Bank of England launches new framework to test for cyber vulnerabilities

On 10 June Andrew Gracie, Executive Director for Resolution at the bank of England, announced CBEST, a framework for sharing detailed threat intelligence and delivering cyber security tests and benchmarking for UK financial services providers.

The framework, developed by Bank of England (BoE), Her Majesty’s Treasury and the Financial Conduct Authority, follows the launch of the Cyber Essentials scheme last week.

The press release on the BoE’s website says:

“The new framework called CBEST uses intelligence from Government and accredited commercial providers to identify potential attackers to a particular financial institution. It then replicates the techniques these potential attackers use in order to test the extent to which they may be successful in penetrating the defences of the institution. On completion of the test there will be workshops for the firm to work through the results with the testers and supervisors.”

With full backing from the UK Financial Authorities, CBEST looks to be a very promising framework and will provide the following benefits to the UK Financial sector:

  • Access to advanced and detailed cyber threat intelligence.
  • Access to knowledgeable, skilled and competent cyber threat intelligence analysts who have a detailed understanding of the financial services sector.
  • Realistic penetration tests that replicate sophisticated attacks based on current and targeted cyber threat intelligence.
  • Access to highly qualified penetration testers that understand how to conduct technically difficult testing activities while ensuring that no damage or risk arises.
  • Confidence in the methodologies used by the companies within CBEST for conducting these sophisticated and sensitive tests.
  • Confidence that the results and the information accessed by the testers will be protected.
  • Standard key performance indicators that can be used to assess the maturity of the organisation’s ability to detect and respond to cyber attacks.
  • Access to benchmark information, through the key performance indicators, that can be used to assess other parts of the financial services industry.
  • A framework that is underpinned by comprehensive, enforceable and meaningful codes of conduct administered by a specialist professional body.

IT Governance have long supported the need for regular penetration tests (see: Why pen tests are Crucial), as they provide an organisation with the information they need to ensure that they’re not wide open to an attack.

Personally, I am very pleased to see that the BoE are taking the initiative to ensure that the UK’s financial sector is doing its best to remain secure, and I’m sure the other 62 million people in the UK (who have a bank account) feel the same way.