Bank of England U-turns on Vulnerability Disclosure Rules
The UK’s financial regulators have scrapped plans to mandate that “critical third party” (CTP) organizations disclose new software vulnerabilities to them.
The decision was taken in response to feedback on a new set of policies, which are designed to enhance the operational resilience of the UK’s financial system and related CTPs.
A joint statement from the Bank of England, Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) recognized that the mooted rules could have unwittingly invited extra cyber risk.
“Respondents were particularly concerned about potential requirements or expectations on CTPs to disclose unremedied vulnerabilities (in the cybersecurity sense) to the regulators and to the firms they provide systemic third-party services, as this could increase the risk of threat actors exploiting these vulnerabilities, which would go against the overall objective,” the statement noted.
“In response to this feedback, the regulators have […] removed any requirements and expectations on CTPs to disclose unremedied vulnerabilities (in the cybersecurity sense) to the regulators and to the firms they provide systemic third-party services to.”
The regulators also received expert industry feedback that their draft rules were poorly worded, specifically use of the term “vulnerability” in more than a cybersecurity context.
“Respondents explained that, in cybersecurity terminology, the term ‘vulnerability’ would be defined as ‘a weakness, susceptibility or flaw of an asset or control that can be exploited by one or more threats.’ However, in various parts of the regulators’ draft rules and draft supervisory statement, ‘vulnerability’ was used in a general, ordinary-language sense,” the statement read.
“In response to this feedback, the regulators have […] reviewed all uses of the term ‘vulnerability’ in their rules (where it is now only mentioned once) and, in particular, SS6/24 [and] replaced all instances where ‘vulnerability’ was used in its ordinary-language meaning with ‘areas of improvement.’”
The incident highlights the importance of regulators eliciting industry feedback before sweeping new rules are finalized, especially in technically complex fields like cybersecurity.
The Worst-Case Scenario
Sylvain Cortes, VP strategy at Hackuity, agreed with the regulators’ decision to revise their original policy.
“Transparency is key to collaborative efforts in combatting cybercrime, however publicising vulnerabilities too early could increase the risk of financial cyber-attacks by providing threat actors with a clear map to exploit weak points,” he argued.
“A coordinated disclosure process on the other hand allows third parties time to manage and patch vulnerabilities ahead of public disclosure. It only takes one exploited vulnerability, in one third party, to compromise the security of multiple financial services. From operational disruption to significant financial loss, the potential damage of disclosing vulnerabilities too early could ripple through the sector.”