Britain’s financial system is “under almost constant cyber attack” according to a top Bank of England official, with the regulator planning to introduce new standards for financial firms’ computer security.
Sam Woods, a deputy governor at the Bank, said the the Prudential Regulation Authority (PRA), which he heads, will publish new standards expected of firms.
The new standards could be published before the end of the first half of the year, although the timing has not been finalised.
Writing in the PRA’s business plan for the next year, Woods said that “setting out clearly the level of operational resilience we expect of firms and how we will make sure it is delivered is a top priority for the PRA”, alongside preparations for leaving the EU. The business plan also provided for the reallocation of resources from “lower risk supervisory activity” to the Brexit preparations.
The UK’s biggest banks, such as Royal Bank of Scotland, Lloyds, and Barclays, are already subject to heightened cyber resilience requirements, particularly with regard to financial risks; the Bank of England will run another cyber resilience test this year.
However, the watchdog believes more needs to be done. Woods added that “nowhere in the world is there an overarching prudential standard for operational resilience”.
The new standards for banks, insurers and investment firms will increase the PRA’s scrutiny of cyber risks associated with information technology systems, outsourcing, and data outages.
Woods also added that open banking regulations, new this year, “will pose further challenges to existing technologies”, with firms forced to open up their customer data to third parties as long as customers consent.
In September Woods said that regulators’ “emergency” response systems had been triggered six times in the previous 12 months alone, according to Reuters.
He said that the Bank will have three levels of “tolerance” of cyber risks, depending on whether a breach would threaten consumers, firm solvency, or financial stability.