On March 29, 2023, the Prudential Regulation Authority (PRA) published an open letter, primarily addressed to supervised firms and market infrastructures, to present the "findings" from the Bank of England's 2022 cyber stress test (CST22). The stress test was voluntary, was performed as a desktop exercise and sought to explore
– the ability of firms to quickly identify the nature of any operational disruptions and
– any potential effects on financial stability resulting from "firms not meeting the impact tolerance in the case where data integrity had been compromised".
The basic scenario – which the PRA allowed to be adjusted to participants' individual business models and needs – simulated a situation in which a cybercriminal, with the help of an insider, redirected retail payments by modifying "payee data concurrently at two distinct firms". Although the fraud was subsequently detected, it did cause business disruption.
The key "findings" of the stress test are briefly noted below; for more detailed, comprehensive information, please refer to the enclosed document:
– Following any such incident, firms need to take decisive measures to coordinate their actions with other market participants to prevent further harm.
– Firms must react quickly to such attacks, which requires that they have adequate communication protocols in place to communicate with other firms, supervisory bodies, outsourcing parties, and others. They should therefore consider developing pre-scripted messages that can be used in such a case.
– Firms need to consider alternative payment channels that can be used in case of an incident. Pre-evaluating such alternatives before an incident occurs is strongly recommended.
– Firms need to consider mitigants that may become necessary as a result of such an incident to accommodate the needs of clients, e.g. the provision of "immediate" cash or the extension of a credit line.
– Firms should establish reconciliation processes with financial market infrastructures that can be used to determine "true" and "clean" data following an incident.
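As an added illustration of the reconciliation step in the last item (this is example code written for this page, not code from the PRA letter or from the Bank of England exercise), the following Python compares the payee records held at two firms with a trusted pre-incident reference copy and reports which payees diverge, at which firms, and in which fields. The firm names, field names and all records are constructed, and the existence of such a reference copy (for instance held by a financial market infrastructure or taken from an offline backup) is an assumption.

```python
import hashlib
import json

# Constructed reference snapshot: assumed to be a pre-incident copy of the
# payee master data held by an FMI or an offline backup, keyed by payee id.
REFERENCE = {
    "P1001": {"name": "Alpha Supplies Ltd", "sort_code": "20-00-00", "account": "11111111"},
    "P1002": {"name": "Beta Energy plc", "sort_code": "40-00-00", "account": "22222222"},
    "P1003": {"name": "Gamma Rentals", "sort_code": "60-00-00", "account": "33333333"},
    "P1004": {"name": "Delta Logistics", "sort_code": "80-00-00", "account": "44444444"},
}

# Constructed current ledgers at two firms. P1002 has been redirected at both
# firms (the concurrent-modification scenario of the stress test), P1003 only
# at Firm A, P1004 is missing from Firm B, and P1005 exists only at Firm B.
FIRM_A = {
    "P1001": {"name": "Alpha Supplies Ltd", "sort_code": "20-00-00", "account": "11111111"},
    "P1002": {"name": "Beta Energy plc", "sort_code": "40-00-00", "account": "99999999"},
    "P1003": {"name": "Gamma Rentals", "sort_code": "60-00-00", "account": "88888888"},
    "P1004": {"name": "Delta Logistics", "sort_code": "80-00-00", "account": "44444444"},
}
FIRM_B = {
    "P1001": {"name": "Alpha Supplies Ltd", "sort_code": "20-00-00", "account": "11111111"},
    "P1002": {"name": "Beta Energy plc", "sort_code": "40-00-00", "account": "99999999"},
    "P1003": {"name": "Gamma Rentals", "sort_code": "60-00-00", "account": "33333333"},
    "P1005": {"name": "Epsilon Media", "sort_code": "10-00-00", "account": "55555555"},
}


def fingerprint(record: dict) -> str:
    """Hash a payee record in canonical JSON form so two copies can be
    compared regardless of field order."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def changed_fields(reference: dict, current: dict) -> list[str]:
    """List the payee fields whose value differs from the reference copy."""
    keys = sorted(set(reference) | set(current))
    return [k for k in keys if reference.get(k) != current.get(k)]


def reconcile(reference: dict, ledgers: dict[str, dict]) -> dict[str, dict]:
    """Compare each firm's ledger with the reference snapshot.

    Returns, per payee id in the reference, a dict with:
      status  -> "clean" if every firm matches the reference, else "divergent"
      firms   -> {firm: changed fields} for firms whose copy differs
      missing -> firms that hold no record for this payee
    """
    report = {}
    for payee_id, ref_record in reference.items():
        diverging, missing = {}, []
        for firm, ledger in ledgers.items():
            if payee_id not in ledger:
                missing.append(firm)
            elif fingerprint(ledger[payee_id]) != fingerprint(ref_record):
                diverging[firm] = changed_fields(ref_record, ledger[payee_id])
        status = "divergent" if diverging or missing else "clean"
        report[payee_id] = {"status": status, "firms": diverging, "missing": missing}
    return report


def unknown_payees(reference: dict, ledgers: dict[str, dict]) -> dict[str, list[str]]:
    """Payee ids present at a firm but absent from the reference; these need
    separate investigation because no 'true' copy exists to compare against."""
    extras = {firm: sorted(set(ledger) - set(reference)) for firm, ledger in ledgers.items()}
    return {firm: ids for firm, ids in extras.items() if ids}


def concurrent_modifications(report: dict[str, dict], min_firms: int = 2) -> list[str]:
    """Payee ids whose record diverges at min_firms or more firms at once,
    the pattern the stress-test scenario describes."""
    return sorted(pid for pid, entry in report.items() if len(entry["firms"]) >= min_firms)


if __name__ == "__main__":
    ledgers = {"FirmA": FIRM_A, "FirmB": FIRM_B}
    result = reconcile(REFERENCE, ledgers)
    for payee_id, entry in result.items():
        print(payee_id, entry)
    print("unknown:", unknown_payees(REFERENCE, ledgers))
    print("modified at several firms:", concurrent_modifications(result))
```

The three-way comparison matters because comparing the two firms only with each other would report P1002 as consistent: both copies were altered to the same redirected account. Only the pre-incident reference reveals which copy is the "true" one to restore from.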
———–
To conclude, the PRA states that it will closely monitor firms' practices as regards the implementation of cyber-security measures and the adoption of adequate policies to ensure prompt responses following any incidents.