Technology and Cyber Resilience Benchmarking Report December 2013

Transcription

1 Technology and Cyber Resilience Benchmarking Report 2012 December

2 Foreword by Andrew Gracie Executive Director, Special Resolution Unit, Bank of England On behalf of the UK Financial Authorities (The Bank of England, including the Prudential Regulation Authority, The Financial Conduct Authority and HM Treasury) I am pleased to attach our Report setting out the high-level findings from the Technology and Cyber Resilience Benchmarking exercise we initiated in The main output from the exercise was an individual report to each of the 30 participants comparing their responses to our survey with those of their peers and with the participants as a whole. Follow up to those reports is being taken forward bilaterally with the participants through the normal supervisory /oversight processes. As the Report makes clear, the purpose of the exercise was to establish an initial overview of the participants approach to technology and cyber resilience challenges. There was no pre-determined benchmark against which participants responses were assessed so no value judgements were made. Where participants responses differed from their peers and/or the wider group, these were highlighted in the individual reports for the recipients to consider the rationale for those differences. Several participants have indicated that they have found the reports to be a useful tool for reviewing their technology and cyber resilience arrangements. From the Authorities perspective, the overall results of the exercise have provided a positive indication that technology and cyber resilience are taken seriously by the participants and that in general, differences in approach largely align with the differences in the nature and scale of their activities. Where that is not the case, we will seek to undertake additional assessments as part of the substantive programme of further work described in the final section of the Report. This benchmarking exercise was a collaborative venture between the Authorities and the participants. We are grateful to those who committed substantial time and resources to help develop the questionnaire and to pilot and deliver the exercise which reflects a clear recognition of the value of cross-firm work to strengthen the technology and cyber resilience of the sector. 2

3 Technology and Cyber Resilience Benchmarking There is now a greater reliance on IT systems and networks across the finance sector than ever before. While this provides many opportunities, it also increases the risk of disruption to the sector from technology failures and cyber-attacks. In the latter case, the rapid evolution of the cyber threat landscape poses challenges to firms' ability to maintain resilience. The pace of change is such that prevention, detection and response arrangements can quickly become dated and insufficient. Discussions with the financial sector over the past three years have highlighted concerns over the increasing persistence, intensity and sophistication of electronic attacks upon IT systems. Alongside the Authorities 1, the UK financial sector has been exploring and testing its response to cyber-attacks since early 2010, including high-level sector discussions in September In March 2011, thirty three firms from the UK finance sector together with the Authorities took part in a desk-top cyber exercise Waking Shark I. Lessons learned from the exercise were fed into the cyber element of the Market-wide Exercise (MWE) which took place in November In 2005, 2007 and 2009 the UK Financial Authorities undertook projects to benchmark the operational resilience of the UK financial sector (details of which can be found on the Bank of England s website). In 2012 the Authorities responded to increasing technology and cyber threats and feedback from the sector and focused on developing smaller, more targeted surveys, to delve deeper into the theme of technology and cyber resilience. Thirty key firms and financial market infrastructure providers participated in resilience benchmarking 2012 and each received an individual report which provided their results and anonymous comparisons with other participants. There was no predefined benchmark against which firms were assessed; rather the aim was to more widely understand how the sector plans and manages technology and cyber resilience and to allow firms to compare themselves against their peers. 1 Prior to April 2013, the Authorities referred to the Bank of England, the FSA and HM Treasury. The Authorities now comprises of the Bank of England, including the PRA, the FCA and HM Treasury. 3

4 The results of benchmarking have provided valuable input to the on-going work of the Authorities together with firms. The results reported in this Report are as of 2012 and, in response to increased attacks, firms have continued to address and improve their cyber security; such measures taken since the survey are not stated in the results (see Further Work below). The technology and cyber resilience surveys have, however, provided the Authorities and participants with a good high-level understanding of how the sector approaches technology and cyber resilience. Common Practices Participants benchmarking responses highlighted a number of common technology and cyber resilience practices which help firms to achieve a base layer of technology and cyber resilience to build upon. The majority of participants (62%) reported that they have a methodology for learning from near miss events, allowing them to better detect and respond to small failures and low level disruption which provide feedback on the overall functioning of the firm in relation to its environment. Near miss events may also provide early warning of larger or cascade failures which the firm can avoid or better manage by learning from the early warnings. The 2011 MWE underlined the importance of firms having dedicated, well-trained professionals who are appropriately empowered in the firm to prepare for and respond to cyber-attacks. In total, 86% of participants reported that their technology and cyber resilience specialists are involved at all stages and activities of responding to technology and cyber related incidents, from being a part of the response team and providing Subject Matter Expert (SME) input to being empowered to make key decisions. All participants reported that they have an Incident Management Plan (IMP) or similar document. Within those plans the content is largely consistent between different firms and peer groups and includes; key objectives / operational resilience requirements, incident response processes, criticality and business impact criteria and a testing and exercise approach, showing a level of maturity across all participants. In addition, participants reported that their IMPs provide significant practical guidance for responders to use during an incident. 4

