FIN.

Regulators publish cyber findings for 2024

The BoE, PRA and FCA have published their latest annual CBEST thematic report. The report assesses the cyber resilience of key financial institutions through security testing performed in ‘live’ corporate environments. This year marks the 10th anniversary of the CBEST programme.

This year’s report found continued gaps in the foundational cyber defences of firms and financial market infrastructures (FMIs). The regulators highlighted the following areas of focus:

  • Cybersecurity risks to assets and individuals;
  • Cyber risk management and impact-based approaches to the protection of key resources (people, process, technology and data);
  • Detection and response capabilities leveraging the latest threat intelligence; and
  • Cyber incident response to eradicate threats and mitigate impacts.

In terms of prevention, the report highlighted the following issues:

  • Identity management and access control:
    • Having overly permissive access controls;
    • Not maintaining strong credential hygiene practices;
    • Not enforcing multi-factor authentication; and
    • Having weak controls around privileged access management;
  • Infrastructure security, asset management and application maintenance, including having weak configuration management practices;
  • Network security:
    • Having ineffective network and service segmentation; and
    • Having ineffective network monitoring;
  • Staff awareness and training:
    • Staff being susceptible to social engineering that seeks to discover passwords or token codes;
    • Staff being manipulated by phishing; and
    • Having unprotected and exposed credentials.

In terms of detection and response:

  • Insufficient detection of adverse events and monitoring gaps;
  • A lack of communication channels during incident responses; and
  • Insufficient containment of red team testers once their activity had been detected.

Laura Wiles