On 25 May 2021, the Bank of England (BoE) published a speech by Lyndon Nelson (Deputy CEO and Executive Director, Regulatory Operations and Supervisory Risk Specialists) entitled Cyber Risk: 2015 to 2027 and the Penrose steps.

In his speech Lyndon Nelson (LN) states that “addressing cyber risk is to put oneself inside an Escher drawing and in particular the Penrose steps where we are constantly walking up the stairs and not reaching the top. This is the nature of the risk. It has a conscious opponent determined like a liquid to pour through cracks and find the lowest level of your controls and exploit them.”

Key points in the speech include:

  • For many if cyber is not the number one risk in their risk register it is the fastest rising. The advance of the cyber threat is also the main gateway that people go through for the consideration of the broader operational risk agenda.
  • The BoE has looked at operational resilience in three parts: assessment (testing), capabilities and coordination.
  • The first part of the BoE’s strategy has been testing and assessment of firms’ resilience to cyber risk. CBEST (the BoE’s threat-led penetration testing framework) can constantly evolve and recently the BoE has worked with the European Central Bank and other European authorities to conduct CBEST on a cross-jurisdictional basis.
  • As part of the Financial Policy Committee (FPC) cyber agenda the BoE is continuing to develop a new type of regular assessment, called a cyber-stress test to assess firms’ operational resilience and the impact this has on the FPC’s core strategic goals. Whilst CBEST focusses more on detection, the stress test looks at the response and in particular the ability to restore functioning after an incident. The next cyber stress test will be in 2022 and will involve a scenario where data integrity has been compromised within the end-to-end retail payments chain.
  • Exercises are a key part of the BoE’s strategy. It has done various exercises over the past few years, including a pandemic, an extended outage at the BoE’s High Value Payment System – RTGS, and a significant cyber-attack which incorporated a data-integrity scenario. The BoE has also participated in exercises at the international level.
  • The BoE’s testing and exercising have steadily demonstrated improvements in cyber resilience, but there are still too many instances of failures in what one might call basic cyber hygiene. Examples of cyber hygiene issues include: (i) shortcomings in vulnerability management and information storage, (ii) poor configuration of IT infrastructure and (iii) poor user account and password management.

In terms of what lies ahead on the Escher Penrose Steps LN states:

  • The full roll-out of the BoE’s operational resilience policy, which will transform the approach to risks such as cyber.
  • Even greater momentum for collective action from the financial sector as it tackles important issues such as safeguarding firms against data corruption and the response to a large bank becoming operationally paralysed.
  • Greater maturity in the international approach based on the lead taken by the G7 Cyber Experts Group and the Basel Committee on Banking Supervision.
  • A suitable regime for critical third parties, which reflects their growing importance in the delivery of critical financial services to economies.