City firms found failing in the battle against attack from cyber sharks

Bank of England's Waking Shark II exercise reveals that police have to be called in faster
The Independent Online

City firms have been told that they need to act more quickly and report to regulators in more detail if they become subject to cyber-attacks from criminal gangs, terrorists or hostile countries.

The Bank of England, which conducted a massive simulation exercise called Waking Shark II, representing a three-day attack on the City back in November, said this had shown that banks had made considerable progress in the last two years, but more could still be done.

The detailed review of the Waking Shark II exercise was revealed as the Business Secretary, Vince Cable, hosted a summit of regulators for the financial, water, energy, communications and transport sectors with ministers and top officials from the security and intelligence agencies, to discuss working in partnership to address cyber threats to the UK's essential services.

Waking Shark II, held on a single day in a City livery hall, simulated a three-day concerted cyber-attack on the UK's financial system by a hostile state. It was aimed at the wholesale areas of the market and was designed so that the third day included the "triple witching" when stock options and futures all expire at the same time.

The exercise included denial-of-service attacks on firms' websites, attacks on their networks and problems with closing share prices, bond clearing and payment instructions.

Andrew Bailey, a deputy governor of the Bank of England and the head of the Prudential Regulation Authority, said: "It is essential for financial stability that the UK financial system and its infrastructure continues to work towards improving its ability to withstand cyber-attacks."

The Bank of England said that Waking Shark II had worked, but that it would now consider creating a single co-ordinating body across the financial industry to manage how banks, firms and regulators communicate with each other in a cyber-attack crisis.

It said that it would look at strengthening the Cyber Security Information Sharing Partnership, set up in March last year, which connects firms and government agencies.

This partnership is complemented by a "Fusion Cell" supported on the Government side by the Security Service, GCHQ and the National Crime Agency, and by industry analysts from a variety of sectors.

The Bank also warned banks and firms that they needed to be much faster in reporting criminal attacks to the police and, if necessary, other law enforcement agencies.

It said that it would also make it clearer to firms which are regulated by both the PRA and the Financial Conduct Authority how and to whom they should report incidents.

Mr Bailey said: "The role that regulators such as the Bank of England and Ofcom are already taking to embed cyber security in their sectors is vital, as set out in a joint communiqué outlining steps that government and regulators agree to undertake to help manage cyber risk across each sector."

Mr Cable said: "Cyber-attacks are a serious and growing threat to British businesses, but it is particularly important that those industries providing essential services such as power, telecommunications and banking are adequately protected to avoid disruption to our everyday lives."

The Bank said there was demand for "further and more challenging" exercises including extending simulated cyber-attacks to firms' retail businesses.