Bank of England unveils cyber security framework

The Bank of England has launched an IT security framework aimed at helping the wider financial services sector prepare itself for the onslaught of a cyber attack.

The CBEST framework is designed to help financial services organisations share details of prospective threats, ensure their defences can withstand a sophisticated and persistent cyber attack, and help them pinpoint vulnerabilities within their infrastructure.

Companies are set to be provided with detailed information about security threats, realistic penetration testing schemes, and the expertise of cyber threat intelligence analysts.

The initiative was announced today by Andrew Gracie, executive director of resolution at the Bank of England, who confirmed the framework would have access to threat intelligence reports from the government and private sector.

"The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered with live tests, within a controlled testing environment," he said.

"The results should provide a direct readout on a firm's capability to withstand cyber attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability."

The framework's creation has been overseen by the Bank of England, the Treasury and the Financial Conduct Authority, and has also featured input from not-for-profit information security group CREST.

CREST has been heavily involved in developing new accreditations for the penetration testing aspect of the framework.

Ian Glover, president of CREST, explained: "Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets.

"CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to important financial institutions."

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.