The Bank of England’s Financial Policy Committee is setting standards for how quickly critical financial companies must be able to restore vital services following a cyber attack. It plans to test firms against these standards in cyber stress tests. In stress tests of financial resilience, the FPC is able to use past macroeconomic data to calibrate a severe but plausible macroeconomic shock. No such history exists for cyber events. So the FPC will rely on the independent judgment of experts, such as the National Cyber Security Centre, to assist calibration of the stress scenarios, drawing on up-to-date intelligence. Firms undertaking this stress testing will need to demonstrate their ability to meet the FPC’s impact tolerance. In instances where that cannot be shown, remedial action plans will be agreed with supervisors.
The impact tolerances being established by the FPC will be based on the time after which disruption to services could cause material economic impact. For example, disruption to one bank’s payments could have a direct impact on the real economy by impacting the ability of customers of that bank to pay for goods and services. But a severe disruption to one bank’s ability to make payments may also have an impact on other firms initially unaffected by the incident, which could impair interbank lending and, in turn, activities such as clearing, settlement or mortgage payments. Working with others, especially the National Cyber Security Centre, the Bank will test that firms would be able to meet the FPC’s standards for recovering services.
The services on which the FPC is focused are: providing the main mechanism for paying for goods, services and financial assets (hereafter, ‘payments’); intermediating between savers and borrowers, and channeling savings into investment, via debt and equity instruments; and insuring against and dispersing risk. Cyber risks are one example of operational incidents that could have a significant impact on firms’ ability to provide vital services. The FPC focuses on these risks, as cyber incidents are most likely to be part of a system-wide threat. In the Bank’s latest Systemic Risk Survey, published alongside the Financial Stability Report, 62% of respondents cited cyber risk as a key source of risk, up from 51% a year ago.