT security strategies.

The UK banking sector has been ordered to draw up “concrete plans” to protect its members from the growing threat of cyber attacks.

According to the minutes of last month’s Financial Policy Committee (FPC) meeting, work to reduce the risk of a successful cyber attack being carried out against a banking firm has been going on for a while.

This is because the sector has a number of “potential vulnerabilities” linked to its reliance on a centralised market infrastructure and legacy IT systems, the document states.

“As the Committee had noted in June, it was important that boards of financial firms and infrastructure providers recognised their responsibility for responding to those threats, which required a combination of continuous vigilance and investment to strengthen operational resilience,” the document reads.

“The PRA [Prudential Regulation Authority], the Bank’s financial infrastructure supervisors and the FCA [Financial Conduct Authority] would reinforce that message as a priority.”

As a follow-on, the document recommends that steps be taken to ensure each institution “at the core of the financial system” has an action plan in place that will provide it with a high level of protection against cyber attacks.

This includes banks, as well as the firms responsible for providing infrastructure services that are central to their operation.

“The Committee encouraged [HM Treasury] and the regulators to ensure that the work to construct these action plans was completed by 2014 Q1, with a progress report to the Committee from the relevant regulatory boards in 2013 Q4,” the document continued.

“As part of that, the Bank would be reviewing its own resilience,” it concluded.

Peter Armstrong, director of the cyber security sector at infosecurity specialist Thales UK, said he was heartened to see the banking sector address this issue at board level.

“The consequences of cyber attacks are now so severe that cyber defence must become a board room discussion where companies explore what measures need to be put into place to ensure they are acting proactively – not reactively,” said Armstrong.

“In order to remain poised to react to this evolving threat landscape, banks must continually assess their defence capabilities and employ best practice cyber maturity models to centre around continuous policy evaluation and adaptation.”