Important strides in cyber security are being made this year as financial authorities around the world are beginning to run increasingly sophisticated cyber attack simulations. The aim is to help them better understand how the financial sector might cope with a large and systemic disruption to its activities and what they can do to respond.
Accurately simulating how financial markets would react to a major cyber attack is enormously difficult. Regulators not only have to consider the complex interconnections between firms in the sector, but also how coordination with other public authorities such as central banks, finance ministries, the military and security agencies would practically function in such a scenario. On top of this, it is clear that cyber attacks are not confined to national borders or to the financial sector and can spread rapidly around the world both within and between affected firms. This gives the cyber resilience efforts of financial regulators an urgent international and cross-sectoral dimension that demands a high-level of cross-border and cross‑agency collaboration in countering the cyber threat.
Growing the public-private dimension of cross-border cyber exercises will also be an important way to ensure authorities and firms can act in concert when responding to a cyber disruption. As these exercises increasingly begin to include them, firms with cross-border business models will have an important opportunity to help shape the global regulatory environment they face for cyber risk into one that works more effectively in practice.
The G7’s 2019 cross-border cyber incident exercise
Given the well-established view of cyber risk as a global threat, it is encouraging that the G7 has announced it will conduct a cross-border cyber resilience exercise with its members in early June. The most notable thing about the G7 initiative is that the exercise will be unprecedented in terms of its scale. It will include 24 authorities representing the financial regulators, central banks and finance ministries from all G7 countries, as well as the European Central Bank (ECB) and European Commission. Four of the G7 countries participating will also include key financial sector firms and financial market infrastructures (FMIs) in the simulation.
The Banque de France (BdF), which is coordinating the exercise as part of France’s 2019 Presidency of the G7, has announced that the simulation will be run in real-time among all participants over a 14-hour period. While many features of the exercise remain confidential, the BdF has indicated that the test will be based on a realistic but challenging scenario that will simulate the infection of a service or process that is widely used by the global financial sector.
In conducting this exercise, the authorities involved are aiming to be able to assess their effectiveness in responding to a major cyber attack in four areas:
- How authorities communicate with each other in response to an attack (both internationally and domestically).
- How quickly they can gather data on the attack and accurately assess the situation.
- Whether or not they have the right tools to be able to coordinate their response to the attack.
- How authorities communicate with the private sector and the public about an attack in a coordinated way.
This will be an opportunity for G7 authorities to test and refine many of the cyber incident response procedures they have already developed, and particularly to see where different countries’ response practices might help or hinder the cross-border effort. The G7 Cyber Expert Group (co-chaired by the Bank of England (BoE) and the US Federal Reserve) has also developed an inter-authority communications protocol that will be evaluated as part of the simulation.
How this fits into other regulatory work
We have previously written about the imperative for financial services regulators to coordinate their work on cyber resilience and cyber attack preparedness at the international level. This is a challenge that is well understood by most regulators but difficult to achieve for a number of reasons, particularly because of the strong national security concerns associated with cyber defence and information sharing. The G7’s exercise, therefore, represents a big step forward that builds on the work already done in cross-border financial services cyber simulations such as the US-UK Resilient Shield exercise in 2015 and the ECB’s 2018 UNITAS exercise for EU FMIs and their regulators.
Another form of cyber testing also gaining ground in the financial sector this year is ‘red-team’ penetration testing, where ethical hackers attempt to infiltrate a firm’s live systems in order to test its defence and detection capabilities. The UK was an early leader here, with the development of the BoE’s CBEST testing programme for the UK’s largest financial firms. The ECB’s 2018 framework for Threat Intelligence-based Ethical Red-Teaming (TIBER-EU) has also given financial regulators across the EU a template for their own penetration testing programmes based on common standards and mutual recognition between jurisdictions. You can read more of our views on TIBER-EU and red-team testing in our recent blog on the subject.
At the domestic level, an interesting addition to the financial sector cyber testing landscape this year will be the UK Financial Policy Committee’s (FPC) pilot ‘cyber risk stress test’ simulating how large UK banks, FMIs and other firms would handle a hypothetical cyber attack that disrupted their ability to use payments systems. This test will measure whether firms are able to respond to the disruption, restore critical functions and settle payments within the ‘impact tolerance’ limit that the FPC will set (which is meant to be set at or near the point the FPC believes the disruption would have a material economic impact and potentially endanger financial stability). These tests will provide UK regulators with information to identify the most important interdependencies in the financial sector’s IT environment and also to evaluate whether certain response procedures or expectations may have unintended consequences that need to be addressed. The BoE has recently suggested that if these tests show that firms are ill equipped to deal with a cyber stress event individually, the firms may decide to explore public or private collective solutions to enhance sector resilience similar to the ‘Sheltered Harbor’ data restoration initiative in the United States.
Key considerations for broadening the scope of future cyber tests
Despite all the regulatory progress that we have seen on cyber testing in the last few years, this activity is barely out of the starting blocks in most jurisdictions. Regulators have been clear that their direction of travel is to run these tests more consistently and broaden the scope of entities that participate in them.
The G7 cyber incident exercise that will take place in June will primarily focus on testing the response of authorities themselves, even though private sector entities from some countries will be involved in the simulation. Building out the public-private dimension of future G7 simulations, by including a larger group of financial sector firms from all G7 countries, could provide authorities with deeper insights on how financial markets would handle widespread operational disruptions arising from a cyber attack. It would also be a simulation that would more accurately match the reality that authorities would face if a disruption similar to their hypothetical scenario ever actually happened.
Greater private sector involvement in cyber scenario-testing initiatives may put pressure on firms that are already grappling with the mounting costs of cyber security and IT resilience, and struggling to find enough qualified professionals in this area. While these concerns are very valid, becoming involved in cross-border cyber testing (through the G7, EU, etc.) could carry some near-term benefits for firms. Besides having the opportunity to demonstrate their strengths in cyber resilience to a large group of financial authorities, firms will also have the chance to show them what approaches and processes may not work in practice due to regulatory inconsistencies across jurisdictions. The Institute of International Finance noted earlier this year that increasing regulatory requirements on cyber security in the financial sector could have the effect of actually weakening firms’ cyber resilience ‘where regulatory approaches are conflicting or resource-draining.’ Where these conflicts arise (in the form of, say, legal impediments to cross-border information sharing or duplicative national practices for cyber testing or recovery) firms will have a golden opportunity to make the case for incremental changes to be made that could support greater alignment between jurisdictions’ rulebooks and enable firms themselves to become more cyber resilient.
Another question that authorities may face is to what extent their testing should take into account non-financial firms that provide critical services to the financial sector. Cyber attackers can target any kind of organisation, and can disrupt the operations of communications or energy providers that financial markets continuously rely on to carry out their most basic functions. One type of third party which has recently received a lot of attention from regulators is Cloud Service Providers (CSPs) to which many financial firms outsource data storage and other functions. In April, the European Supervisory Authorities expressed concern that concentration in the market for CSPs might create a systemic vulnerability and that, because of this, EU policymakers should consider how to bring CSPs into the financial regulatory fold (our blog with more on this here). For cross-border cyber incident testing, whether by the G7 or the EU, including non-financial third parties in simulations would be a significant evolution from current practice, but it may be a necessary next step for authorities to consider.
We are still, however, in the early stages in the development of a regulatory framework for testing the resilience of the financial sector to cyber attacks, and certainly so for doing it on a cross-border basis. This is why it is so encouraging to see the G7 push the envelope with their simulation this year, and why the lessons learned from this test will likely prove useful for strengthening the resilience of the sector as a whole.