How UK Banking Regulators Are Setting Bar for Security
The U.K.’s new cybersecurity risk framework, unveiled June 10, could offer valuable risk assessment lessons for U.S. banks and credit unions.
Avivah Litan, a Gartner analyst who’s an expert in financial regulatory compliance issues, contends that the U.K. cyber framework demonstrates how much more forward-thinking U.K. regulators are on cybersecurity than their U.S. counterparts.
“I have not seen the U.S. regulators engage in such a relevant security testing program,” Litan says. “The U.K. pilot program is differentiated by its use of real threat intelligence, and is a much stronger test of a given bank’s resiliency and ability to respond than a theoretical simulation is. The U.K. regulators also demonstrate thought-leadership by providing access to expert threat-intelligence analysts. It just seems like a much more proactive and helpful approach than I have seen in other countries, including the U.S.”
Setting the Cyber Bar
As U.S. banking institutions prepare for the upcoming cybersecurity risk assessments by the Federal Financial Institutions Examination Council, they should look to the guidelines noted by the Bank of England, says Doug Johnson, vice president of risk management policy for the American Bankers Association.
“The expectations are largely the same,” Johnson says. “Participate in information sharing arrangements and voluntary exercises. Take a risk-based approach. Expect greater regulatory scrutiny. Be aware of third-party risk.”
Independent financial fraud consultant Ben Knieff notes: “Cybercrime does not know national boundaries. The same technical vulnerabilities exist and the same types of attacks work anywhere in the world. It is only that some countries present more lucrative targets than others.”
Knieff says the U.S. lags the U.K. on cybersecurity practices. “It is valuable to look at what the U.K. and E.U. are doing,” he says. “In many instances, these regions are ahead of the U.S. in consumer privacy and security.”
But one security executive with a leading U.K. institution says that because technology and attacks are changing so rapidly, many British banks were taken aback by the Bank of England’s June 10 announcement of the framework. The executive, who asked not to be named, says many U.K. bankers felt plans for the framework were issued without enough vetting.
“They would normally signal that they were making a change like this – usually informally, via either one-to-one meetings, progress meetings or in some of the industry security-related sharing forums,” the executive says. “That didn’t happen in this case.”
The Bank of England, the U.K.’s central bank, developed the CBEST framework in cooperation with the Council for Registered Ethical Security Testers, a not-for-profit organization that regulates the penetration-testing industry, and Digital Shadows, a cyber-intelligence company. It’s designed to assist British financial institutions with strategies for addressing cyber-vulnerabilities.
Use of the new U.K. framework is voluntary, says Sarah Bailey, spokeswoman for the Bank of England.