All the major UK banks are set to take part in a large business continuity cyber-threat exercise next month. Called Operation Waking Shark 2, it is being implemented by a consultancy under the aegis of the Financial Conduct Authority (FCA), Bank of England (BoE) and UK Treasury, with the intention of testing UK FI sector’s ability to survive a sustained online assault from cyber-criminals.
Operation Waking Shark 2 will be the largest cyber-security threat exercise undertaken in the UK in two years, following its predecessor undertaken by the now defunct Financial Services Authority (FSA).
Waking Shark 2 will start in mid-November amid growing international concern about the increasing threat from online criminals, hackers, activists and so forth. The recent hack attack against Abode, combined with the $6bn Liberty Reserve money laundering scam; the rise of Bitcoin and other non-traditional digital currencies; and attacks like the recent one against a Barclays Bank branch IT system, which was taken over by criminals, illustrate the problem. Stock exchanges and major volume carriers such as SWIFT are also increasingly being targeted.
Operation Waking Shark 2 will simulate a major cyber-attack on the UK payments and financial market systems, according to the Daily Telegraph newspaper. The BoE, FCA and UK treasury will all monitor the results to assess the ability of the UK’s core financial services providers to withstand cyber-security threats.
A recent report from the UK Treasury said the financial system in the country had a number of possible vulnerabilities due to its interconnected nature and reliance on centralised market infrastructures, such as the shared UK Faster Payment Service (FPS). Its complex legacy IT systems were also cited in the report.
The BoE’s Financial Policy Committee (FPC) responded to the report by giving UK banks and financial institutions (FIs) six months to outline their strategies to protect themselves more effectively against cyber-attacks. The Committee also warned the BoE to investigate the resilience of its own systems. FPC member, Andrew Haldane, also director of financial stability at the BoE, said over the summer that “cyber-attacks were the top risk for UK banks”, and warned Parliament’s Treasury Select Committee that UK banks must do more to protect themselves.
According to Dorian Wiskow, client managing director for FS at Fujitsu UK & Ireland: “It is vitally important that cyber security tops the priority list for IT departments within the UK’s financial service organisations, so the news that capabilities in the UK will be tested is welcome. Not only are banks operating with legacy systems that in some cases have been in existence for many years, it is also a sector where innovation across new banking channels, such as online and mobile, is creating complex multi-channel IT infrastructures.
“Chief information officers (CIOs) in the banking industry are facing an unenviable challenge to secure these multi-channel environments,” she continued, “while ensuring customer experience does not suffer. This is an incredibly difficult challenge to overcome. What is paramount here is that the industry does not overlook or get complacent about security or place it in the ‘too big to fix’ category. Research we carried out recently revealed that security does not feature in the top three CIO priorities, but I believe it should.”
By Neil Ainger