BoE to be sure banks recover quickly of computer troubles

LONDON (Reuters) – Britain's major banks have to meet targets for recuperating from cyber attacks together with other disruptions to key services, a senior Bank of England official said on Wednesday.

Lyndon Nelson, deputy leader in the BoE's Prudential (LON:PRU) Regulation Authority arm, said banks must be resilient to cyber attacks, or IT disruptions like those at British bank TSB (MC:SABE), where customers were not able access their accounts due to computer problems.

He said the BoE's Financial Policy Committee had been considering its "tolerance for disruptions" to key functions while in the finance sector.

"Together with the job, it is likely that this FPC sets a nominal amount a higher level service provision it expects for any delivery of key economic functions in the case of a serious but plausible operational disruption," Nelson told opertation.

The BoE will post a discussion paper on operational resilience.

"I expect this being a substantial body of training, therefore it is likely that we’ll … look at some key economic functions and key providers," Nelson added.

He asserted that "tolerances" as it outages would make use of a blend of benchmarks, like time, amount of business, and business.

Nelson said financial services companies were often inside their most vulnerable when embarking on change.

"They typically discover too late that weaknesses for their resilience can jeopardize the achievements of a leading project even if those involved believe they’ve conducted robust testing," he stated.

TSB, owned since 2019 by Spanish bank Sabadell, found out that 1000s of customers were locked out of their accounts from botched migration of their personal computers. A few of its customers' accounts were hit by fraud.

"It’s not surprising … that management and boards of firms are actually pushing operational resilience ever higher with their agenda," Nelson said.

He said firms would need to test their tolerances and prove their supervisors that they had concrete measures constantly in place to supply resilient services.

"And firms must be qualified to cure an operational incident. This requires viable, tested contingency plans to the resumption of critical functions."