Treasury Committee chair calls for bank cybersecurity watchdog
The levels of cybersecurity employed by banks came under fire on Thursday morning, with Andrew Tyrie MP, chairman of the Treasury Committee, calling for a single point of responsibility to oversee the systems in place at financial institutions.
Tyrie had written again to Chancellor Philip Hammond, saying the lines of responsibility and accountability for reducing cyber threats remained “opaque”.
He said the Chancellor had previously stated that both a director-level group and a “governance framework” provided a single point to address cyber issues in the finance sector, but he still did not understand who was in charge.
“Is it the Director or does the framework take precedence? Who is he or she?
“A headless framework scarcely inspires confidence,” Tyrie quipped.
He added that it sounded “perilously resonant” of the “catastrophically inadequate and headless” Tripartite authorities, set up to monitor system risk in banking in 1997.
The Tripartite system was set up in 1997 to share responsibility for financial regulation between the Financial Services Authority, HM Treasury, and the Bank of England.
“The problem with such committees and frameworks is that all too often they only get the attention they deserve after a crisis – when it’s too late. This must not be permitted to happen in the case of financial cyber risk.
“It is essential that the intelligence community, regulators and wider Government are coordinated in making sure that financial cyber crime has a high priority, and is not subordinate to other work.”
Tyrie said any lack of coordination would inevitably lead to greater opportunities for criminals to exploit vulnerabilities in the banking industry’s IT systems, which were already under “frequent attack”.
“A single point of responsibility for cyber risk in the financial services sector – with a direct line of accountability to a single official, in turn accountable to a single minister, such as the Chancellor – is now required.”
It was the latest chapter in a long line of questions brought by Tyrie in the area of bank cybersecurity, after he wrote to the regulators in January of last year, urging them to take action to ensure that banks improve the resilience and security of their systems and IT expertise.
He pointed out at the time that between June 2015 and January 2016, RBS, Barclays and HSBC suffered failures connected to their IT systems.
On the basis of the evidence he said he gathered from the chief executives of those banks, and of expert advice, Tyrie wrote to the FCA, PRA and the Chancellor in January 2016 with three suggestions.
He said the banks needed greater IT expertise at main board and subsidiary board level, as well as much greater resources put towards modernising, managing and securing banks’ IT infrastructures, and legal, regulatory, structural and cultural changes to the way banks manage their cyber security risks.
Since that letter, Tesco Bank was attacked in November 2016, with Tyrie calling it “the latest in a long list of failures and breaches of banking IT systems, exposing many thousands of customers to uncertainty and disruption.”