New cybercrime tests for banks

[Image: Hands on computer keyboard. Source: SPL. Caption: Many cyber-thieves target bank and business networks in a bid to steal data and cash]

The Bank of England has stepped up its efforts to protect the UK's financial institutions from cybercrime with a new testing framework to spot vulnerabilities.

The Bank says hacking represents a growing risk for the financial sector.

The new tests will combine government intelligence about existing cyber-threats with those that the security industry assesses to be risks.

It is expected that the voluntary tests will be widely adopted.

Bad guys

The new cybersecurity strategy, known as CBEST, is the first of its kind for the financial services sector and tests will begin this summer.

"The results should provide a direct readout on a firm's capability to withstand cyber-attacks," said Andrew Gracie, the Bank of England's executive director of resolution.

James Chappell is chief technology officer at Digital Shadows, one of the security firms taking part in the tests. He explained how they would differ from previous vulnerability testing:

"Previous tests were carried out by a geeky guy who tried various technical ways to get into a system and then presented a report to the bank.

"These tests will mimic the behaviour of the bad guy, whether that be a hacktivist, organised crime or a nation state, it will emulate the same techniques they would use."

Rising risk

In a speech to the British Bankers' Association cyber-conference in London launching the new framework, Mr Gracie warned that banks needed to be better prepared to counter cyber-attacks.

"Cyber presents new challenges. Unlike other causes of operational disruption like fires and floods, we know there are agents out there - criminal, terrorist organisations or state-sponsored actors, that have the will, if not necessarily the means, to attack the system.

"Low-level attacks are now not isolated events but continuous. It is clear that the risk is on the rise and a growing cause of concern to industry and authorities alike."

According to the Bank of England's Systemic Risk survey, during 2013 there was a 10% increase in concerns about cyber-attacks among banks.

In December, the Royal Bank of Scotland admitted its platform was briefly attacked by hackers, while one unidentified London-listed company incurred losses of £800m in a cyber-attack a few years ago.

Results of the tests are unlikely to be made public.