The Bank's 2013 systemic risk survey saw a 10 per cent increase in concerns regarding operational risk (the highest since the survey began), with the risk of cyber terrorism cited by 24 per cent of respondents.
Speaking today, the Bank's executive director for resolution, Andrew Gracie, says that "cyber presents new challenges" different from traditional disruptions, such as conventional terrorism or natural disasters.
Gracie says that unlike "fires and floods, we know there are agents out there – criminals, terrorist organisations or state sponsored actors – that have the will, if not necessarily the means, to attack the system." More often than not attackers will be motivated by economics, says Gracie, and they will seek "to defraud banks or their customers or to extract information".
Barriers to entry for digital fraudsters remain low, and attacks are easily scalable. And unlike traditional physical attacks, a hypothetical cyber attack could be more difficult to contain. While firms already have defences in place against threats such as armed robbery or bomb threats, many remain exposed to these cyber assaults.
In June, a report from the Center for Strategic and International Studies (CSIS) found that cyber crimes costs the UK economy around £2.6bn each or year, or 0.16 per cent of GDP, with worldwide damage exceeding £260bn annually. That in turns hinders British trade, competiveness, and innovation, says the CSIS.
But in responding to these threats, it can be hard to tackle specific attacks. "Low level attacks are now not isolated events but continuous," says Gracie, meaning that "cyber defence as a result has become not a matter of designing a hard perimeter that can repel attacks but detecting where networks have been penetrated and responding effectively where this occurs".
The Bank's solution? The bespoke CBEST vulnerability testing framework. Launched in May, it'll be deployed to allow firms to test for any areas in which they are vulnerable. Its unique selling point? It funnels intelligence directly from UK government agencies, with support from commercial intelligence providers.
While participation is voluntary, the Bank of England expects take-up to be "significant". Gracie says that CBEST is to "bring together the best available threat intelligence from government and elsewhere, tailored to the business model and operations of individuals firms, to be delivered in live tests, within a controlled testing environment."