On 29 March 2023, the Bank of England (BoE) and the Prudential Regulation Authority (PRA) published the thematic findings from the 2022 cyber stress test (CST22). The findings are intended to support individual and collective work to improve the financial sector’s response to and recovery from incidents.
Regular cyber stress tests are intended to test firms’ ability to remain within impact tolerances in severe but plausible scenarios. Firms are invited to participate based on the significance of their contribution to the operations of the UK financial system’s vital functions.
The objectives of CST22 were to explore:
- Firms’ ability to quickly identify the nature of the disruption they faced; and
- The potential financial stability impacts of firms not meeting the impact tolerance in cases where data integrity had been compromised.
Key findings from CST22 include:
- Industry coordination – Timely and co-ordinated decision-making and action across the industry is critical in limiting the impact of an incident. To support this, it is essential that response actions, including any potential rerouting of payments via alternative payment systems, and public communications are co-ordinated effectively across the industry. The existing sector response framework plays an important role in this co-ordination. The sector should leverage existing fora to develop principles-based playbooks to help industry understand how others are likely to act in this kind of scenario and to define delegated decision-making where relevant cross-industry fora might be unable to decide quickly enough. Firms should also review how decision-making and co-ordinated action across the sector is best executed out of business hours in cases when prompt action is needed to contain an incident.
- Communication – Consistent, effective and timely communications are important throughout an incident. Firms must communicate with a wide range of stakeholders internally and externally, including, for example, customers, the public, regulators, the media and other participants in the payments system. Given the short amount of time for responding to an incident, it is important for firms to consider how pre-scripted messages, which can be adapted to the specifics of the incident, could help maintain public confidence.
- Contingencies – Rerouting payments via alternative payment systems, where possible, could help to lessen the impact of an incident. It is therefore crucial that firms test that payment-rerouting processes can operate safely, quickly and at scale. Firms should establish what contingencies are already available to them and consider how different contingencies could work together in an incident. Firms should also identify and prioritise critical payments, so that they can focus on the payments that matter most for managing the impact on financial stability.
- Mitigants – Suitable mitigating actions, such as providing emergency cash or extending overdrafts in the case of retail payments, could help to maintain public confidence in the financial system and therefore limit the risk of an incident threatening financial stability. It is important for firms to consider what mitigants might be suitable for their businesses, develop and invest in them as necessary, and ensure that the processes for actioning those mitigants are both robust and scalable.
- Reconciliation – Firms should develop and test suitable tools and/or scripts to automate data reconciliation before an incident occurs, rather than during one. Financial market infrastructures (FMIs) are likely to be key providers of clean data during data integrity incidents, and should plan to meet that need in advance. Firms with a direct dependency on FMIs should also plan, prepare and test processes to receive this clean data, and explore alternative reliable data sources.
- Testing capabilities – It is important that firms undertake appropriate planning, preparation and testing to further strengthen individual firm capabilities and the underpinning assets, including technologies and processes which support the industry’s ability to respond and recover. Firms should also review their testing plans to ensure they cover a broad range of scenarios across confidentiality, data integrity and availability.
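The reconciliation finding above describes the capability but not the mechanics. The following is an added illustration, not BoE/PRA material, of what such a pre-built reconciliation script does in a data integrity incident: it compares a firm's payment ledger against a clean record received from an FMI, classifies each transaction as matched, missing from the firm, unexpected at the firm, or altered (with the fields that differ), and then rebuilds the ledger treating the FMI data as authoritative while quarantining records the FMI never saw. The record layout (txn_id, amount, currency, beneficiary, value_date) and both data sets are constructed for the example; real feeds would have their own schemas and the clean feed should itself be authenticated (signed or delivered over a verified channel) before being trusted.

```python
"""Added illustration of automated data-integrity reconciliation.

Not BoE/PRA code. The CSV layout, field names and sample payments below
are constructed for this example and carry no real account details.
"""
import csv
import io
from dataclasses import dataclass, fields
from decimal import Decimal

# Constructed sample data: the firm's own ledger, as it looks after the incident.
FIRM_LEDGER_CSV = """txn_id,amount,currency,beneficiary,value_date
T001,1000.00,GBP,GB29NWBK60161331926819,2023-03-01
T002,250.50,GBP,GB82WEST12345698765432,2023-03-01
T003,99999.00,GBP,GB33BUKB20201555555555,2023-03-01
T005,40.00,GBP,GB94BARC10201530093459,2023-03-01
"""

# Constructed sample data: the clean record supplied by the FMI for the same window.
FMI_CLEAN_CSV = """txn_id,amount,currency,beneficiary,value_date
T001,1000.00,GBP,GB29NWBK60161331926819,2023-03-01
T002,250.50,GBP,GB82WEST12345698765432,2023-03-01
T003,999.00,GBP,GB33BUKB20201555555555,2023-03-01
T004,75.25,GBP,GB94BARC10201530093459,2023-03-01
"""


@dataclass(frozen=True)
class Payment:
    txn_id: str
    amount: Decimal        # Decimal, never float: amounts must compare exactly
    currency: str
    beneficiary: str
    value_date: str


def parse_ledger(text: str) -> dict[str, Payment]:
    """Parse a CSV ledger into {txn_id: Payment}, rejecting duplicate ids."""
    ledger: dict[str, Payment] = {}
    for row in csv.DictReader(io.StringIO(text)):
        p = Payment(row["txn_id"], Decimal(row["amount"]), row["currency"],
                    row["beneficiary"], row["value_date"])
        if p.txn_id in ledger:
            raise ValueError(f"duplicate txn_id {p.txn_id}")
        ledger[p.txn_id] = p
    return ledger


def reconcile(firm: dict[str, Payment], clean: dict[str, Payment]) -> dict:
    """Classify every transaction id seen on either side.

    matched    - identical on both sides
    missing    - present in the clean FMI record, absent from the firm
    unexpected - present at the firm, unknown to the FMI (possible injection)
    altered    - present on both sides but with differing fields
    """
    report = {"matched": [], "missing": [], "unexpected": [], "altered": []}
    for txn_id in sorted(set(firm) | set(clean)):
        f, c = firm.get(txn_id), clean.get(txn_id)
        if f is None:
            report["missing"].append(txn_id)
        elif c is None:
            report["unexpected"].append(txn_id)
        else:
            diffs = [(fld.name, getattr(f, fld.name), getattr(c, fld.name))
                     for fld in fields(Payment)
                     if getattr(f, fld.name) != getattr(c, fld.name)]
            if diffs:
                report["altered"].append((txn_id, diffs))
            else:
                report["matched"].append(txn_id)
    return report


def repair(firm: dict[str, Payment], clean: dict[str, Payment], report: dict):
    """Rebuild the ledger with the clean source as authoritative.

    Missing and altered records are restored from the FMI copy; unexpected
    records are removed from the ledger and returned separately for
    investigation rather than silently deleted.
    """
    repaired = dict(firm)
    for txn_id in report["missing"]:
        repaired[txn_id] = clean[txn_id]
    for txn_id, _diffs in report["altered"]:
        repaired[txn_id] = clean[txn_id]
    quarantined = {txn_id: repaired.pop(txn_id) for txn_id in report["unexpected"]}
    return repaired, quarantined


def run_demo():
    """Reconcile the constructed data sets and return (report, repaired, quarantined)."""
    firm, clean = parse_ledger(FIRM_LEDGER_CSV), parse_ledger(FMI_CLEAN_CSV)
    report = reconcile(firm, clean)
    repaired, quarantined = repair(firm, clean, report)
    return report, repaired, quarantined


if __name__ == "__main__":
    rep, fixed, held = run_demo()
    for kind in ("matched", "missing", "unexpected", "altered"):
        print(f"{kind:10s} {rep[kind]}")
    print("quarantined for investigation:", sorted(held))
```

Run stand-alone, the script reports T001 and T002 as matched, T003 as altered (amount 99999.00 at the firm versus 999.00 at the FMI), T004 as missing from the firm and T005 as unexpected, and the repaired ledger equals the FMI record with T005 set aside. The point of having this prepared and tested in advance is that the classification rules, the choice of authoritative source and the handling of unexplained records are decided calmly before an incident, not under time pressure during one.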
Next steps
Although the BoE considers the cyber stress test to be a separate but complementary exercise to operational resilience policy, it expects firms to draw on the key findings from CST22 and incorporate any relevant findings to ensure that their important business services can remain within impact tolerances in ‘severe but plausible’ scenarios by March 2025.
A key outcome sought by the BoE is that firms embed the policy expectations and take action to improve their operational resilience. The BoE and PRA note that the CST22 results have highlighted the importance of firms planning, preparing and testing for severe but plausible scenarios, alongside investment, so that the impact on financial stability and other secondary impacts are minimised. They will use the lessons from this test to inform future work in this area.