The Bank of England and the Prudential Regulation Authority have written to PRA-regulated firms and relevant financial market infrastructures (FMIs) setting out thematic findings from the 2024 Cyber Stress Test, a voluntary and exploratory exercise that modelled a suspected cyber-attack affecting the integrity of transaction settlement. Firms are expected to consider the findings, and the annexed test materials, as part of implementing operational resilience policies and assessing financial stability impacts. The exercise tested suspected, confirmed and longer-duration cyber scenarios and assessed operational, financial and confidence effects. Participants showed mature modelling and response capabilities, but most did not have a mature understanding of the Financial Policy Committee’s (FPC’s) payments impact tolerance or how response decisions could, in some scenarios, contribute to financial instability. The letter highlights practical mitigants and barriers, including the use and testing of workarounds with FMIs, the need for data and processes to identify and prioritise transactions that matter for market integrity and financial stability, and the importance of sector coordination and clear communications under the Sector Response Framework. It also flags liquidity risks from failed settlement, limits on providers’ ability to extend credit in a prolonged incident, and the financial stability implications of firms’ disconnection and reconnection choices, including the possibility that third-party assurance timelines could exceed impact tolerances. Next steps focus on firms and FMIs integrating the lessons alongside their own testing and real-incident learnings into continuous improvement. Participant confidentiality may now be relaxed, and participating firms are encouraged to share their experience with customers, sector groups and home state regulators.

Original source View in tracker