The Bank of England has published the high level findings of the financial sector cyber simulation exercise (SIMEX18) that took place on 9 November 2018. This exercise explored the sector’s resilience to a prolonged and broad cyber-attack targeting the financial sector. The exercise highlighted various areas (detailed below) that need improvement and where work has been initiated on developing further industry guidelines. Firms should aim to keep informed of these developments.
However, in the meantime, firms should review the findings of the exercise and consider how they can be applied to their own operational resilience frameworks, incident response plans and testing. Specifically:
- SIMEX18 shows that running these exercises helps to highlight many key areas in which industry and the regulators need to further develop their ability to respond. Firms should ensure they have rigorous end-to-end testing programmes for severe but plausible scenarios, which will then help them to continuously improve their ability to respond to incidents. Firms should consider running these exercises with key third-party suppliers, both of infrastructure and of services.
- Although the SIMEX18 exercise was a cyber incident, firms should also consider scenarios for their testing programme such as IT system outages from legacy systems, unforeseen outages during a major system change or migration, and incidents unrelated to IT systems that could nevertheless have a major impact on a firm’s ability to deliver services, such as a flu pandemic.
- SIMEX18 showed the importance of effective communications in maintaining customer and market confidence in the system. Firms’ exercises should not just involve IT and operational teams but need to include all areas of the firm, such as press offices, client service teams and regulatory liaison teams. Firms should also use UK Finance’s incident management communications framework.
The test was carried out by simulating a significant cyber-attack, of increasing intensity, which caused multi-day disruption to markets and firm operations. The objectives of the exercise were as follows:
- To test the effectiveness of the sector response framework in enabling a coordinated response to a cyber-attack.
- To test the effectiveness of the UK Finance communications process for developing a sector communications strategy.
Participants in this exercise included 29 of the most systemically important firms, Financial Market Infrastructures and financial authorities.
It also successfully rehearsed the Cross Market Business Continuity Group, an executive level group chaired by the Bank to enable financial authorities (Bank of England, PRA, FCA and HM Treasury) to interact with the sector during times of major operational disruption.
- Opportunities to improve the way firms coordinate at an operational level: the Finance Sector Cyber Collaboration Centre (FSCCC) will be integrated into a response framework to ensure the technical coordination capability which firms provide is incorporated into the broader response landscape.
- Disparity in risk tolerance for suspending services: regulators will now focus on the production of industry guidelines and good practices for managing potential controlled suspension of services and system integrity risks.
- Restoring data and recovering service: currently the ability of firms to support another operationally paralysed firm is constrained by the different ways each of them stores its data. Work will be completed to scope the technical and data requirements for providing services via alternative channels. This will be followed by a strategy paper and playbook to support coordination of this contingency during a live incident.
- Communication practices: the exercise demonstrated that the use of UK Finance’s incident management communications framework significantly improved collective public communications. Future work will focus on the production of industry guidelines on good incident communications practices and on the consistent definition and use of terminology, to improve the consistency and clarity of often complex technical messaging.
For more detail on the UK and other regulators’ approach to operational resilience, please see the KPMG discussion paper ‘Operational Resilience in Financial Services’.
Firms should also be aware that the Bank of England, PRA and FCA are planning to publish a consultation paper on Operational Resilience in mid to late October. This is a follow-on from the discussion paper that was jointly published in July 2018.