On 18 October 2023, the Bank of England (BoE) published a speech delivered by Elisabeth Stheeman, external member of the Financial Policy Committee (FPC), at the London School of Economics. In her speech, Ms Stheeman discusses getting prepared for cyber risks and operational resilience.

In her speech, Ms Stheeman discusses how the threat of cyber-attacks has become an increasingly important consideration for maintaining financial stability in the UK. She describes how the BoE’s FPC is working with other authorities and the private sector to improve and test the financial system’s resilience to cyber risks, and how it will be continuing to improve macroprudential oversight of operational resilience as a medium-term priority.

The speech includes the following remarks:

  • Cyber risk is frequently cited as a key source of risk to UK financial stability. The risk of a cyber-attack is the most cited risk in the latest survey for the second half of 2023, with 80% of firms mentioning it – the highest proportion of respondents citing cyber risk ever recorded in the survey.
  • Ransomware remains one of the most acute cyber-related threats faced by UK businesses, but less sophisticated cyber crime also remains a challenge.
  • The BoE has been working alongside HM Treasury and the FCA to improve and test the financial system’s operational resilience to cyber-attacks. The BoE and Prudential Regulation Authority already use a range of tools to assess the cyber resilience of individual firms’ important business services, including the ‘CBEST’ which tests the ability of firms and financial market infrastructures to prevent and detect cyber-attacks.
  • The BoE also works collectively with industry through the cross-market operational resilience group to build collective resilience to cyber and other risks. This includes ‘SIMEX’ and the wider sector exercise programme for collective response and recovery capabilities.
  • There were a number of lessons from the 2022 cyber stress test, including the need to consider contingencies, prepare suitable mitigating actions, co-ordinate with other firms and financial market infrastructures, and communicate throughout any cyber incident. 
  • It is important for firms to explore what contingencies are already available to them and consider how different contingencies could work together in an incident. Where contingencies might fall short, preparing suitable mitigating actions could also limit the risk of an incident causing financial instability if they were to help minimise confusion for consumers and maintain public confidence in the financial system.
  • Another lesson was that timely and co-ordinated decision-making and action across the industry is critical in limiting the impact of an incident, and there should be consistent, effective and timely communications throughout the incident.
  • While cyber risks are prominent, the FPC is also doing an increasing amount of thinking about broader operational issues, such as the increasing use of critical third parties. Ms Stheeman notes that the BoE, PRA and FCA will be publishing a consultation paper with draft rules and guidance for critical third parties in the coming months.
  • Alongside this work on critical third parties and cyber stress testing, the FPC continues to identify and monitor the channels through which operational risks could affect financial stability. This includes those arising through technological developments such as Artificial Intelligence and the use of blockchain.