Lyndon Nelson has spoken about the steps PRA takes to counter cyber risk. He described how PRA has looked at operational resilience in the context of cyber risk through testing, capabilities and coordination. It has carried out significant testing on 40 large firms, using ethical hackers and threat intelligence, and committing intensive resource to see how firms’ locks could be breached. The programme evolves to address emerging threats.
Additionally, PRA is looking to develop a new type of regular cyber-stress test, which will focus on restoring functionality after an incident.
PRA also carries out many simulation exercises, based on severe but plausible scenarios, and is active in international work, as part of the G7 cyber experts group.
It will continue to look at risks, and has identified issues relating to poor “cyber hygiene” which need to be addressed, such as poor user account and password management, poor configuration of IT infrastructure and shortcomings in vulnerability management and information storage.
He finished by speaking of the future of the Escher Penrose Steps in rolling out the operational resilience policy.