GCHQ should do more to guard against financial cyber crime, Tory MP urges

After Tesco Bank hack intelligence services urged not to let financial crime slip down priorities list

UK intelligence services need to do more to protect the financial sector from cyber attacks, says the head of the Treasury Select Committee.

Conservative Andrew Tyrie, who chairs the Committee, wrote to Ciaran Martin, the head of the National Cyber Security Centre (NCSC), on December 7th following an attack on Tesco Bank in November which saw money stolen from thousands of customer accounts.

Tyrie was critical of the complex chains of command and accountability within government and the intelligence services.

"It is for consideration whether a single point of responsibility for cyber risk in the financial services sector, with full ownership of - and accountability for - financial cyber-threats is now required," he wrote. "It may be necessary to create a line of accountability to the Treasury for financial cyber crime."

In the letter, which was released Monday, Tyrie said that the UK's defences against such attacks fall short of what's required, given the escalating nature of the threat.

"Legacy systems, human error and deliberate attack have resulted in unacceptable interruptions to vital banking services and weakened the public's confidence in the banking system as a whole. The recent attack on Tesco Bank is only the latest example of criminals exploiting vulnerabilities in the banking industry's IT systems," he wrote.

Tyrie is seemingly concerned that financial cyber crime might become a lower priority to the NCSC with state-sponsored attacks and counter-terrorism measures soaking up a majority of available resources.

"It is essential that the intelligence community gives the regulators the technical and practical support they need to do their job. This means making sure that financial cyber crime has a high priority, and is not subordinate to other work," he urged.

"Certainly, as millions of customers are exposed to the risks of cyber crime, a higher level of scrutiny and accountability for existing arrangements is needed."

The NCSC has said it will respond to the letter in the new year. The agency, which is part of GCHQ, was launched in September with a remit to tackle the threat to the nation from cyber attacks. Martin claimed that more than 200 "national security-level cyber incidents" per month are logged by the authorities.

In November technical director Ian Levy outlined eight ways NCSC would be seeking to address the issue of cyber attacks, most of which involve strengthening government infrastructure and responses, rather than being focussed on industries such as the financial sector. Indeed his lengthy blog post does not mention finance once.