BoE has reported on the outcomes of its 2018 sector-wide exercise (SIMEX), which tested how the UK finance sector would react to a prolonged and broad cyber attack. The exercise, which took place in real time, involved Treasury, BoE, PRA, FCA and 29 of the most systemically important firms and FMIs. It required participants to react during a “live” exercise day and also to complete a post-exercise written report focusing on how they would respond to a lengthy operational outage of a Global Systemically Important Bank.
The findings were largely positive, but significant improvements could be made in:
- risk tolerance: the significant divergence in risk appetite for suspending services may lead to significant knock-on effects to the market and real economy; and
- restoration: there are currently constraints on the way participants could support a paralysed bank, which stem from the different ways in which data is held.
The exercise showed that UK Finance’s incident management communications framework has greatly improved communications. There will be further work on industry guidelines on good incident communication practices and use of terminology, and on good practice for managing potential controlled suspension of services and system integrity risks.