Mandatory cyber-testing just around the corner, says Bank
Chris Hamblin, Editor, London, 3 November 2015
Andrew Gracie, the Bank of England's executive director for resolution who is also responsible for the operational resilience of the financial sector, including cyber risk, recently told a meeting that compulsory cyber-security testing was on the way for "the bigger firms" in financial services.
The director was addressing a meeting of the BoE's court of directors, the minutes of which have just been published. The other directors were asking him about CBEST, a Bank of England programme that tests cyber-defences at banks. CBEST became operational last year and, by all accounts, works well.
According to the minutes, Gracie said that voluntary participation in such tests "was the formal position, but the supervisors were making participation a clear expectation and in practice it was becoming close to mandatory for the bigger firms."
When the directors asked how the Bank was ensuring that bank chairmen and CEOs were taking cyber risk seriously and taking trouble to understand the nature and scale of the threat to their businesses, Gracie said "that would be (and had been) part of the supervisory discussions."