Bank of England audio leak followed loss of key staff
The Bank of England restructured its security department and lost multiple senior employees in charge of protecting some of Britain's most critical financial infrastructure shortly before it suffered a major breach, the Observer can reveal.
After the central bank admitted that hedge funds had gained early access to its market-moving press conferences via a backup audio feed, multiple former employees contacted the Observer to warn that the Bank was struggling with the departure of key staff responsible for protecting it against external threats.
The sources said at least 20 of the Bank's staff tasked with information security had left or been reassigned elsewhere within the bank within the past year, raising questions over the protection of the nation's payment systems and other critical infrastructure vital for the British financial system. The Observer was able to verify 13 of these departures using information from social media and other sources.
The revelations come at a sensitive time for the Bank as it prepares for the handover of power in March from Mark Carney, the outgoing governor, to Andrew Bailey, the current chief executive of the Financial Conduct Authority.
Threadneedle Street has also played a central role in efforts to improve the safety and integrity of the financial system since the 2008 banking collapse, including warning the industry to improve its cyber and information security operations. It is responsible for key parts of the nation's critical infrastructure, including the payments systems that carry every bank transfer made in Britain, the wages of millions of people, cheques, and payments between businesses of all sizes. On an average day in 2018, the Bank's real-time gross settlement system (RTGS) settled transactions worth £651bn.
According to the former employees, the Bank's chief information security officer and two deputies have left in the past year. Multiple former employees described the organisation as beset by budget cuts before Carney's departure, against a backdrop of concerns over cost efficiency. They said there were problems with staffing given the departures and low staff morale.
Much of the disquiet stemmed from a move to dismantle the Bank's "security and privacy" directorate, the people said. The team, part of the central services division, previously had oversight over cyber, personnel and physical security matters, as well as privacy. Staff and responsibilities were instead spread across other parts of the organisation.
It is understood that many of the people now sit under the Bank's technology, security and risk directorates, in a move designed to make the organisation safer. The Bank has about 70 cybersecurity professionals. A Bank of England spokeswoman said: "The Bank operates the highest standard of information security and is confident in our ability to recognise cyber threats and defend our systems appropriately. Earlier this year, the Bank completed a review of its central services target operating model and, as part of that, reinforced the arrangements for first- and second-line information security. This change was fully supported by the Bank's audit and risk committee."
The Bank admitted late on Wednesday night that it had suffered a security breach, with a provider of a backup audio feed of the governor's market-sensitive press conferences selling early access to unnamed investors without its knowledge. Those investors could have used the few seconds' advantage to profit.
It was alerted to the breach by the Times newspaper, conducted a rapid internal investigation and passed the matter to the FCA. The City watchdog has confirmed it is investigating the issue, and it is understood that Bailey will recuse himself from all discussions of the matter to avoid any suggestion of a conflict of interest.