On 27 September 2019, the Bank of England (BoE) published a webpage containing the outcomes and high level findings of its cyber simulation exercise (SIMEX18) held in November 2018.
The purpose of SIMEX18 was to exercise participants from 29 of the most systemically important firms and financial market infrastructures, who during the exercise responded to a cyber-attack scenario targeting the financial sector. The scenario was designed to test: (i) the effectiveness of the sector response framework in enabling coordinated response to a cyber-attack; and (ii) the effectiveness of the UK Finance (financial sector trade body) communications process for developing a sector communications strategy.
The BoE observed the following key findings:
- improvements could be made at an operational level in respect of coordination of firms. The BoE will undertake a review of the sector response framework to ensure that the sector can communicate and coordinate at an operational level during a crisis. The Finance Sector Cyber Collaboration Centre will also be integrated into the response framework;
- there was significant variance among participants in relation to system integrity issues, participant decision making, and risk appetite for suspending services. The BoE will focus future work on the production of industry guidelines and good practice for managing potential controlled suspension of services and system integrity issues;
- the ability for participants to support other operationally paralysed banks is constrained by the different ways in which data is stored. Further work is anticipated to scope the technical and data requirements for providing services via alternative channels. This will be followed by a strategy paper and playbook to support coordination of this contingency during a live incident; and
- the BoE will focus on producing industry guidelines on good incident communications practices and consistent definition and use of terminology.
The BoE states that the UK financial authorities will now act on the recommendations made following the exercise, and plans to continue work to deliver improvements to the resilience and response capability of the finance sector into 2020.