Financial services companies will be subject to “cyber stress tests” to establish if they could recover in the event of a major breach, the Bank of England said today.
The bank is establishing new standards for how long a bank’s ability to deliver key services, such as providing payments and insuring against and dispersing risk, would take to recover.
It described this period as the “impact tolerance” and said its goal was to mitigate “systemic risk” to the financial system.
For example, it said disruption to a bank’s payments could have an impact on the real economy by preventing customers of that bank from paying for things and accessing their money.
Working with the National Cyber Security Centre, the bank plans to test financial services companies’ abilities to recover in the event of a major cyberattack.
It said these “cyber stress tests” would be “severe but plausible”.
Firms subject to stress testing will need to demonstrate their ability to meet the standards for “impact tolerance”.
Where firms fail these tests they will have to agree remedial action plans to improve their ability to face similar situations in the future.
The bank said it would start with a pilot scheme focused on payments next year, but did not say which companies would be included in the test.