
Treasury Committee, House of Commons, Committee Office, 14 Tothill Street, London SW1H 9NB. Tel 020 7219 5769. Fax 020 7219 2069. Email treascom@parliament.uk. Website www.parliament.uk/treascom

Sam Woods Esq. Deputy Governor for Prudential Regulation Bank of England Threadneedle Street London EC2R 8AH

28 September 2016

RESILIENCE AND SECURITY OF IT SYSTEMS IN FINANCIAL SERVICES

Earlier this year, your predecessor Andrew Bailey responded in writing to concerns of the Treasury Committee about the resilience and security of information technology in financial services. These concerns remain, along with a strong desire to see vigorous action from regulators and banks to remedy these weaknesses.

Interruptions to the continuity of bank payments services are unacceptably common. It also seems highly plausible that criminals are stealing money from the banks and their customers by electronic means. Not all of these attempts may have been made known to the public. Perhaps some are not known to the banks. Bearing in mind that the banks' main job is to look after their customers' money, and make it available to them, this is not a happy state of affairs. The Committee is not aware of robust evidence that either of these serious weaknesses in our banking system is on the mend. Mr Bailey's letter raises a number of further questions.

Delineation of responsibilities for cyber-security. The PRA and FCA are undertaking further work to achieve a "clear articulation of the responsibilities of each authority" regarding cyber-security. This suggests that you do not, at present, have well-defined responsibilities when it comes to cyber-security and resilience. Does it also mean that neither authority has the capacity to address the problems of cyber-security? Are you confident that, between you, you have all the information you need to assess the scale of criminal attempts to steal money from financial institutions or their customers by electronic means? Will a clear allocation of responsibilities be fully settled for the launch of the National Cyber Security Centre, scheduled for October? It is intended that the Centre will work with the Bank of England to produce advice for the financial sector on managing cyber-security effectively.

Improvement plans and senior management. In his letter, Andrew Bailey said that "PRA supervision teams have been working with firms to agree improvement plans" for their cyber-security and resilience. A recent KPMG survey found that 12 per cent of bank CEOs do "not have insight into whether their institution's security has been compromised by a cyber-attack".[1] Given the great importance of cyber-security and continuity of service to banks and their customers, it is indefensible that some CEOs are unaware of such matters. Does the Senior Managers Regime require banks to have an explicit senior management function with responsibility for information technology? It probably should.

Vulnerability of SWIFT. Earlier this year, hackers fraudulently obtained access to the SWIFT secure inter-bank messaging system, to steal $81 million from a Bangladeshi bank by means of fake transaction orders. It now transpires that more such thefts have occurred. Hackers have been exploiting vulnerabilities in the security systems of other banks which use the same system. This leaves UK banks and their customers open to large-scale losses. What have you done to ensure that inadequate security measures at banks participating in SWIFT are urgently addressed? Is there merit in clarifying that banks who do not take measurable steps to remedy will face regulatory action?

Identity fraud. Online banking fraud is now the second largest category of payment fraud, behind card fraud. Several banks are now allowing customers to access their accounts online after verifying their identity using biometric data. It has been put to the Committee that biometric data can be relatively easily obtained by fraudsters. What is your assessment of the security of remote and online banking applications, and in particular the use of biometric information to verify customer identities? By definition, even when compromised, biometrics cannot be changed by the customer. If so, banks - and regulators - will need to plan for what they will do if customer biometric details are lost and/or illegally obtained by third parties. They will also need to consider how affected customers would be compensated; they may be unable to persuade their banks to release all the technical details needed to pursue their claim in court. Are you concerned about this? If so, what is being done?

[1] https://home.kpmg.com/us/en/home/insights/2016/05/12-of-banking-ceos-dont-know-if-their-bank-has-been-hacked-kpmg-survey.html

FCA in-house expertise. The PRA and FCA undertake supervision of the security and resilience of firms' IT systems using in-house specialists, or by commissioning Skilled Person reviews under section 166 of FSMA. In total, the PRA and FCA combined have commissioned six such reviews for "Lot 6" (data and IT infrastructure) matters since April 2013. This implies that both regulators are broadly satisfied that they possess the necessary skills internally to identify, assess and address risks in the financial services sector's IT systems, or at least to understand the reports of expert consultants and their implications. The Committee would appreciate further information and assurance about the depth of experience of your in-house specialists.

Cross-sectoral and international challenges. The challenges faced by financial institutions in the field of cyber-security are similar to those faced in other countries, and in other sectors (notably transport and industry). A domestic cross-sectoral approach could be helpful to both the regulators and regulated entities, and - if published and consulted on - could also help to reassure the public that the threats of cyber-crime were being managed effectively. What discussions have been held by the FCA or PRA with other regulators, domestic or international?

I am writing in similar terms to Andrew Bailey. I will be placing this letter, and your response in due course, in the public domain.

RT HON ANDREW TYRIE MP
CHAIRMAN OF THE TREASURY COMMITTEE