The Bank of England has published the findings of a war-gaming exercise that saw banks trying to defend against a theoretical cyber-attack from a hostile nation.
The war-gaming exercise, dubbed "Waking Shark II", was held in November last year and was designed to rehearse the response of the banking sector — including investment banks and key financial market infrastructure — to a concerted cyber-attack. The Bank of England's report said the event "successfully demonstrated cross sector communications and coordination", but said it also identified some issues to be addressed.
Around 220 people were part of the event — including 14 banks, six financial market infrastructure providers — as well as the Bank of England, Financial Conduct Authority, HM Treasury and other government agencies.
The report noted that the objective was to place the banking sector "under severe stress" and as such it admitted that some of the elements it featured "were extreme relative to the cyber-attacks that have been seen to date".
The scenario of Waking Shark II was a concerted cyber-attack against the UK financial sector by a hostile nation state "with the aim of causing significant disruption/dislocation within the wholesale market and supporting infrastructure".
It was set over a three-day period, the last day of which happened to coincide with a so-called 'Triple Witching' when contracts for stock index futures, stock index options and stock options all expire on the same day.
The three-day period was broken into phases, playing out various technical and business impacts from the scenario and how firms would manage their response to the cyber-attacks both on a technical level and from a business perspective. The event was designed to test communications rather than the actual defences of the individual banks.
Attack scenarios included denial of service attacks, which caused the firms' global websites and certain other internet-facing systems to be unresponsive or intermittently available, plus attacks that penetrated the firms' networks for disruptive and destructive purposes.
Also thrown into the mix were issues with end-of-day market data pricing files for some equities markets, causing challenges with overnight risk and margin calculations, problems with the clearing process and the processes used to instruct payments through agent banks and manage balances in accounts at agent banks.
Among the recommendations to come out the event was that a single body should be chosen to manage communications across the sector during such an incident. The report also noted that the participants did not report the cyber-attack to the police during the exercise and noted: "The types of attack witnessed during the Waking Shark exercise would constitute a criminal offence and organisations will be reminded of the need to report such incidents to the appropriate authorities, including law enforcement."