3 November 2019

Banking comms’ ‘significant role’ revealed in cyber attack ‘war game’

by Stephen Delahunty

The ability of financial firms to communicate with each other and their customers has been tested in a Bank of England (BoE) day-long war-gaming exercise, designed to test the resilience of the financial system in the event of a major cyber attack.

About 40 firms took part in the voluntary exercise, alongside the BoE, the Treasury, City regulator the Financial Conduct Authority, and UK Finance, the industry trade body.

It is the latest in a series of simulated attacks hosted by the BoE every couple of years in an attempt to identify any weaknesses in the response of banks and other financial institutions to a major cyber attack. The ability of firms and organisations to communicate with each other is also tested.

On Monday, the Treasury Committee warned that regulators must act to reduce the unacceptable number of IT failures in the financial services sector.

UK Finance chief executive Stephen Jones said: "Operational resilience is crucial in a modern financial system and the industry continues to invest billions to ensure systems, human and digital, are robust and secure. When incidents do occur, firms work around the clock to minimise disruption and get services back up and running as quickly as possible."


The trade body helped convene comms representatives across the sector, managed interactions between firms and regulatory representatives to ensure cross-industry understanding of events happening in real-time, and co-ordinated external messaging on behalf of the sector in the media.

Nicola Hussey, director of comms at UK Finance, said: "Alignment of sector communications is crucial during a major incident and SIMEX 2018 has played a significant role in helping us further define our industry-wide messaging and timings for major incidents."

James Puxty is the head of incident communications at Nationwide, one of the organisations that took part in the exercise.

He explained how the operation helps illustrate just how integrated the UK financial sector is.

"When you have so many stakeholders, it’s important to speak with your peers across the sector. Communicating that these exercises are happening is important too, as it provides transparency and reassurance for customers."

He added: "The main takeaway for me was the importance of getting information clearly and quickly communicated."

Puxty described how the biennial exercise had matured over the years and the simulated crisis is "as realistic as possible".

"When you have these insights it's in everyone's interest, and [to] our customers' benefit, to promote best practice in communications across the sector."

'When, not if'

In January last year the head of the National Cyber Security Centre, Ciaran Martin, warned that it was a matter of 'when, not if' the UK would suffer a major cyber attack, and that the UK had been lucky so far to avoid a 'category one' attack that would cripple infrastructure.

Following that, in April, seven of the UK's biggest banks, including Santander, Royal Bank of Scotland and Tesco Bank, were forced to reduce operations or shut down entire systems following a cyber-attack.

In February this year, Metro Bank became the first major bank to be named as a victim of a new type of cyber attack targeting the codes sent via text messages to customers to verify transactions.

Jo Preston, head of crisis communications at Teamspirit, explained that cyber attacks in the financial sector rose five-fold in 2018.

"Finally. A report that recognises the role of communications in cyber-attack planning. Every company should create a risk register and plan for those risks – from media training to crisis-response preparation, right through to full scenario planning," she said.

"Identifying and planning for potential crises will mean significantly quicker response times, and mitigate both stress and, most importantly, long-term reputational damage. Cyber-security attacks are only going to increase, so being prepared is not 'nice to have', it is now vital," added Preston.

Headland director Neil Hedges said: "Most leading banks and financial institutions seem to rely on a very small number of global technology providers. This creates huge bottlenecks in the system – so vulnerabilities and problems among those providers can affect millions of customers across dozens of banks. We have to find ways of managing that risk better."

He warned that any wargaming that doesn't involve the UK's leading mobile carriers and technology providers may fall short of what is required.

Mike Robb, a managing director and head of financial services at MHP, noted that a cyber attack is at the top end of any corporate’s risk register.

"The co-ordination between individual firms in a time of severe crisis, which this simulation undoubtedly was," he said. "Communications teams within financial-services organisations can be some of the most connected to competitors by the very nature of being outward-looking and their engagement with industry bodies, a position of significant value that should be deployed in times of stress."

Robb warned that incidents of this nature increase the chance of mixed messages and differing advice.

"Crises are intensified by fear and panic, and the Bank [of England] outlined the importance of effective communications in maintaining confidence. It will be interesting to see how the Bank drives a move towards greater consistency in both response practices and language," he added.
