ICT & Cyber resilience
Operational disruption to important business services could impact financial stability, threaten the safety and soundness of individual firms and FMIs, and cause harm to consumers and other market participants in the financial system. In this context, firms and FMIs should assess their cyber risk and build adequate resilience capabilities to prepare for, and respond to, cyber events and incidents that could cause operational disruption. To maintain the cyber resilience of the financial sector and to support our supervisory oversight, we have developed cyber assessment tools. They include CBEST, STAR-FS and CQUEST.
CBEST
CBEST provides a framework for regulators to work with firms using a simulated cyberattack. This allows firms to explore how an attack on the people, processes and technology behind their cyber security controls could be disrupted. We base the simulated attacks on present cyber threats, including the approach a threat actor may take to attack a firm and how they might exploit its online information.
The aim of CBEST is to:
- test a firm's defences
- assess its threat intelligence capability
- assess its ability to detect and respond to a range of external attackers as well as people on the inside
Firms use the assessment to plan how they can strengthen their resilience.
An accredited service provider carries out the simulation. It acts within legal, ethical and moral constraints. It aims to get through a firm's defences by following the cyber kill chain. It also assesses whether the confidentiality, integrity or availability of the systems and processes that deliver a firm's important business services can be compromised.
CBEST Thematic review
The annual CBEST thematic is intended to inform the sector on the findings and lessons learned from our CBEST programme, which assesses the cyber resilience of key financial institutions through security testing performed in ‘live’ corporate environments.
STAR-FS
STAR-FS (Simulated Targeted Attack and Response assessments for Financial Services) is part of the PRA and FCA supervisory toolkit, to assess the cyber resilience of firms' important business services. This assessment enables regulators and firms to better understand vulnerabilities and take remedial actions, thereby improving their resilience and, by extension, the wider financial system.
It promotes a threat-led penetration testing approach that mimics the actions of cyber threat actors intent on compromising an organisation's important business services, as well as the technology assets and people supporting them.
An implementation guide and supporting templates are available. If your firm is interested in conducting a STAR-FS assessment, please contact your supervisor. STAR-FS aims to provide:
- an outcome-based assessment of financial institutions' protection, detection and response technical capabilities against cyber-attacks;
- an approach, conducted through a firm-led delivery model, that can identify cyber resilience vulnerabilities within systems, people and processes;
- reduced regulatory and firm effort relative to other supervisory technical assessments such as CBEST;
- levels of independent technical assurance beyond those ordinarily included in firms' own penetration testing programmes; and
- a testing approach accessible by a larger number of financial institutions to experience and learn from.