IT has become deeply ingrained into every aspect of people’s lives; it has improved the interconnectedness of financial systems, but has also introduced new risks, posing the question: what if something goes wrong? The threat of cyber attack has never been greater for central banks, which stand to lose more than just money – their reputations are on the line.
As a result, regulators worldwide have been forced to get ahead of the curve, something that does not always come naturally to cautious central bankers. In the eurozone, the bloc’s key central bank has taken an innovative approach to ensure regulated firms’ systems are impenetrable to cyber attacks.
In 2018, the European Central Bank (ECB) launched the European framework for threat intelligence-based ethical red teaming (Tiber-EU). It is the first cross-border, multi-jurisdictional, multi-regulator initiative, and has raised the standard of cyber security testing across Europe. Unlike some other initiatives that have been introduced – including the Bank of England’s well-regarded CBest – this framework can be adopted by any country.
Since its publication, Tiber-EU has been adopted by firms in eight European countries, including the Netherlands and Germany. Others in countries outside the EU, including Canada and Australia, are also looking to adopt the framework.
According to the ECB, the Tiber-EU test is “an advanced simulated cyber test on an institution, which is informed by threat intelligence and replicates the tactics, techniques and procedures of real-life attackers”. It can be used on any type of institution and sector. The framework is unique in that its tests are performed on global banks and financial market infrastructures, involving many regulators on a cross-border basis.
For the exercise to run, the Tiber-EU test has to be adopted by the country’s central bank either as a supervisory, financial stability or catalyst tool. Once adopted, financial institutions deemed core national infrastructure will be approached to conduct the test. The institution works with the Tiber team from the national authority to determine the scope of the test, after which it procures a threat intelligence and red team provider. At the end of the test, a stakeholder meeting is held to discuss the test’s findings and any remediation plans. To help financial firms conduct the exercise, the ECB has also published Tiber-EU – Services procurement guidelines and Tiber-EU white team guidelines.
Tests performed across Europe have already led to changes being made. Financial infrastructures have improved protection, detection and response capabilities.
Financial firms are ultimately responsible for “locking their doors and windows”, but the ECB has taken a proactive approach to ensure the stability of the European financial system. The growing cyber threat has transformed the financial world in recent years, and the ECB has stepped up to the plate, collaborating and innovating to ensure awareness and protection against cyber risks.