Bank of England Launches Cyber FrameworkAims to Identify Vulnerabilities in U.K. Banking System
The CBEST framework, announced on June 10, assists financial institutions in testing for cybervulnerabilities. It was developed in cooperation with the Council for Registered Ethical Security Testers, a not-for-profit organization that regulates the penetration testing industry, and Digital Shadows, a cyber-intelligence company.
Use of the new framework, which will be available for all financial institutions, is voluntary, says Sarah Bailey, a spokesperson for the Bank of England, the U.K.'s central bank, which maintains monetary and financial stability.
Financial institutions using the CBEST framework will gain access to intelligence from the government and accredited commercial providers to identify potential cyber-attackers, the Bank of England says. The framework replicates the techniques the potential attackers use in order to test the extent to which they may be successful in penetrating institutions' defenses.
Financial institutions can now sign up to participate in tests of the framework, Bailey says. Workshops will be held after the tests to identify areas for improvement, she adds.
"The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment," says Andrew Gracie, executive director at the Bank of England. "The results should provide a direct readout on a firm's capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability."
Components of CBEST
The CBEST initiative will offer financial institutions:
- Access to cyberthreat intelligence;
- Access to knowledgeable, skilled and competent cyberthreat intelligence analysts;
- Realistic penetration tests that replicate sophisticated, current attacks;
- Standard key performance indicators that can be used to assess the maturity of the institution's ability to detect and respond to cyber-attacks;
- Access to benchmark information that can be used to assess other parts of the financial industry.
"The implementation of CBEST will help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber-attacks that could undermine financial stability in the U.K., the extent to which the U.K. financial sector is vulnerable to those attacks and how effective the detection and recovery processes are," the Bank of England says.
The Council for Registered Ethical Security Testers' role in the framework is to ensure penetration testers conducting CBEST exams conform to the frameworks' new standards.
"For the first time, CREST requires commercial intelligence providers to be accredited," says Ian Glover, the council's president. "This ensures financial services and infrastructure providers have access to detailed, considered and consistent cyberthreat intelligence that has been ethically and legally sourced."
Through the CBEST framework, security testers and threat intelligence providers will work together to replicate real attacks from sophisticated adversaries, Glover explains. "Both the companies providing CBEST services and those qualified to conduct the tests are bound by strict and enforceable codes of conduct administered by [the council]."
CREST is only responsible for the accreditation and will not conduct the assessments for financial institutions, says the Bank of England's Bailey.