Assessing Cyber Risks: Lessons from Abroad
How UK Banking Regulators Are Setting the Bar for Security
The Bank of England's move to provide specific guidelines for banks to follow when evaluating cyber-risks should be mirrored by banking regulators in the U.S., financial fraud and security experts say (see Bank of England Unveils Cyber Framework).
Avivah Litan, a Gartner analyst who's an expert in financial regulatory compliance issues, contends that the U.K. cyber framework demonstrates how much more forward-thinking U.K. regulators are on cybersecurity than their U.S. counterparts.
"I have not seen the U.S. regulators engage in such a relevant security testing program," Litan says. "The U.K. pilot program is differentiated by its use of real threat intelligence, and is a much stronger test of a given bank's resiliency and ability to respond than a theoretical simulation is. The U.K. regulators also demonstrate thought-leadership by providing access to expert threat-intelligence analysts. It just seems like a much more proactive and helpful approach than I have seen in other countries, including the U.S."
Setting the Cyber Bar
As U.S. banking institutions prepare for the upcoming cybersecurity risk assessments by the Federal Financial Institutions Examination Council, they should look to the guidelines noted by the Bank of England, says Doug Johnson, vice president of risk management policy for the American Bankers Association.
"The expectations are largely the same," Johnson says. "Participate in information sharing arrangements and voluntary exercises. Take a risk-based approach. Expect greater regulatory scrutiny. Be aware of third-party risk."
Independent financial fraud consultant Ben Knieff notes: "Cybercrime does not know national boundaries. The same technical vulnerabilities exist and the same types of attacks work anywhere in the world. It is only that some countries present more lucrative targets than others."
Knieff says the U.S. lags the U.K. on cybersecurity practices. "It is valuable to look at what the U.K. and E.U. are doing," he says. "In many instances, these regions are ahead of the U.S. in consumer privacy and security."
But one security executive with a leading U.K. institution says that because technology and attacks are changing so rapidly, many British banks were taken aback by the Bank of England's June 10 announcement of the framework. The executive, who asked not to be named, says many U.K. bankers felt plans for the framework were issued without enough vetting.
"They would normally signal that they were making a change like this - usually informally, via either one-to-one meetings, progress meetings or in some of the industry security-related sharing forums," the executive says. "That didn't happen in this case."
The Bank of England, the U.K.'s central bank, developed the CBEST framework in cooperation with the Council for Registered Ethical Security Testers, a not-for-profit organization that regulates the penetration-testing industry, and Digital Shadows, a cyber-intelligence company. It's designed to assist British financial institutions in developing strategies for addressing cyber-vulnerabilities.
Use of the new U.K. framework is voluntary, says Sarah Bailey, spokeswoman for Bank of England.
Through the CBEST framework, banks may gain access to cyber-intelligence from the government and accredited commercial providers. The framework also replicates the techniques used by potential attackers to assist institutions with their internal penetration testing. And it includes a penetration-testing guide to help institutions determine which third parties they might consider hiring for ongoing network testing.
Lessons for U.S. Institutions
For U.S. banking institutions, especially community institutions, some of the guidelines provided by the Bank of England could prove beneficial, says Aite consultant Shirley Inscoe, a fraud expert.
"It can't hurt for FIs [financial institutions] here in our country to look at these [U.K.] requirements and get ideas for what regulators might look for in an examination," she says. "Being proactive and starting to develop an internal strategy to demonstrate compliance will be helpful as FIs await more information from their own regulators."
While U.S. community banks and credit unions do not appear to have been heavily targeted by cyber-attackers in recent years, U.S. banking regulators have warned they expect that to change, Knieff says.
"As large institutions have invested and hardened their systems and controls, smaller institutions will become more attractive 'soft targets' for criminals," he says.
Though regulators have not issued any formal guidance related to how U.S. banking institutions should address and prepare for emerging cyber-risks, Knieff says domestic banks and credit unions have a number of resources at their fingertips.
"I believe the U.S. NIST [National Institute of Standards and Technology] standards, the new U.K. standards, and a number of pieces of E.U. [European Union] guidance have many similarities," he explains (see BITS: How to Prepare for Cyberthreats).
"The essence is regular evaluation, control and testing," Knieff adds. "The technology environment is changing so rapidly, governments cannot attempt to prescribe the controls, but must allow institutions to perform under a reasonable standard of security and control."