The Bank of England (BoE) has published its long-awaited report on ‘Operation Waking Shark 2’, a large business continuity planning (BCP) and resiliency exercise that was carried out last November to test the UK wholesale banking sector’s ability to cope with a cyber-attack by a hostile nation. bobsguide’s Neil Ainger examines the implications of the report and its key operational continuity recommendations.
The preeminent recommendation of the BoE report published today in the wake of the ‘Operation Waking Shark 2’ exercise is that a single BCP coordinating body be formed for the financial services (FS) sector in future. This chimes in with a separate UK cyber-security summit hosted today by the UK business secretary, Vince Cable, with the BoE, the power and communications regulators and intelligence chiefs from GCHQ all in attendance in London, where the key call was also for more coordination and ‘10 steps to improve cyber-security’ were disseminated.
More than 200 representatives from the UK’s major banks, including the big US banks such as Citi and Bank of America Merrill Lynch which have their global operations in London, took part in the ‘Operation Waking Shark 2’ BCP exercise last November, alongside financial regulators such as the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA), the UK Treasury, BoE, and big FS infrastructure providers from exchanges, clearing and payment platforms. The report on the exercise has been long awaited.
Cyber-resiliency Test Scenario
The four-hour desktop cyber-resiliency stress test, which was set over a fictional three-day period – with the last ‘day’ coinciding with ‘Triple Witching’ when contracts for stock index futures, stock index options and stock options all expire on the same day – was meant to test how firms would cope with a major disruption to their computer systems. How the FS sector generally would activate continuity planning and communication systems to cope with the threat was also assessed.
The test scenario was based on a concerted cyber-attack against the UK financial sector by a hostile nation state with the aim of causing significant disruption/dislocation within the wholesale market, data and supporting infrastructures [in some ways it apes the famous Russian cyber-attack against Estonia in 2007 which crippled the country]. Although the impacts caused by these fictional UK cyber-attacks would have had an international perspective, as well as a UK dimension, the primary purpose of the exercise was to test UK national readiness.
The scenario examined how firms would manage their response to a series of fictional cyber-attacks, both on a technical level - in particular information-sharing among the firms via the UK Cyber-Security Information Sharing Partnership (CISP) tool - and from a business perspective. The following technical and business impacts were included in the test:
• Distributed Denial of Service (DDoS) attacks were simulated, causing FS firms’ global websites and certain other internet-facing systems to be unresponsive or intermittently unavailable.
• Advanced Persistent Threat (APT) intrusions and PC wipe attacks were simulated, penetrating FS firms’ networks for disruptive and destructive purposes.
• Issues with end-of-day market data pricing files for some equities markets, causing challenges with overnight risk and margin calculations.
• Issues with Central Counterparty (CCP) clearing processes for fixed income markets were tested, with resulting fictional events causing significant liquidity and funding issues.
• Issues associated with the processes used to instruct payments through agent banks and manage balances in accounts at agent banks.
Key Findings and BCP Recommendations
According to the organisers of ‘Operation Waking Shark 2’, the UK Securities Industry Business Continuity Management Group (SIBCMG) – which roped in the BoE, UK Treasury, Cross-Market Operational Resilience Group (CMORG) and the 200 participating FS firms – the test successfully demonstrated that cross-sector communications and coordination protocols were in place.
The organisers cited the Cross-Market Business Continuity Group (CMBCG) information-sharing capabilities and the CISP tool, which was only launched in March 2013 and is intended to provide a closed loop data sharing platform, as working successfully but went on to make a number of key recommendations for the future.
The recommendations are:
• Consideration should be given to the identification of a single coordination body from industry to manage communications across the FS sector during an incident. CMBCG is not considered sufficient in and of itself and a merger with the operational and technology-focused CMORG group may therefore result in the future, although this is pure speculation at the moment. What is definitely happening is the creation of a Sector Exercising Group (SEG) under CMORG, which will run more test scenarios, more regularly in the future. An exercise focused on retail bank operations is understood to be planned next.
• The new UK PRA and FCA regulatory bodies, which replaced the old FSA post-crash, should coordinate better to ensure dual-regulated firms are fully aware of each regulator’s incident reporting requirements and their update frequency requirements. The regulatory authorities will also provide further clarification to the FS sector on the respective roles of the Authorities, Government agencies and the sector itself in responding to major cyber-events. The report recommendations also reinforce that firms must report major incidents to their respective regulators as soon as possible.
• The Cyber-Security Information Sharing Partnership (CISP) reporting and data sharing platform will continue to be enhanced throughout 2014 via close collaboration between firms and government partners.
• FS organisations will formally be reminded of the need to report cyber-attacks, which constitute a criminal offence, to the appropriate authorities - for example, law enforcement - so that action can be taken.
“It is essential for financial stability that the UK financial system, and its infrastructure, continues to work towards improving its ability to withstand cyber-attacks,” said Deputy Bank of England governor, Andrew Bailey, who is also chief executive of the PRA, in the report’s conclusion. He stressed that there would be ongoing work to ensure this aim, and the new SEG is currently collating participants’ suggestions for future test scenarios.
Future industry-wide UK BCP exercises actively under consideration include:
• Shorter, more focused and regular FS sector exercises on specific issues for certain groups – for example, the inability to settle overnight is to be considered by FS firms’ operations departments, and a short CMBCG exercise for senior executives should consider the strategic implications.
• A review of how greater ‘challenge’ can be applied to firms’ technology systems in future is underway.
• SEG will determine how future sector-wide exercises could be delivered in the UK. For example, ‘pre-exercising’ elements of the test scenario within FS firms will allow participants to think about their individual response in advance of congregating, which could aid the usefulness of the results.