Cyber security, regulation and banks’ responsibilities to customers

Author: Simon Cadbury

The need to provide digital banking consumers with better protection against cyber-crime

Peter Hahn, senior fellow in banking at London’s Cass Business School and a former senior adviser to the Bank of England (BoE), recently remarked that everyone should have two bank accounts in case one is crippled by a security breach.

He added that while Britain’s banks “were certainly safer” now than they were before the financial crisis, the risk of cyber-attacks on their systems posed an increasingly dangerous threat.

Hahn’s comments came during an interview with the BBC’s Today Programme ahead of the Financial Stability report published by the Bank of England’s Financial Policy Committee, which identifies “cyber risk” among the five most prominent dangers facing the sector.

The rise of cyber-crime

The risk of cyber-attacks has indeed increased enormously over the years, so much so that when the ONS recently began to include incidences in national crime statistics the incidence of crime soared 107%. To guard against this, and to test banks’ abilities to withstand such attacks, the UK Financial Authorities, in conjunction with the Council for Registered Ethical Security Testers (CREST), have devised a testing framework known as CBEST.

CBEST was introduced to the industry in May this year during an event hosted by the Bank of England, and is designed to provide “an (sic) holistic assessment of a financial services or infrastructure provider’s cyber capabilities by testing people, processes and technology in a single test.”

CBEST, the Bank of England and how to protect consumer’s money

While this is a strong step in the right direction, CBEST’s robust certification requirements are overshadowed by the fact that performing an assessment is entirely voluntary, despite the Bank of England’s concession that the test is critical to maintaining the integrity of the financial system. As a result, CBEST tests do not provide a certification standard for the financial services institution itself. This is in contrast to the Payment Card Industry Data Security Standard (PCI DSS), which is both compulsory and a means of certification of individual institutions.

The BoE is making the right noises by supporting the CBEST cyber-security testing – but the process should not be voluntary. Just as banks are required to complete financial “stress tests”, they should, from a regulatory perspective, be required to complete cyber-security stress tests. In addition, which banks have successfully completed CBEST and which ones have not should be made known to the public in order for customers to make informed decisions on whom they entrust their money to.

How to make bank accounts more secure

Hahn’s comment that multiple bank accounts are safer than one may be true if the risk is spread across accounts with equal levels of protection against cyber-attacks. However, since it is not clear which institutions have completed a CBEST assessment and it is not mandatory for them to do so, it is a potentially false claim – it would be far better for customers to have the confidence to deposit their money in one secure bank account than two (or more) potentially unsecure ones.

There is a clear need to the public to have a way to rate the security of the bank they are doing business with. In the cyber-world this can be difficult to gauge, so the regulator should provide a cyber-security rating based upon CBEST and make the test a standard requirement of the financial services industry. By cooperating around such a standard, the industry will be able to deliver a stronger collective response to the cybercrime threat than any single company could do alone.

While this is not yet reality, upcoming changes in the regulatory landscape may change the situation for the better.

Making data security a priority

Perhaps fortunately for customers, new EU Data Protection Regulations are expected to be ratified by the end of the year and following this, there will then be a two year transition period for all systems in the EU to become compliant before enforcement starts. The new compliance requirements will include the stipulation that data security becomes an overriding priority, with safeguards having to be built-in to products and services from the earliest stages of development. The pan-European regulations will enforce, among other things, that if the regulations are broken fines of up to 5% of global revenue or EUR 100 million can be levied.

It is hoped that the introduction of these regulations will be the impetus required for the regulator to up their game in terms of making real changes to the regulatory environment. Banks must provide the necessary safeguards against cyber-crime, ensure these safeguards are mandatorily required to be subjected to and meet the standards of CBEST assessments, and adopt a rating system based upon it. This way, the consumer will be empowered to make not only an informed choice but an accurate one in terms of banks’ abilities to withstand cyber security threats.

17 Dec 2015

Author: Simon Cadbury

The need to provide digital banking consumers with better protection against cyber-crime

Peter Hahn, senior fellow in banking at London’s Cass Business School and a former senior adviser to the Bank of England (BoE), recently remarked that everyone should have two bank accounts in case one is crippled by a security breach.

He added that while Britain’s banks “were certainly safer” now than they were before the financial crisis, the risk of cyber-attacks on their systems posed an increasingly dangerous threat.

Hahn’s comments came during an interview with the BBC’s Today Programme ahead of the Financial Stability report published by the Bank of England’s Financial Policy Committee, which identifies “cyber risk” among the five most prominent dangers facing the sector.

The rise of cyber-crime

The risk of cyber-attacks has indeed increased enormously over the years, so much so that when the ONS recently began to include incidences in national crime statistics the incidence of crime soared 107%. To guard against this, and to test banks’ abilities to withstand such attacks, the UK Financial Authorities, in conjunction with the Council for Registered Ethical Security Testers (CREST), have devised a testing framework known as CBEST.

CBEST was introduced to the industry in May this year during an event hosted by the Bank of England, and is designed to provide “an (sic) holistic assessment of a financial services or infrastructure provider’s cyber capabilities by testing people, processes and technology in a single test.”

CBEST, the Bank of England and how to protect consumer’s money

While this is a strong step in the right direction, CBEST’s robust certification requirements are overshadowed by the fact that performing an assessment is entirely voluntary, despite the Bank of England’s concession that the test is critical to maintaining the integrity of the financial system. As a result, CBEST tests do not provide a certification standard for the financial services institution itself. This is in contrast to the Payment Card Industry Data Security Standard (PCI DSS), which is both compulsory and a means of certification of individual institutions.

The BoE is making the right noises by supporting the CBEST cyber-security testing – but the process should not be voluntary. Just as banks are required to complete financial “stress tests”, they should, from a regulatory perspective, be required to complete cyber-security stress tests. In addition, which banks have successfully completed CBEST and which ones have not should be made known to the public in order for customers to make informed decisions on whom they entrust their money to.

How to make bank accounts more secure

Hahn’s comment that multiple bank accounts are safer than one may be true if the risk is spread across accounts with equal levels of protection against cyber-attacks. However, since it is not clear which institutions have completed a CBEST assessment and it is not mandatory for them to do so, it is a potentially false claim – it would be far better for customers to have the confidence to deposit their money in one secure bank account than two (or more) potentially unsecure ones.

There is a clear need to the public to have a way to rate the security of the bank they are doing business with. In the cyber-world this can be difficult to gauge, so the regulator should provide a cyber-security rating based upon CBEST and make the test a standard requirement of the financial services industry. By cooperating around such a standard, the industry will be able to deliver a stronger collective response to the cybercrime threat than any single company could do alone.

While this is not yet reality, upcoming changes in the regulatory landscape may change the situation for the better.

Making data security a priority

Perhaps fortunately for customers, new EU Data Protection Regulations are expected to be ratified by the end of the year and following this, there will then be a two year transition period for all systems in the EU to become compliant before enforcement starts. The new compliance requirements will include the stipulation that data security becomes an overriding priority, with safeguards having to be built-in to products and services from the earliest stages of development. The pan-European regulations will enforce, among other things, that if the regulations are broken fines of up to 5% of global revenue or EUR 100 million can be levied.

It is hoped that the introduction of these regulations will be the impetus required for the regulator to up their game in terms of making real changes to the regulatory environment. Banks must provide the necessary safeguards against cyber-crime, ensure these safeguards are mandatorily required to be subjected to and meet the standards of CBEST assessments, and adopt a rating system based upon it. This way, the consumer will be empowered to make not only an informed choice but an accurate one in terms of banks’ abilities to withstand cyber security threats.