In November 2019, concerns were raised with the Bank that an audio feed of certain of its Press Conferences was being made available to subscribers of Statisma News, an affiliate of the company - Encoded Media - which the Bank employed to video stream the Press Conferences to YouTube. After preliminary investigation, the issue was raised to Deputy Governor level, and the Chief Operating Officer led the response through the Bank’s Critical Incident Management Framework (CIMF). The CIMF stopped Encoded Media’s access to all Bank systems and put in place alternative methods for the broadcast to YouTube of the upcoming December 2019 FSR Press Conference. The Bank also referred the issue to the FCA. In December 2019, the Court of Directors of the Bank (“Court”) commissioned a review by the Bank’s Internal Auditor (“IA”) and Independent Evaluation Office (“IEO”) into: (i) the incident; and (ii) the Bank’s relevant internal processes (the “Review”). This Report sets out the findings of that Review and the associated recommendations.
Context
The Bank holds Press Conferences to support the release of its key publications, the Monetary Policy Report and the Financial Stability Report. These are held 30 minutes after those publications, and associated policy announcements, are released. Although the Press Conferences in themselves do not reveal the key policy decisions, they are closely monitored by market participants for signals about future policy direction. For example, answers to questions may provide further explanation of the text in the policy documents, leading markets to put more or less weight on the possibility of a future policy move.
The vast majority of those with an interest in these Press Conferences will access them via an external broadcast. The Bank provides two sources of external broadcast. The Bank has a contract with Bloomberg to film the Press Conference and provide audio and video to all of its subscribers and video to other TV companies via the BT Tower. Separately, a streamed version is provided on the Bank’s YouTube channel (also accessed via the Bank’s webpage), with the recording available after transmission.
There is a non-negligible delay in any of the video broadcasts reaching screens and any audio-only stream – especially a low latency feed - would tend to be faster. That is why the presence of an audio stream from the Bank’s Press Conferences, that was not provided by, or known to, the Bank, was a matter of such concern.
Findings and recommendations
From 2016, the Bank used Encoded Media to support its external live video streaming facility, having previously employed this supplier for around eight years to provide separate internal streaming services. This was supported by the Bank’s standard Terms and Conditions, rather than a bespoke contract, in accordance with its supplier management policy at that time. We recognise that there have been significant improvements in the Bank’s approach to supplier management since 2016, but, at the time of our review, the updated framework did not fully assess the risks of contracts such as this, where the value fell below cost thresholds but provided the supplier with access to sensitive information.
The provision of the streaming services was supported by an employee of Encoded Media, who was a contractor in the Bank, with access to the premises and systems, from 2008. In 2017, we believe that the contractor installed equipment in the Bank that supported an audio feed and subsequently asked Bank staff to ensure this was active during Press Conferences.
We have found that ownership of the Press Conference process, and associated technical equipment and support was shared between three areas of the Bank - Technology, Communications and Security Directorates – and there was insufficient clarity over their individual roles and responsibilities.
Our Review has indicated that there were occasions where, with the benefit of hindsight, this misuse by a third party supplier of the Bank’s audio feed could have been identified sooner by the Bank. In late 2018, an external party made a specific allegation to the Bank with regards to Encoded Media’s use of its feed. This was not fully investigated because it was not considered possible in the Bank’s Press Conference environment. This was based on the Bank’s understanding of the facts, but it was incorrect. In addition, the European Central Bank announced in September 2019 that they were introducing their own low latency feed of their key Press Conferences, a move which was reported as having been triggered by concerns about fast access by some companies. And some companies advertised on social media the availability of ‘fast access’ to Bank of England Press Conferences. Up to now, the Bank has not routinely monitored social media or the broader web for evidence of companies that advertise inappropriate access to the Bank’s publications and Press Conferences.
The recommendations from this Review are set out below.
1 Technology, Communications and Security should review the way technology is used to support Press Conferences and media interactions.
1.1 There should be clearer, single ownership of responsibilities at a more senior level in relation to the Press Conferences and media interactions.
1.2 The Bank should perform an updated overall risk assessment of services being provided, supported and managed jointly between Communications and Technology.
1.3 Overall technology hardware and operational activities supporting the Communications lock-in process and Press Conferences require an updated IT security review.
1.4 A detailed inventory of existing third party IT equipment on site should be maintained and reviewed by IT Security. A high-level inventory has already been created, and plans for a more detailed inventory are already underway.
1.5 Any future IT equipment brought into the Bank by third parties should be reviewed by IT security and added to the inventory before it is put into use. This equipment should only be located in areas with appropriate access controls.
1.6 The Bank’s practices should be benchmarked against good practice amongst other peer Central Banks on a periodic basis.
2 The Bank should identify and risk assess outputs across the Bank that could potentially be market sensitive and where there are latency implications.
2.1 Specifically in relation to the Press Conferences, management is already taking action to implement a publically available low latency audio feed.
2.2 More broadly, an ongoing programme needs to be developed to confirm the various outputs across the Bank that could potentially be market sensitive and where latency issues need to be considered. Appropriate controls over the distribution of this information should then be established.
3 The Bank should continue to strengthen and align its various vendor risk assessments, particularly with respect to niche suppliers, and ensure there is appropriate oversight of associated contractors.
A new supplier management framework was established in 2018 and a supplier segmentation process was completed for the first time in 2019. This assessed all Bank suppliers on annual spend and the impact upon the Bank’s mission, with each supplier placed into one of four categories: gold, silver, bronze and other. This categorisation determined the nature of the engagement with, and oversight of, the supplier.
3.1 While there has been good progress in this space in recent years, given the unique risks the Bank faces, additional scrutiny should be applied to suppliers who meet the following criteria:
- Small, niche suppliers who have a longstanding relationship with the Bank;
- Suppliers who have access to sensitive information; and
- Suppliers who have had a change in the services they provide to the Bank, or in their ownership or control structures.
3.2 In addition, contractors’ roles and responsibilities should be clearly defined and they should be subject to an appropriately senior level of management oversight. This could include, for example, management performing an annual walkthrough with a contractor to understand the role they perform and the use of any IT equipment (be it the Bank or the contractor’s) in this role.
4 The Bank should emphasise in its training for Senior Management the need for effective and early identification and management of risks (such as reputational risks and/or information security threats) including where information is shared with the Bank by external parties.
5 The Bank should adopt consistent processes to identify and respond to firms that advertise inappropriate access to Bank information.
5.1 A consistent triage process for proactively identifying firms that advertise inappropriate access to Bank information and/or affiliation with the Bank should be developed amongst key stakeholders in the Bank, including Legal, Communications, Security and Technology.
5.2 Where firms are identified through this process, there should be due consideration of the appropriate action to take to protect the Bank’s name.
5.3 The Bank should consider how to monitor reputational risks arising from social media – this should include performing searches for key terms. The Bank should then consider what action should be taken where deemed necessary.
5.4 The Bank should consult with external experts on possible approaches to identifying, and responding to, these risks.