But Nick Strange, BoE director of supervisory risk specialists, said individual firms may not be able to meet minimum requirements for restoring services like payments within the timescales to be set and tested by the Bank.
“If this were the case, then it would either fall to the public or private sector to come up with a collective solution,” Strange told a conference on operational risk.
“In the U.S., a private sector initiative has been set up called Sheltered Harbor to protect customers, financial institutions and public confidence in the financial system if a catastrophic event like a cyber attack causes critical systems, including backups, to fail.”
Under the industry-led, not-for-profit scheme launched in 2015, companies provide copies of customer account data to a centrally maintained vault.
Companies can designate other companies to restore critical customer data if they suffer a major hack or outage that they cannot recover from quickly.
“Although yet to be tested in a real cyber event, this shows that by working together innovative and ambitious solutions can be initiated within the sector itself,” Strange said.
Later this year, the Bank will pilot a cyber stress test of financial companies that includes an “impact tolerance” to assess how many customers and payments would be hit by an outage, and how quickly services could recover.
Disruption from last year’s IT upgrade at TSB bank served as an important reminder that banks need to be resilient to a wider range of operational issues than cyber, Strange said.
“We will be working with a small number of firms to ‘test the test’,” Strange said.