Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


Operation Waking Shark 2 to test UK financial sector’s cyber-security defences and response mechanisms

The Daily Telegraph has reported that a market-wide test of the UK financial sector’s cyber-security defences and response mechanisms will take place in mid-November.

Termed ‘Operation Waking Shark 2’, the test is being jointly managed by the Financial Conduct Authority, the Bank of England (BoE) and the Treasury.

The one-day test will simulate the impact of a major cyber-attack on payments and markets systems.

No official announcement or confirmation has been made concerning Operation Waking Shark 2, but this page will be updated when details of the scenario become available.

Comments received by Continuity Central about Operation Waking Shark 2:

John Yeo, EMEA director at Trustwave:

“It’s great to see financial organizations such as the Bank of England and the Treasury taking cyber-security so seriously, and in particular that they will be conducting a simulated cyber-attack on payments and markets systems. The Bank of England’s Financial Policy Committee (FPC) has also ordered regulators to come up with ‘action plans’ in the event of a cyber-attack by the first quarter of 2014. However, it is of concern that the FPC feels these need to be ordered in the first place, as one would have expected that all financial institutions should have robust and far-reaching incident response plans already in place.”

Ashley Stephenson, CEO of Corero Network Security:

“The coordinated cyber stress test against UK banks and financial institutions is a welcome step forward in the fight against cyber-crime. In the past year we have seen several publicly visible examples of ‘hacktivists’ bringing down banking websites, but these incidents are just the tip of the iceberg. The new cyber stress test initiative will help to identify areas of weakness within the participating banks’ IT security infrastructure, allowing them to be better prepared for real attacks.

“We highly commend the Bank of England’s Financial Policy Committee for being proactive and ordering regulators to come up with action plans in the event of a cyber-attack by the first quarter of 2014.

“An important success criterion for these tests when dealing with Denial of Service attacks is that organizations must demonstrate that they can deal with the attack whilst maintaining regular services. The FPC highlights this goal by indicating the Bank of England must ensure it is able to operate if its own systems are attacked. For the most part, recently disclosed attacks against banks have largely been the result of Distributed Denial of Service attacks launched by hacktivist groups, which are a publicly visible inconvenience to customers. However, a more significant disruption to critical financial services such as the stock market or the Bank of England from a cyber-attack could have a far wider impact on the industry and country as a whole.”

Barry Shteiman, Director of Cyber Security at Imperva:

“I commend the Bank of England, specifically the Financial Policy Committee (FPC), for this great idea.

“In the past few years, we’ve seen some focused and proactive security programs in the UK. Most notable are some of the contained DDoS mitigation campaigns that test banks’ readiness and business continuity planning exercises, where employees work remotely and the data centre moves to recovery mode to ensure that the business still functions under disaster conditions.

“Having a committee planning security controls, cyber-attack response steps, and a high-level protection plan is an important initiative. This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats. This is threat intelligence in its most simple and effective way.

“This also means that the government will potentially have a way to regulate and measure the cyber security state based on an educated study of best practices, which will lead to businesses’ financial information and estates being secured in a much more focused way.

“This is what the PCI DSS standard has done with credit card companies and clearing houses to lower the risk of a breach. It had an important effect in making sure that every business that wishes to keep credit card information or transact in high volumes is required to secure itself or be fined.

“But regulatory mandates are not the only reason to see the relevance of this initiative. It shows that the big chiefs have come to a conclusion that the threat is real, growing, and is a risk for the UK financial industry.”


• Date: 8th October 2013 • UK • Type: Article • Topic: ISM
