
Bank of England launches CBEST framework to test and improve financial sector cyber resilience

In a speech at the British Bankers’ Association, Andrew Gracie, Executive Director, Resolution, at the Bank of England, formally launched a new framework to help identify areas where the financial sector could be vulnerable to sophisticated cyber attack. This is part of the Bank of England’s response to the Financial Policy Committee’s recommendation to test and improve resilience to cyber attacks.

The new framework called CBEST uses intelligence from Government and accredited commercial providers to identify potential attackers to a particular financial institution. It then replicates the techniques these potential attackers use in order to test the extent to which they may be successful in penetrating the defences of the institution. On completion of the test there will be workshops for the firm to work through the results with the testers and supervisors.

CBEST provides the following:

  • Access to considered and consistent cyber threat intelligence, ethically and legally sourced from organizations that have been assessed against rigorous standards;
  • Access to knowledgeable, skilled and competent cyber threat intelligence analysts who have a detailed understanding of the financial services sector;
  • Realistic penetration tests that replicate sophisticated, current attacks based on current and targeted cyber threat intelligence;
  • Standard key performance indicators that can be used to assess the maturity of the organization’s ability to detect and respond to cyber attacks; and
  • Access to benchmark information that can be used to assess other parts of the financial services industry.

The combination of these will allow a firm to understand where it is vulnerable, and it will then be better prepared to implement remediation plans. The inclusion of specific cyber threat intelligence will ensure that the tests replicate, as closely as possible, the evolving threat landscape and therefore remain relevant.

CBEST differs from other security testing currently undertaken by the financial services sector because it uses real threat intelligence and focuses on the more sophisticated and persistent attacks on critical systems and essential services.

The implementation of CBEST will help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber attack that could undermine financial stability in the UK, the extent to which the UK financial sector is vulnerable to those attacks and how effective the detection and recovery processes are.

In his speech, Andrew Gracie said: “The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment. The results should provide a direct readout on a firm’s capability to withstand cyber attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability.”

The Bank of England has worked with the Council for Registered Ethical Security Testers (CREST), a not-for-profit organization that represents the technical information security industry, and Digital Shadows, a cyber-intelligence company, to develop new accreditation standards.

“Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets,” said Ian Glover, president of CREST. “CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to important financial institutions.”

“For the first time CREST requires commercial intelligence providers to be accredited. This ensures financial services and infrastructure providers have access to detailed, considered and consistent cyber threat intelligence that has been ethically and legally sourced,” explains Glover. “Through the CBEST framework, security testers and threat intelligence providers will work together to replicate real attacks from sophisticated adversaries. Both the companies providing CBEST services and those qualified to conduct the tests are bound by strict and enforceable codes of conduct administered by CREST.”

• Date: 11th June 2014 • UK • Type: Article • Topic: ISM
