FIN.

BoE sets out thematic findings from 2024 Cyber Stress Test

The BoE has published a report setting out its thematic findings from the 2024 Cyber Stress Test, a voluntary exercise which involved providers and users of wholesale services to model the impact of a suspected cyber attack affecting transaction settlement.

The stress test used three variations of the scenario: a suspected cyber attack; a confirmed cyber attack; and a longer cyber attack.

Key findings included:

  • Financial stability decisions�– while participants had mature scenario modelling and response capabilities, they lacked a comprehensive understanding of the FPC’s Impact Tolerance and how potential impacts could lead to financial instability.��Firms are encouraged to consider actions to protect financial stability and manage systemic risk from operational disruptions;
  • Financial stability mitigation
    • Operational mitigation – some participants had not tested all available workarounds for processing payments, highlighting the need for firms to collaborate with FMIs to ensure awareness and adoption of mitigation options;
    • Confidence mitigation – participants demonstrated good understanding of the Sector Response Framework (SRF) processes.��However, further work is needed to improve awareness of operational resilience contingency procedures among customer relationship managers and incident responders;
    • Financial mitigation -while capital is a fungible mitigant to losses, it does not mitigate operational disruption impacts. Service providers needed a better understanding of customer firms’ funding positions to meet liquidity needs during longer incidents;
  • Disconnection and reconnection – firms’ decisions about disconnecting from critical systems affect their ability to mitigate financial stability impacts.��It is important for firms to understand disconnection and reconnection options, align them with risk appetites, and reflect potential financial stability impacts in their playbooks.��The Cross Market Operational Resilience Group (CMORG) is working on defining best practice reconnection processes.

Laura Wiles