Security Experts:

New Framework Helps UK Banks Test for Cyber-Weaknesses

New Framework Helps UK Financial Institutions Improve Resilience to Cyberattacks

A new cybersecurity framework has been launched to help financial institutions in the United Kingdom test their systems for vulnerabilities and strengthen their resilience to cyberattacks, the Bank of England announced on Tuesday.

The new framework, dubbed CBEST, has been developed by the Council for Registered Ethical Security Testers (CREST), a not-for-profit organization that represents the technical information security industry, various UK financial authorities and other organizations.

Similar to the Waking Shark II cyber exercise conducted last year, CBEST comes in response to recommendations by the Financial Policy Committee to improve and test resilience against cyber-attacks.

CBEST is designed to help boards, infrastructure providers and regulators understand the threats faced by the financial sector. The framework also aims at testing the effectiveness of detection and recovery processes, CREST said.

Unlike other cybersecurity tests conducted by the financial services sector, CBEST is based on threat intelligence, which ensures that simulations are as close as possible to real threat scenarios. Moreover, the testing focuses on sophisticated and persistent attacks against essential services and critical systems. 

“Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets,” commented Ian Glover, president of CREST.

“CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to important financial institutions.”

The key benefits of CBEST are access to advanced cyber threat intelligence, skilled intelligence analysts, qualified penetration testers, benchmarking information, and standard key performance indicators that indicate an organization’s ability to detect and respond to cyberattacks.

“The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment,” Andrew Gracie, the executive director of resolution at the Bank of England, said in a speech at the British Bankers’ Association.

“The results should provide a direct readout on a firm’s capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability.”


view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.