The Bank of England, together with the Financial Conduct Authority and the Prudential Regulation Authority, has cautioned U.K. banks to prepare for cyberattacks and technical failures.
The warning came in a discussion paper (pdf) that urges U.K. banks to assume such incidents will occur and ensure systems can handle such disruptions. The advice comes a month after Visa suffered a hardware failure that affected payment processing across Europe for several hours on a Friday.
Separate issues at TSB Bank, where migration to a new platform resulted in disruption lasting weeks, serve as a good reminder that the Bank of England isn’t being overly cautious here. Cyberattacks such as WannaCry or NotPetya, as well as recent wiper attacks, have shown how much damage a single attack can do.
Of course, banks should do everything possible to prevent cyberattacks from hitting them in the first place, but it has long been considered good security practice to build systems so that their critical parts continue to work, even when an attack or a compromise has taken place.
Just as financial stress tests, which determine a financial institution’s ability to deal with an economic crisis, have become common for banks around the world, IT stress tests may soon become a regular feature for the financial industry.
Given its leading position in global finance, and given its complicated relationship with Russia — which is believed to be behind various prominent cyberattacks — the U.K. has a strong incentive to ensure its banks can withstand attacks and technical failures, and thus lead the world in these kinds of stress tests.