Banks ordered to bolster cyber defences by FPC
'Concrete plan' by banks to handle cyber attacks to be handed to Financial Policy Committee in six months
Banks have been ordered by the Financial Policy Committee (FPC) to devise a way of toughening up their cyber defences in the next six months, because of the growing threat of cyber attacks.
Minutes of last month's FPC meeting involving the Bank of England revealed that the Treasury is already working on a programme to assess, test and improve the financial system's resilience to cyber attacks.
It said that the financial system had a number of potential vulnerabilities as a result of its "high degree of interconnectedness, its reliance on centralised market infrastructure and its sometimes complex legacy IT systems".
At the same time, the cyber threat had "many dimensions and was growing", the FPC said.
The committee had warned banks in June of the need for boards of financial firms and infrastructure providers to recognise the importance of the threats, suggesting that it should not just be a matter for the IT department and the CIO to address.
The minutes said that the boards "required a combination of continuous vigilance and investment to strengthen operational resilience".
The next step was for the banks and infrastructure providers to come up with a "concrete plan" by the end of the first quarter of 2014, with a progress report handed to the FPC at the end of 2013.
As part of these steps, the Bank of England said that it would be reviewing its own resilience.
The need for the UK's financial services sector to invest in IT infrastructure to identify and mitigate risks has been talked about for some time. In August last year, a report by the trade association of the UK technology sector, Intellect, found that banks' IT infrastructure was "not fit for purpose".
Peter Armstrong, director of the cyber security sector at Thales UK, believes that organisations that prepare for the FPC's 2014 compliance deadline now will gain a competitive edge.
Meanwhile, Chris McIntosh, CEO of security firm ViaSat, believes that banks need to assume that they have already been compromised and act accordingly.
"With incidents such as the attacks on Barclays and Santander still fresh in the mind and these attacks becoming increasingly common, it's good to see the Bank of England taking swift measures to protect the UK's banking system. However, rather than waiting for the next data breach to occur, the UK's banks need to realise that they have likely already been compromised and need to work back on this basis," he said.