The Bank of England's director of supervisory risk specialists, Nick Strange, said the regulator will draw from the ongoing financial stress testing to pilot cyber stress testing following several serious cyber attacks and IT breakdowns in the past two years.
Strange highlighted the need for financial and operational resilience in light of TSB Banking Group PLC's IT fiasco, recent consumer data breaches at ticketing service Ticketmaster Systems Ltd. and electronics retailer Dixons Carphone PLC in 2018, and sophisticated attacks on banks in India and Mexico.
Companies could manage operational disruptions with strong and well-tested recovery systems to minimize the threat to critical business, Strange said. Cyber risk was one of several factors affecting financial resilience that the Bank's Financial Policy Committee (FPC) focused upon.
Strange said that expecting firms to be prepared for the most extreme forms of disruption to services was inefficient, but that their ability to withstand such scenarios can be tested to "a pre-defined tolerance level ... in severe but plausible scenarios."
Later in 2019, the central bank will work with some firms to test impact tolerance under hypothetical payments system failure. The FPC could consider a data integrity scenario in the future.
There could also be a need for the private or public sector to have its own collective solution in case the cyber stress testing shows that firms are unable to meet the FPC's planned tolerance for a payments system outage.
Strange also said a private sector initiative already set up in the U.S. called Sheltered Harbor helps protect public confidence in the financial system if a catastrophic event like a cyberattack hits critical systems and backups. The system, which has yet to be tested in a real cyber event, allows companies to place customer data in a centrally maintained vault and restore data using its designated partner for the purpose.