The Bank of England (BoE) and the Prudential Regulation Authority (PRA) have written to financial market infrastructures (FMIs) and PRA-regulated firms setting out the thematic findings from the 2022 Cyber Stress Test. The test examined a hypothetical data integrity scenario in retail payments in which a threat actor, assisted by a malicious insider, sought to redirect payments by amending payee data concurrently at two different firms. The letter advises on:
- the importance of industry coordination, so that firms take into account the potential consequences of their actions on others, and understand the actions others might take to contain contagion risk;
- consistent, effective and timely communications with all relevant stakeholders;
- having in place contingency plans – in this case for the rerouting of payments;
- planning and carrying out appropriate mitigating actions;
- having in place tools to help automate data reconciliation in the event of an incident;
- undertaking testing.
The regulators expect firms to embed all policy expectations, and share with their supervisors how they have assured themselves their plans are appropriate.