Connect with us

Hi, what are you looking for?


Security Infrastructure

New Framework Helps UK Banks Test for Cyber-Weaknesses

New Framework Helps UK Financial Institutions Improve Resilience to Cyberattacks

New Framework Helps UK Financial Institutions Improve Resilience to Cyberattacks

A new cybersecurity framework has been launched to help financial institutions in the United Kingdom test their systems for vulnerabilities and strengthen their resilience to cyberattacks, the Bank of England announced on Tuesday.

The new framework, dubbed CBEST, has been developed by the Council for Registered Ethical Security Testers (CREST), a not-for-profit organization that represents the technical information security industry, various UK financial authorities and other organizations.

Similar to the Waking Shark II cyber exercise conducted last year, CBEST comes in response to recommendations by the Financial Policy Committee to improve and test resilience against cyber-attacks.

CBEST is designed to help boards, infrastructure providers and regulators understand the threats faced by the financial sector. The framework also aims at testing the effectiveness of detection and recovery processes, CREST said.

Unlike other cybersecurity tests conducted by the financial services sector, CBEST is based on threat intelligence, which ensures that simulations are as close as possible to real threat scenarios. Moreover, the testing focuses on sophisticated and persistent attacks against essential services and critical systems. 

“Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber attacks on critical assets,” commented Ian Glover, president of CREST.

Advertisement. Scroll to continue reading.

“CBEST tests have been designed to replicate the behaviours of serious threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to important financial institutions.”

The key benefits of CBEST are access to advanced cyber threat intelligence, skilled intelligence analysts, qualified penetration testers, benchmarking information, and standard key performance indicators that indicate an organization’s ability to detect and respond to cyberattacks.

“The idea of CBEST is to bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individual firms, to be delivered in live tests, within a controlled testing environment,” Andrew Gracie, the executive director of resolution at the Bank of England, said in a speech at the British Bankers’ Association.

“The results should provide a direct readout on a firm’s capability to withstand cyber-attacks that on the basis of current intelligence have the most potential, combining probability and impact, to have an adverse impact on financial stability.”


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.