Peter Hahn, senior fellow in banking at London’s Cass Business School, and a former senior adviser to the Bank of England, recently remarked that everyone should have two bank accounts in case one is crippled by a security breach. He added that while Britain’s banks “were certainly safer” now than they were before the financial crisis, the risk of cyberattacks on their systems posed an increasingly dangerous threat.
Hahn’s comments came during an interview with the BBC’s Today program ahead of the Financial Stability report published by the Bank of England’s Financial Policy Committee, which identifies ‘cyber risk’ among the five most prominent dangers facing the sector.
The rise of cybercrime
The risk of cyberattacks has increased over the years, so much so that when the ONS recently began to include cyber incidents in national crime statistics, the reported incidence of crime soared 107%. To guard against this, and to test banks’ ability to withstand such attacks, the UK Financial Authorities, in conjunction with the Council for Registered Ethical Security Testers (Crest), have devised a testing framework known as CBEST.
CBEST was introduced to the industry in May 2015 during an event hosted by the Bank of England, and is designed to provide a “holistic assessment of a financial services or infrastructure provider’s cyber capabilities by testing people, processes and technology in a single test”.
CBEST, the Bank of England, and how to protect consumers’ money
While this is a strong step in the right direction, CBEST’s robust certification requirements are overshadowed by the fact that undergoing an assessment is entirely voluntary, despite the Bank of England’s own acknowledgement that the test is critical to maintaining the integrity of the financial system. As a result, CBEST tests don’t provide a certification standard for the financial services institution itself. This is in contrast to the Payment Card Industry Data Security Standard (PCI DSS), which is compulsory and certifies individual institutions.
The BoE is making the right noises by supporting the CBEST cybersecurity testing, but the process shouldn’t be voluntary. Just as banks are required to complete financial ‘stress tests’, they should, from a regulatory perspective, be required to complete cybersecurity stress tests. In addition, which banks have successfully completed CBEST and which ones haven’t should be made known to the public in order for customers to make informed decisions on who they entrust their money to.
How to make bank accounts more secure
Hahn’s comment that multiple bank accounts are safer than one may be true if the risk is spread across accounts with equal levels of protection against cyberattacks. However, since it’s not clear which institutions have completed a CBEST assessment, and it’s not mandatory for them to do so, it’s a potentially false claim. It would be far better for customers to have the confidence to deposit their money in one secure bank account than two (or more) potentially unsecured ones.
There’s a clear need for the public to have a way to rate the security of the bank they’re doing business with. In the cyber world, this can be difficult to gauge, so the regulator should provide a cybersecurity rating based on CBEST and make the test a standard requirement of the financial services industry. By cooperating around such a standard, the industry will be able to deliver a stronger collective response to the cybercrime threat than any single company could do alone. While this isn’t yet reality, upcoming changes in the regulatory landscape may change the situation for the better.
Making data security a priority
Perhaps fortunately for customers, new EU Data Protection Regulations are expected to be ratified by the end of the year, followed by a two-year transition period for all systems in the EU to become compliant before enforcement starts. The new compliance requirements will include the stipulation that data security becomes an overriding priority, with safeguards built in to products and services from the earliest stages of development. Among other things, the pan-European regulations provide that breaches can be punished with fines of up to 5% of global revenue, or EUR 100m.
It is hoped that the introduction of these regulations will be the impetus required for the regulator to up its game and make real changes to the regulatory environment. Banks must provide the necessary safeguards against cybercrime, be required to subject those safeguards to CBEST assessments and meet their standards, and adopt a rating system based upon them. This way, the consumer will be empowered to make not only an informed choice, but an accurate one, about banks’ ability to withstand cybersecurity threats.