Cyber resilience
Firms and FMIs should assess their cyber risk and build adequate resilience capabilities to prepare for, and respond to, potentially disruptive cyber incidents. To maintain the financial sector's cyber resilience and to support our supervisory oversight, we have developed cyber assessment tools. They include CBEST, STAR-FS and CQUEST.
CBEST
This provides a framework for regulators to work with firms using a simulated cyberattack. This allows firms to explore how to counteract an attack on the people, processes and technology of cyber security controls. We base the simulated attacks on present threats.
The aim is to test:
- a firm's defences
- its threat intelligence capability
- its ability to detect and respond to external and internal attackers
Firms use the assessment to plan how they can strengthen their resilience.
An accredited service provider carries out the simulation, acting within legal, ethical and moral constraints. It aims to get through a firm's defences using the cyber kill chain. They also assess if the confidentiality, integrity or availability of systems and processes that deliver a firm's important business services can be compromised.
CBEST thematic review
The annual CBEST thematic is intended to inform the sector on the findings and lessons learned from our CBEST programme, which assesses the cyber resilience of key financial institutions through security testing performed in ‘live’ corporate environments.
STAR-FS
STAR-FS (simulated targeted attack and response assessments for financial services) is part of the PRA and FCA supervisory toolkit, to assess the cyber resilience of firms' important business services. This allows regulators and firms to better understand vulnerabilities and take remedial actions, thereby improving their resilience and, by extension, the wider financial system.
It promotes a threat-led penetration testing approach that mimics the actions of actors' intent on compromising an organisation's important business services as well as the technology assets and people supporting them.
An implementation guide and supporting templates are available. If your firm is interested in conducting a STAR-FS please contact your supervisor. It aims to provide:
- an outcome-based assessment of financial institutions' protection, detection and response technical capabilities against cyber-attacks;
- an approach, conducted through a firm-led delivery model, that can identify cyber resilience vulnerabilities within systems, people and processes;
- reduced regulatory and firm effort relative to other supervisory technical assessments such as CBEST;
- levels of independent technical assurance beyond those ordinarily included in firms' own penetration testing programmes; and
- a testing approach accessible by a larger number of financial institutions to experience and learn from.