The UK’s financial regulator has told banks to strengthen and test their defences against the threat of Russian-sponsored cyber attacks as the stand-off over the future of Ukraine deepens.
Large banks with operations in the UK have been warned over the heightened risks stemming from Russia’s build-up of more than 100,000 troops around Ukraine, according to two executives who received a so-called “dear CEO” letter from the Financial Conduct Authority.
Regulators noted that the financial sector could be a target for retaliatory cyber attacks if an invasion of Ukraine leads to sanctions on Russian companies or oligarchs with ties to Vladimir Putin, the recipients of the letter said.
In the event of an invasion, UK foreign secretary Liz Truss has vowed to impose tough sanctions as well as widen the scope of Russian assets that can be targeted in the UK, including the possible seizure of London properties owned by billionaires with ties to the Kremlin.
“We have all received multiple formal warnings about Ukraine . . . [but] firms should be doing it anyway and need not require regulator prompting,” one of the recipients of the letter said, adding that his bank had already conducted exercises to test responses to an attack.
An executive at a large international bank said they were on “high alert” about potential cyber issues.
Systemically important lenders in the UK have also been contacted by British security services, such as the National Cyber Security Centre, with a similar warning.
“As you’d expect, we’re contacting firms to highlight the National Cyber Security Centre’s statement that organisations should bolster their cyber security resilience,” the FCA said in a statement. It added that all companies it regulates should look at their cyber security.
Alongside diplomatic efforts to de-escalate tensions, western allies are drawing up tougher penalties than those imposed after Moscow’s invasion of Crimea in 2014, which were widely criticised as toothless.
The EU is also preparing its own set of sanctions and the US has warned Russia it would face “massive consequences”, with the country’s largest banks and trading in its sovereign debt among possible targets.
The European Central Bank has also been consulting with the banks it supervises about their preparations in case of an attack, but has so far stopped short of issuing a formal written warning, according to a person familiar with the matter.
The discussions are to also check their ability to identify an attack when it happens and to quickly restore any IT systems that are disrupted, the person added.
This includes working with their outsourced providers of IT and cloud systems — such as Amazon Web Services, Google Cloud and Microsoft Azure — to ensure they can get the bank’s digital operations back up and running quickly, potentially by switching to a back-up system.
The ECB declined to comment.
Financial regulators and banks have already discussed the implementation and effects of possible sanctions against Russia. The Financial Times previously reported that the ECB requested details of banks’ own assessments and contingency plans, with a particular focus on those with large direct exposures such as France’s Société Générale, Austria’s Raiffeisen Bank and Italy’s UniCredit.
Several Ukrainian companies, websites and institutions have already been hacked and disrupted as tensions on the border escalate.
In the US, the New York Department of Financial Services late last month alerted financial services companies to the possibility of retaliatory cyber attacks if sanctions against Russia are imposed, Reuters reported.