Cyber Incident Response Plan for Banks in the UK | GBAF | GBAF

Cyber Incident Response Plan for Banks in the UK | GBAF | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Top Stories > THE SCENARIO: A CYBER-ATTACK ON A MAJOR LONDON-BASED BANK.

THE SCENARIO: A CYBER-ATTACK ON A MAJOR LONDON-BASED BANK.

Published by Gbaf News

Posted on June 11, 2014

4 min read

Last updated: January 6, 2025

THE SCENARIO: A CYBER-ATTACK ON A MAJOR LONDON-BASED BANK. - Top Stories news and analysis from Global Banking & Finance Review

By Ted Julian, security expert and CMO of Co3 Systems

Details known: Very few.

Initial steps: Stop the bleeding and assume the worst.

When a cyber incident is discovered, organizations often don’t have all the facts initially. This can pose a major challenge to those charged with incident response. Given this reality, what should be done first? Of course, organizations should already have a plan in place for dealing with potential security incidents. Having a plan and following it will help to calm the initial chaos. But what steps must be taken as part of that response plan? And what about banks unique breach response requirements like those required by regulators and the risk of financial harm both to customers and the bank itself?

Ted Julian, CMO, Co3 Systems

Ted Julian, CMO, Co3 Systems

To answer these questions, we simulated a cyber breach using the Co3 platform. We modeled a worst-case system intrusion in order to highlight potential disclosure requirements as part of the broader response effort. We indicated that the breach included the compromise of unencrypted, personally identifiable information (financial information, to be exact), thereby creating foreseeable harm to bank customers.

Specifically, our simulated breach parameters included:

Incident type: System Intrusion
Personally Identifiable Information involved: Yes
Harm foreseeable: Yes
Data encrypted: No
Data types involved: first and last names, addresses, phone numbers, email addresses, financial account numbers, and passwords
Number of records involved: 100,000

The resulting response plan includes 37 tasks broken into the following categories:

Engage Phase: 5 tasks
Detect/Analyze Phase: 13 tasks
Respond Phase: 8 tasks
Data Breach – Authority Notifications: 3 tasks
Data Breach – Individual Notifications: 1 task
Data Breach – General: 1 task
Post-Incident Phase: 6 tasks

IT-related, “stop the bleeding” tasks include items like collecting system data, analyzing intruded systems and network traffic, and creating backups of affected systems. In addition, known vulnerabilities should be evaluated and any other intelligence that may be available should be consulted.

From a breach notification point of view, the risk of harm is a key factor. According to guidance issued by the Information Commissioner’s Office (ICO), organizations that experience a data breach must look at the potential harm to those involved when deciding whether or not to disclose the breach to consumers or regulators. The ICO provides a list of details to consider when making such an assessment. Some things to consider are what type of data is involved and how sensitive is it? Are there protections in place, such as encryption? What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?

Financial institutions in the UK have an additional step when it comes to data breaches. According to the Financial Services Handbook, banks and other financial firms must notify either the Prudential Regulatory Authority or the Financial Conduct Authority, as appropriate, as soon as it becomes aware of “any matter which could affect the firm’s ability to continue to provide adequate services to its customers and which could result in serious detriment to a customer of the firm”. Clearly, a system intrusion at a financial institution that results in unauthorized access to or acquisition of personal data falls under that category. When notifying the regulator, the notice should contain information and circumstances about the breach, as well as any steps that the firm has taken or intends to take to rectify or remedy the breach or prevent any future potential occurrence.

As you can see from this exercise, cyber attack incident response spans not only a range of IT systems and processes, but also – and this is crucial for banks – a multitude of regulatory requirements, potentially including privacy breach disclosure. As such, effective incident response must span all of these functions and include representation from across the organization: IT, legal, compliance, privacy, marketing, HR, and so on. The only way to ensure the effectiveness of such a far ranging exercise is through practice.