In case of emergency
What more could have been done to lessen the effects of the attack?
Imagine this scenario: major disruption has hit the high street. People are unable to withdraw cash from ATMs and businesses cannot take card payments. It emerges that some large banks are struggling to function because unknown rogue elements have hacked a major cloud services provider.
Outsource cloud provider
Cloud service providers are not directly regulated but have service level agreements with banks. These agreements must be carefully negotiated as they include what the provider and bank must do in the event of problems.
But if multiple banks are affected, who gets back online first? Would a US provider prioritise US banks?
Who checks cloud providers?
- Banks may not learn about the provider’s issues or past incidents.
- Accountability lies in service level agreements. Banks need to understand how their contracts work in challenging times.
- Cloud providers’ servers may be situated in difficult locations – like under the sea.
Using the cloud is cheaper, faster and more flexible than on-site technology, but the cloud service market is concentrated (Amazon Web Services and Microsoft dominate). This presents a risk if too many banks rely on the same service provider.
Banks may have insurance policies that cover some attacks and events, but how those policies work in practice is not always clear.
Boards may lack the skills and understanding of cyber risk and cloud computing to effectively oversee decisions.
What should boards do?
- ICAEW Financial Services Faculty’s report Information overload: effective boards and committees in financial services can help businesses understand how to cope with new risks.
- Increase the diversity of skills, perspectives and experience on the board so that it can understand and effectively manage these risks.
Regulators hold banks responsible for their outsourcing arrangements. However, when multiple banks are affected at once, the consequences may be more severe. Regulators do not test on the basis of many banks using the same providers, or the risk that such concentration could present.
The UK banking system is subject to an annual financial stress test and a cyber stress test will take place later in 2019.
The Bank of England uses the CBEST framework to simulate cyber-attacks on banks.
What should regulators do?
- Undertake more integrated stress testing.
- Ensure an effective dialogue with banks and their auditors, both separately and together.
- Look at how the financial world is changing, and the effect of peer-to-peer lending and non-banks on the system as a whole.
Auditors look at the financial statements and how the bank puts them together, which includes information drawn from the cloud provider. They also give an opinion on whether the business is going to survive the next year. Cyber-attacks are unpredictable in timing and nature, but they can mean that a business is disrupted. So why don’t auditors tell us more about when a business may be at risk? Auditors test systems and controls, which play a role in preventing attacks (thousands of which are attempted daily), but this is not a wholesale review of cyber defences.
How should audit change?
- The Brydon review will look at how audit will evolve.
- Professional scepticism is key to a successful audit. ICAEW’s latest report can be found here.
Who would this impact?
- People may not be able to withdraw cash at ATMs or make card payments.
- Payment runs could fail, affecting businesses, employees and suppliers.
- Derivatives and other contracts might not get settled, inhibiting business activity.
Everyone has a role to play in dealing with new and important risks. While these might seem unlikely, the consequences affect everyone. Understanding more about what banks, auditors and regulators can do is part of an ongoing project at ICAEW. If you would like to get involved, contact firstname.lastname@example.org