Today the Prudential Regulation Authority (PRA) has announced that it will invite a number of firms to participate in a voluntary cyber stress test. The stress test, which was announced in March 2021, will focus on a severe data integrity incident as the disruption scenario and will test firms’ ability to meet the impact tolerance for payments in a severe but plausible scenariofootnote [1]. Impact tolerance is broadly defined as the maximum level of disruption that could be tolerated for a service provided by the finance system.
The Financial Policy Committee (FPC) first announced that it would introduce cyber stress testing in June 2018footnote [2]. This was followed by a successful pilot in 2019. In March 2021, the FPC set an impact tolerance for payments and agreed that the next cyber stress test would focus on a retail payment systemfootnote [3]. The FPC also confirmed that the 2022 test should target the most systemic firms contributing in the end-to-end payments chain, as in the event of disruption, their ability to resume services in a timely manner was particularly important for UK financial stability.
The Prudential Regulation Committee in addition agreed to invite a limited number of firms with a smaller presence in the retail payment system to take part in this cyber stress test. The objective of expanding coverage of the cyber test, suitably adjusted for scale, is intended to provide valuable insight about the role and preparedness of smaller banks as a sector, and any systemic implications that may arise.
The cyber stress test is a separate but complementary exercise to the PRA’s operational resilience policy. However, it is our expectation that firms will be able to draw on their own preparations for the operational resilience policy for the purpose of the cyber stress testfootnote [4].
The PRA will contact the firms selected for invitation, and they will receive more information about the test in due course.
Record of the Financial Policy Committee meeting held on 11 March 2021, paras 78-82.
Record of the Financial Policy Committee meeting held on 11 March 2021, paras 78-79.
Prudential Regulation Authority, Policy Statement 6/21: Operational resilience: Impact tolerances for important business services, March 2021.