The BoE has published a report setting out its thematic findings from the 2024 Cyber Stress Test, a voluntary exercise which involved providers and users of wholesale services to model the impact of a suspected cyber attack affecting transaction settlement.
The stress test used three variations of the scenario: a suspected cyber attack; a confirmed cyber attack; and a longer cyber attack.
Key findings included:
- Financial stability decisions�– while participants had mature scenario modelling and response capabilities, they lacked a comprehensive understanding of the FPC’s Impact Tolerance and how potential impacts could lead to financial instability.��Firms are encouraged to consider actions to protect financial stability and manage systemic risk from operational disruptions;
- Financial stability mitigation
- Operational mitigation – some participants had not tested all available workarounds for processing payments, highlighting the need for firms to collaborate with FMIs to ensure awareness and adoption of mitigation options;
- Confidence mitigation – participants demonstrated good understanding of the Sector Response Framework (SRF) processes.��However, further work is needed to improve awareness of operational resilience contingency procedures among customer relationship managers and incident responders;
- Financial mitigation -while capital is a fungible mitigant to losses, it does not mitigate operational disruption impacts. Service providers needed a better understanding of customer firms’ funding positions to meet liquidity needs during longer incidents;
- Disconnection and reconnection – firms’ decisions about disconnecting from critical systems affect their ability to mitigate financial stability impacts.��It is important for firms to understand disconnection and reconnection options, align them with risk appetites, and reflect potential financial stability impacts in their playbooks.��The Cross Market Operational Resilience Group (CMORG) is working on defining best practice reconnection processes.
