Cyber Security Practitioner

Volume: 4 Issue: 5
(May 2018)



ECB publishes cyber attack test framework

The European Central Bank (‘ECB’) published its European framework for testing financial sector resilience to cyber attacks (‘Framework’) on 2 May 2018. The aim of the ‘TIBER-EU’ framework is to assist financial market entities in gaining insight into their protection, detection and response capabilities, in order to help them combat cyber attacks.

TIBER-EU takes the form of an intelligence-led ‘red team’ test conducted by third party threat intelligence providers and red teams, which mimic the tactics, techniques and procedures of real cyber threat actors. This enables entities to assess their defences and response capabilities in a harmonised, EU-wide capacity, and facilitates supervisory discussions that rely on each entity’s assessments, with the objective of reducing regulatory burden and fostering mutual recognition of tests across the EU.

There are four stages that relevant entities should undertake in the TIBER-EU process, the first being optional and the remaining three mandatory. Broadly, the first involves identifying the relevant high-end threat actors for the sector; in the second the scope of the test is determined; in the third the threat intelligence provider and the red team set out the scenarios for the test and execute it; and finally the red team drafts a report with details of the approach and findings, including advice on improvements where necessary. The entity then agrees a ‘Remediation Plan,’ sharing the key findings with the relevant authorities and gaining their approval to close the test once the Plan is agreed.

The ECB states that TIBER-EU is designed to be adopted by relevant authorities in any jurisdiction on a voluntary basis, and that its objective of facilitating testing for entities that are active in more than one jurisdiction and fall within the regulatory remit of several authorities is unique. Participation in the TIBER-EU scheme may be mandatory or voluntary, at the discretion of the relevant national or European authorities. “I think the Framework will see usage; the question will be how rapidly it is adopted,” said Andrew Moir, Partner at Herbert Smith Freehills. “Cyber security is increasingly a top priority for regulators, and if the regulators like the NCSC in the UK build TIBER-EU into their guidance (which would seem likely), adoption by regulated firms would then follow.”

The ECB states that authorities will only recognise a TIBER-EU test if it is conducted by independent third party providers, as external testers provide a fresh and independent perspective, which may not be feasible with internal teams that have grown accustomed to the organisation’s systems, people and processes. “As a general rule, financial services firms tend to have higher levels of cyber security than other sectors, due to the existing regulatory and governance frameworks with which they need to comply,” adds Moir. “While red-teaming conducted under TIBER-EU will no doubt expose vulnerabilities, I would hope that it won’t expose systemic or significant failures across the sector.”

At the time of publication, there has not been a specific timeframe indicated as to when TIBER-EU will be made available to the relevant financial entities.
