BoE and PRA feed back on cyber stress test results

The BoE and PRA have written to FMIs and PRA-regulated firms setting out the thematic findings from the 2022 Cyber Stress Test. The test looked at a hypothetical data integrity scenario in retail payments in which a threat actor, assisted by a malicious insider, sought to redirect payments by amending payee data concurrently at two different firms. The letter advises on:

  • the importance of industry coordination, so that firms take into account the potential consequences of their actions on others, and understand the actions others might take to contain contagion risk;
  • consistent, effective and timely communications with all relevant stakeholders;
  • having in place contingency plans – in this case for the rerouting of payments;
  • planning and carrying out appropriate mitigating actions;
  • having in place tools to help automate data reconciliation in the event of an incident;
  • undertaking testing.

The regulators expect firms to embed all of these policy expectations and to share with their supervisors how they have assured themselves that their plans are appropriate.

Emma Radmore