LONDON (Reuters) - Britain’s banks may have to comply with the world’s first set of rules for coping with cyber attacks and other outages, Bank of England Deputy Governor Sam Woods said on Tuesday.
The theft of 2.5 million pounds from 9,000 customers of Tesco Bank (TSCO.L) last November rang alarm bells for regulators and put cyber security high up on their priority list.
Woods said a landmark case like that of Tesco Bank, where money was actually stolen from customers accounts, it is important to ensure the bank has enough capital to safeguard customers - but this was not enough.
While UK banks like HSBC (HSBA.L), Barclays (BARC.L), Lloyds (LLOY.L) and RBS (RBS.L) have had to undergo specific cyber resilience tests set by the BoE, Woods thinks that more needs to be done as the number of serious cyber attacks on financial firms rises.
The regulators’ “emergency” response system has been triggered six times in the past 12 months alone, Woods told the Reuters Financial Regulation Summit.
New, so-called “operational resilience” rules would spell out what systems at a firm underpin critical services, and the “tolerance” level for an outage before regulatory intervention.
“We need to ask ourselves, because no IT system is absolutely perfect, what is the degree of outage that is acceptable,” Woods said.
He foresees three levels of “tolerance”, the lowest for activities regulated by the Financial Conduct Authority, whose core aim is to protect consumers.
A second layer would be monitored by the BoE’s Prudential Regulation Authority, which Woods heads, and looks at whether the solvency of the firm being hacked remained robust enough.
A third layer would be set by the BoE’s Financial Policy Committee, which monitors threats to wider financial stability.
“At the moment nowhere in the world has anyone articulated a view on that stuff, and we are going to attempt to do so,” Woods said.
“It is extremely challenging, but I think we need to build that or we don’t have a solid basis to deal with this stuff.”
Woods expects the issue to be discussed at the FPC and PRA by the end of this year or early in 2018, depending on how the initial thinking develops.
“The reason I am cautious is because this is really an entirely new field of work. It is a greenfield site in regulatory terms,” Woods said.
“So as we go through it, I think it is possible we have to have several runs at it to get it right because we don’t want to agree something, impose something and then decide that it was really down the wrong track.”
Reporting by Huw Jones. Editing by Jane Merriman