5 Participants take a proactive approach to monitoring their operating environment and detecting and responding to threats before they have damaging effects. In total 77% of all participants reported that they have an active Intrusion Detection System (IDS) which can enable them to monitor malicious activity and identify new threats and potential vulnerabilities. A number of participants also either reported that they have an active Intrusion Prevention System (IPS) or are awaiting its activation. Further to this, all participants reported performing a wide range of network monitoring for event detection presenting a positive picture of the layers of defences, including monitoring, which were reported by all participants. Specific Findings Comparison of firms responses identified a number of positive practices as well as some areas where firms could improve or provide a higher level of assurance. Governance Coordination and strategic alignment between different areas responsible for IT and business continuity teams is important to ensure a common goal for effective planning and response. The 2012 benchmarking results showed that the majority of participants manage technology and cyber resilience as part of IT production (73%), IT risk (63%), or that it was managed in part by business continuity and in part by IT risk (56%) suggesting there is further opportunity for collaboration between the two areas of work. It is essential that business continuity and technology and cyber practices are reviewed by top management and that one does not take precedence over the other. In total, 97% of all participants reported that they discuss technology and cyber resilience during top management meetings. This presents a positive view of top managements prioritisation of technology and cyber issues. However, only around half of participants reported that they discuss these issues monthly or quarterly. Given the significant increase in cyber-attacks on financial firms since this survey was completed, we would expect that proportion to have increased in the ensuing period. 5

6 The survey did not assess top managements discussion of technology and cyber issues in sufficient detail to reach a view on the quality of those discussions. Nor was it able to establish clearly whether boards themselves are taking appropriate responsibility for cyber risks or whether these are labelled as purely IT problems and are thus delegated to IT committees and subgroups. However it is important for firms themselves to consider these key questions. Assessing controls Once IT and cyber security controls are implemented it is essential that they are tracked, reviewed and evaluated to ensure that they are effective and fit for purpose. The majority of participants reported that they assess their controls on a monthly basis (53%) against current and emerging threats and identify key risks requiring remediation after major incidents (70%). This reflects the changing nature of the cyber threat and the rapid pace of change. What firms do with information about the effectiveness of controls and whether they are able to escalate issues to senior management is also important. Whilst the majority of firms indicated that they report the implementation of controls to mitigate current and emerging threats to top management, nearly a quarter of participants indicated that they do not, raising questions over whether top management have sufficient visibility of technology and cyber risks and the corresponding mitigation and controls to enable them to make effective managerial and strategic decisions. Situational awareness Triggers for reviewing technology and cyber resilience policies varied across participants. Retail and investment firms responses suggested that they focus more on external drivers and are more likely to review policies based on emerging threats and major incidents which they have experienced. In contrast, financial market infrastructure firms responses suggested that they review technology and cyber resilience policies in response to changes in related policies and organisation strategy. A combination of approaches enables firms to develop policies and mitigations which are responsive to changes in the threat profile and the firms risk environment. 6

