
Bank of England Publishes Annual CBEST Thematic Report

Bank of England 2023 CBEST Thematic Report

Introduction

A vital stocking filler for resilience leaders and practitioners was somewhat lost in the festive preamble: on 18 December, the Bank of England published the results of its 2023 CBEST annual thematic.

CBEST is the Bank of England’s cyber resilience testing programme and has been running since 2014. It identifies cyber resilience risks through intelligence-led live testing of systemically important financial institutions, and uses those findings to foster best practice by co-ordinating common approaches to cyber resilience across the sector.

Cyber hygiene and Threat Intelligence

This year’s report begins by reminding firms that cyber resilience remains a high priority for the regulators:

“Cyber resilience is fundamental to a firm’s operational resilience. Disruptions from cyber attacks can impact financial stability, cause intolerable harm to consumers or other market participants, or disrupt market confidence. It is a key priority of the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority (collectively, ‛the regulators’) to promote the operational resilience of firms and financial market infrastructure to ensure they can continue to deliver their important business services during severe but plausible scenarios.”

The report highlights the importance of “foundational practices” to develop the “cyber hygiene” of firms and the sector. A cornerstone of these foundational practices is threat intelligence and associated testing. The paper points out that “a keen appreciation of the threat landscape can help an FMI better understand the vulnerabilities in its critical business functions and facilitate the adoption of appropriate risk mitigation strategies”.

It goes on to highlight that most firms have a strong foundation in threat intelligence, with good findings related to governance and resilience. However, those foundations can be further strengthened and more effectively operationalised through a more integrated approach which considers how:

  1. the wider business supports threat intelligence objectives and
  2. the efficacy of team and resource management in threat intelligence operating models.

The findings

The CBEST thematic categorises findings in six areas:

  1. Identity and Access Management
  2. Staff awareness and training
  3. Secure configuration
  4. Network security
  5. Incident response and security monitoring
  6. Data security

Operational Resilience practitioners will note how the categories reflect the CQUEST questionnaire, which should be informing operational resilience thinking and integration with cyber resilience.

The report articulates observed good practice and common gaps.

We’ll focus on the gaps below:

Identity and Access Management

  • Firms were lacking policies and standards to govern IAM and where policies and standards did exist, they weren’t generally strong enough nor enforced appropriately.
  • Privileged access and service accounts weren’t sufficiently hardened to reduce attack surface area.
  • Lacking multi-factor authentication for critical assets.

Staff Awareness and Training

  • Firms couldn’t scan for and understand why company secrets or individual credentials were held on internal repositories.
  • No review or measurement process for cyber hygiene, including passwords.
  • Sensitive firm and third-party data and technical information was too widely available in public fora, such as websites, job descriptions, and social media.
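The first gap above is a scanning capability that many firms lacked. The scanner below is an added example, not code from the CBEST report or from FourthLine: it runs a handful of illustrative detection rules over an in-memory “repository” of constructed file contents, skips values that merely reference an environment variable, and reports each hit with a redacted value so the finding can be triaged (who committed it, why it is there) without re-exposing the secret. The rule set, file paths and contents are all assumptions made for the example.

```python
"""Minimal secret scanner over an in-memory repository (illustrative example)."""
import re
from dataclasses import dataclass

# Constructed sample repository (path -> contents); nothing here is a real credential.
SAMPLE_REPO = {
    "deploy/config.env": (
        "DB_HOST=db.internal.example\n"
        "DB_PASSWORD=Tr0ub4dor&3\n"                  # hard-coded credential
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"   # Amazon's documented example key id
    ),
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        'PASSWORD="${BACKUP_PASSWORD}"\n'            # reference to an env var, not a stored secret
        "tar czf backup.tgz /data\n"
    ),
    "keys/server.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "constructed-key-material-not-a-real-key\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

# Illustrative rules (name, compiled regex). Where a rule has a capturing group it isolates
# the secret value; otherwise the whole match is reported. Not a complete ruleset.
RULES = [
    ("hard-coded-password",
     re.compile(r"(?i)(?:password|passwd|pwd|secret)\s*[=:]\s*['\"]?([^\s'\"]+)")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str


def redact(value: str) -> str:
    """Keep a short prefix so triage can correlate the hit without reprinting the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule to every line of one file and return the findings in order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            # A value such as "${BACKUP_PASSWORD}" is an indirection, not a secret at rest.
            if value.startswith("$"):
                continue
            findings.append(Finding(path, line_no, rule, redact(value)))
    return findings


def scan_repository(repo: dict[str, str]) -> list[Finding]:
    """Scan every file in the repository mapping (path -> contents)."""
    return [f for path, text in repo.items() for f in scan_text(path, text)]


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per file; a quick view of where clean-up effort should go."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.path] = counts.get(f.path, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_repository(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}  {f.rule:<20}  {f.redacted}")
    print(summarise(scan_repository(SAMPLE_REPO)))
```

In practice a firm would run an established scanner (gitleaks and trufflehog are common open-source choices) on every push and across historical commits, but the structure is the same: rules, a false-positive filter, redacted output, and a per-repository summary that can be measured over time, which also addresses the second gap on measurement.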

Secure Configuration

  • Security templates and certificates were generally not configured securely, and where they were, there was little testing.
  • Linked to a lack of scanning capability, firms were found to be “susceptible” to attacks which “exploit passwords cached or stored in security services”.
  • Principle of least privilege generally not achieved.

Network Security

  • A lack of segregation across firm and group networks: “insufficiently segregated corporate networks”, little consideration of segregating Important Business Services, and vulnerabilities “arising from exposure to group-owned or controlled networks”.

Incident Response and Security Monitoring

  • Incidents were not sufficiently logged and retained, and ticketing and escalation systems were either not secure enough or too widely accessible.
  • Firms were lacking the necessary specialist skills to respond appropriately to complex incidents.

Data Security

  • Firms were lacking a consistent playbook for the level of data protection required with “inadequate” protection for data at rest and in transit.


Although the findings are derived from the largest and most complex firms, the CBEST lessons should be used by firms of all scope and scale to catalyse required improvement programmes.

The thematic will be useful for “SMF24, CISO, CIO, COO, CRO and Cyber specialists” to:

  • Consider the lessons to question their firm’s approach to cyber resilience.
  • Maintain awareness of cyber risks at the highest levels of the firm.
  • Inform and guide second and third line functions in oversight activities.

FourthLine are supporting firms with Operational Resilience, Cyber Resilience, DORA, Response and Recovery programmes across the financial services sector. To understand how we could support your resilience initiatives in 2024, please get in touch or book a meeting.

January 8, 2024
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.