Simply CBEST – regulators highlight senior manager responsibility for cyber security

On 31 January 2023, the supervisory teams of the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) sent an email to all Senior Managers with responsibility for cyber.

What did this email contain?

The email summarised the thematic findings from the last annual cycle of CBEST assessments conducted by the Bank of England, the PRA and the FCA on participating banks, insurers, asset and investment managers and Financial Market Infrastructure. 

What is ‘CBEST’?

  • CBEST is a framework for intelligence-led penetration testing.
  • It focuses on an organisation’s security controls and capabilities when faced with a simulated cyber-attack.
  • Simulated attacks are tailored to the threat and vulnerability profile of each organisation and represent an evidence-based and robust testing approach. 

How did the regulators capture their findings?

They collected data from over three hundred and fifty penetration tests conducted on fourteen firms.  Using this data, they identified trends and findings symptomatic of the sector’s current cyber-posture and presented common control weaknesses.

What is the purpose of these findings?

  • Ensuring that firms benefit from shared knowledge about identified weaknesses – enabling them to address potential similar weaknesses within their own firms.
  • Raising awareness of the importance of cyber-security generally amongst senior executive teams.
  • Informing the work of risk and internal audit functions within firms.

You should be aware that regulators may use these findings to structure future supervisory interaction, and to assess the level of engagement firms have achieved with their senior executive team, risk and audit functions on the issues identified as in need of remediation.

Why is this important to you?

If you are a senior manager with responsibility for cyber security, you need to be aware of these thematic findings. More generally, you are subject to the Duty of Responsibility – meaning that you must take ‘reasonable steps’ to ensure that a breach does not occur in the area of the business for which you are responsible. You will need to identify cyber vulnerabilities within your area of responsibility, develop a remediation plan, and implement that plan in good time. Just as important, you must evidence the steps that you have taken. Regulators take the view that “if it isn’t evidenced, it didn’t happen” – a properly documented audit trail is the only way in which you can hope to discharge the legal obligation to which you are subject.

How can we help?

Corterum enables you to manage and demonstrate SM&CR compliance. It will save you time.  It will enhance the robustness of internal processes.  It will give you personal protection.

Compliance with the SM&CR doesn’t have to be complex. If you are interested in learning more and getting on top of your cyber regulatory requirements then get in touch with us.