There are still "too many instances of failures in basic cyber hygiene".
That is the view of Lyndon Nelson, Deputy CEO of the PRA. His latest speech on the looming and evolving threat of cyber risk considers the measures being taken by the Bank of England and PRA to tackle it.
As a companion piece to his recent update on operational resilience, the speech highlights issues such as:
- shortcomings in vulnerability management and information storage;
- poor configuration of IT infrastructure; and
- poor user account and password management.
The speech further notes how the last year has seen a shift in the nature of attacks towards exploits of third-party / outsourced relationships. Typically this has taken the form of ransomware attacks.
Against this backdrop, the speech signposts a new "cyber-stress test" to assess firms' operational resilience. The test will look at the response to an incident and the ability to restore functioning afterwards. The PRA expects to more effectively monitor the ability of firms and systems to recover in line with their impact tolerance (in a severe-but-plausible scenario).
The next cyber-stress test will take place in 2022. It will cover a scenario where data integrity has been compromised within the end-to-end retail payments chain.
The speech also hints at the imminent publication by the Cross Market Operational Resilience Group (CMORG, co-chaired by the PRA and UK Finance) of:
- good practice to encourage consistency in how firms communicate incidents; and
- a framework mapping the coordination and information-sharing links among key response groups.
These measures are very much part of a growing patchwork of steps to address the complexity and fast-changing nature of cyber risk. Lyndon Nelson likened the issue to Escher's Penrose Steps and a "constant journey" of walking up the stairs and never reaching the top. The Penrose Steps may also be known as the impossible staircase - but effective industry-wide action to tackle cyber risk is very much possible. The measures being taken by the Bank of England and PRA are just part of that process.