7 When asked, 78% of participants reported that they formally revise their assessment of current and emerging technology and cyber resilience threats and protection against those threats after a major incident. Although the surveys did not examine how threat assessments are used, if used effectively it may increase firms awareness of their threat environment enabling them to adapt to changing conditions as they emerge. As part of reviewing their threat assessment, all participants reported that they used a full range of sources of threat intelligence, from vendors and third parties to audit findings and peer groups. Participants responses suggest that they are largely consistent in sharing information about their current threat landscape with key internal stakeholders and decision makers, although it is not clear from benchmarking how effective this is in practice. Incident management Participants approach to managing technology and cyber incidents was largely consistent and demonstrates maturity across the sector. In total, 70% of firms take a comprehensive and consistent approach to their incident detection and analysis procedures and include all of the elements that were provided as options in the benchmarking survey. All participants reported that they use a wide range of monitoring techniques and a variety of information to detect technology and cyber events; this establishes a baseline of positive techniques for event detection. The majority of participants also reported that they formally record a full range of information when an event is reported. Vendor technology and cyber resilience One of the challenges of managing vendors technology and cyber resilience is how to assess and understand the level of resilience across multiple vendors in a way which will aid decision making. The majority of firms reported established processes for reviewing vendors technology and cyber resilience with many using questionnaires to gather information. Despite this, the documentation and evidence which vendors are required to provide is minimal, consisting mainly of a business continuity policy and standards accreditation certificates; evidence of cyber threat preventative measures are noticeably absent. 7

8 Although this information may be collected through a vendor management department, unit or group, firms responses indicate that business continuity management (70%), information security (70%), and IT security (67%) are the main groups responsible for conducting reviews of vendor technology and cyber resilience which demonstrates that information is being scrutinised by specialists. Top 3 risks In addition to answering the benchmarking questions, participants were also asked to provide evidence to elaborate on key themes. As part of this, firms were asked to identify, from their corporate risk registers, their top 3 technology and cyber risks. The top 3 technology risks reported by firms were network and critical system outages, development or emergence of new technology and poor change management in relation to new technologies, and access management and control of administration privileges. The top 3 cyber related risks were reported as hactivism, malware and social engineering, and denial of service or distributed denial of service attacks. Since the 2012 resilience benchmarking exercise, the Authorities have been working in conjunction with the UK financial sector to address concerns and improve firms technology and cyber resilience. Further Work Since the initiation of the resilience benchmarking exercise in 2012, the Authorities have continued to work with firms to evaluate and improve technology and cyber resilience. In August 2012, the FSA wrote to nine major retail firms to establish whether they had taken appropriate action to assess and mitigate the risk of an outage and to evaluate whether technology risk is appropriately articulated and discussed at Board level. Follow up to this work was taken forward bilaterally through the normal supervisory processes. In June 2013 the Financial Policy Committee (FPC) made the following recommendation to HM Treasury: HM Treasury, working with the relevant government agencies, the PRA, the Bank s financial market infrastructure supervisors and the FCA should work with the core 8

9 UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber-attack. Since the recommendation was made, HM Treasury and the regulators have further enhanced their programme of work to test and improve the financial system s resilience to cyber-attacks. That enhanced programme was approved in September by the FPC which encouraged HM Treasury and the regulators to ensure that the institutions at the core of the financial system, including banks and infrastructure providers, have a high level of protection against cyber-attacks. The programme of work to assess, test and improve the resilience of the financial sector to cyber-attack is based around four main themes: 1. Understanding the current nature of the cyber threat 2. Strengthening assessment work 3. Developing plans for testing the resilience of the sector to cyber-attack 4. Improving information-sharing The work programme is designed to provide a broad-based response to the FPC s cyber recommendation and will inevitably take time to implement in full. In order to strengthen the assessment, the Authorities have been working with government agencies and have developed a comprehensive joint questionnaire which has been issued to a number of firms and FMIs to assess the adequacy of their cyber resilience and security arrangements. Additionally as part of this programme, on Tuesday 12 November an exercise took place to test the financial sector s response to a sustained and intensive cyber-attack. This exercise was called Waking Shark II and involved participants from investment banks, FMIs, the financial authorities and the relevant government agencies. The exercise was organised by the Securities Industry Business Continuity Management Group (SIBCMG) which drew on extensive cyber expertise to design a scenario in which a cyber-attack caused disruption to wholesale markets and the financial infrastructure supporting those markets. The exercise tested the communication between firms, between firms and the authorities, and aimed to improve understanding of the impact of a cyber-attack on the participants and wider financial sector. A thorough review of the lessons learned is underway to identify potential 9

10 improvements to the resilience of the sector. A report will be published early in the New Year to share the outcomes and lessons with the participants and wider finance sector. Thank you We would like to thank everyone across the sector who was involved in resilience benchmarking 2012 and in particular the Benchmarking Support Group who developed the questions and helped to pilot and deliver the programme. If you have any comments on this Report please send them to BusinessResilience@bankofengland.co.uk. 10