Launch of STAR-FS brings greater resilience to financial services sector

We are delighted to have collaborated with the UK’s Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) on the latest framework for the financial sector, Simulated Targeted Attack & Response assessments for Financial Services (STAR-FS).

STAR-FS focuses on intelligence-led penetration tests (ILPT), providing financial institutions the opportunity to assess their cyber resilience using a consistent, high quality standard.

The assessment helps financial institutions better understand any vulnerabilities and improve their defences against potential attackers. By taking the appropriate remedial actions, they can both safeguard their businesses and infrastructure, and in turn protect the wider financial system.

CREST continues to champion and help drive forward the standards needed worldwide to meet the challenges and demands, not only within the financial sector, but across all industries potentially affected by cyber threats.

The launch of STAR-FS will bring even greater surety and stability to the financial sector, and as a leader within the global cyber security community, CREST will roll-out this vital assessment framework internationally.

The Bank of England, Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have concurrently announced following:

We are pleased to announce the launch of a new threat-led penetration test assessment for the UK Finance Sector. STAR-FS is now part of the PRA and FCA supervisory toolkit, which also includes CBEST, to assess the cyber resilience of firms’ important business services. This assessment enables regulators and firms to better understand vulnerabilities and take remedial actions, thereby improving the resilience of individual firms and by extension, the wider financial system.

STAR-FS promotes a threat-led penetration testing approach that mimics the actions of cyber threat actors’ intent on compromising an organisation’s important business services and the technology assets and people supporting those services.

STAR-FS aims to provide:

an outcome-based assessment of financial institutions’ protection, detection and response technical capabilities against cyber-attacks;
an approach, conducted through a firm-led delivery model, that can identify cyber resilience vulnerabilities within systems, people and processes;
reduced regulatory and firm effort relative to other supervisory technical assessments such as CBEST;
levels of independent technical assurance beyond those ordinarily included in firms’ own penetration testing programmes; and
a testing approach accessible by a larger number of financial institutions to experience and learn from.

Here is a short list of STAR-FS unique features:

STAR-FS accredited threat intelligence and penetration test service providers are utilised to replicate real world attacks on operational systems.
STAR-FS allows for consistent formal reports to be used by firms to provide appropriate information to regulators of the level of technical cyber resilience.
STAR-FS can be self-initiated by firms as part of their own cyber programmes, as well as initiated by regulators as part of supervisory oversight, to inform assessments of protection, detection, and response capabilities and uncover vulnerabilities through testing.
Self-initiated STAR-FS assessments could be recognised as a supervisory assessment if regulators are notified of the STAR-FS, given the opportunity to input to the scope, and then receive the relevant requested outputs at the end of the assessment.

How to become accredited as a CREST STAR-FS provider:

To become CREST accredited to deliver STAR-FS assessments, please email to [email protected]. The accreditation requirements are:

Complete or have valid Accreditation against the relevant CREST STAR discipline (STAR ILPT or STAR Threat Intelligence (TI))
STAR-FS TI – CCTIM + 3 references from work within the financial services sector
STAR-FS ILPT – CCSAM & CCSAS with 2250 hours experience + 3 references from working within the financial services sector

The CREST UK STAR-FS Implementation Guide is available on the Bank of England website: https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector.