In our previous post in the ‘Global Regulatory Frameworks Compared’ series, we looked at the UK’s financial regulatory framework – CBEST. The CBEST framework, introduced by the Bank of England (BoE) and the Financial Conduct Authority (FCA) in 2014, was the first step in a series of more proactive measures to combat the misalignment of cybersecurity standards across the board.
Four years later, TIBER-EU was published by the ECB and the EU national central banks and approved by the Governing Council of the ECB. This was driven by the observation that other intelligence-led assurance programmes had enhanced the resilience of various financial systems. Consequently, multiple regulators around the world began exploring and creating their own frameworks.
Recognising the challenges of having multiple competing frameworks, the ECB decided to look at building a pan-European framework that could be leveraged across the whole of the Eurozone. Below, we’ll explore the TIBER-EU regulatory framework and analyse how it holds up against its global counterparts.
Europe’s Approach – TIBER-EU
Within the EU, a similar development took place initially in the Netherlands, where the Dutch National Bank (DNB) introduced the TIBER-NL scheme. This built further technical enhancements into the process and aligned the threat intelligence products more closely with the testing needs.
The TIBER-EU framework continues the refinements started by TIBER-NL and builds further on the fundamentals of the CBEST intelligence-led penetration testing approach. There is significant alignment between the TIBER-NL and TIBER-EU frameworks, the main differences being the national versus European scope and the oversight requirements. At this stage, TIBER-EU only references the need for certified and accredited service providers and does not define minimum requirements. Adoption by national and European authorities is gaining pace, with Belgium, Denmark, Germany, Ireland, Sweden, France and Italy using TIBER-EU to develop and implement their own domestically focused TIBER regimes.
TIBER-EU Regulatory Framework Objectives
The TIBER-EU framework is designed to be used not only across all the national boundaries within the EU but also within other sectors. On one level it provides much wider breadth and increased flexibility, but it is also designed to be taken up by a large range of authorities and adapted to suit local needs.
The core objectives are shown below:
1. Enhance the cyber resilience of entities, and of the financial sector more generally;
2. Standardise and harmonise the way entities perform intelligence-led red team tests across the EU, while also allowing each jurisdiction a degree of flexibility to adapt the framework according to its specificities;
3. Provide guidance to authorities on how they might establish, implement and manage this form of testing at a national or European level;
4. Support cross-border, cross-jurisdictional intelligence-led red team testing for multinational entities;
5. Enable supervisory and/or oversight equivalence discussions where authorities seek to rely on each other’s assessments carried out using TIBER-EU, thereby reducing the regulatory burden on entities and fostering mutual recognition of tests across the EU; and
6. Create the protocol for cross-authority/cross-border collaboration, result sharing and analysis.
The 3 Phases of TIBER-EU Testing
Although the overall process outlined in TIBER-EU is shown as relatively linear, within each phase there are additional details outlining the actual non-linear process interactions. The framework treats the threat intelligence (TI) and red team (RT) interactions as a single collaborative testing phase, which runs in parallel. It is envisaged that the overall process will take between twenty-three and twenty-seven weeks, excluding TI/RT service provider procurement.
The overall process is shown below:
For a full breakdown of the above phases, download our ‘Global Regulatory Frameworks Compared’ whitepaper and head over to page 16.
How does TIBER-EU compare to CBEST?
The table below provides an overview of the main characteristics of four frameworks: the three driven by regulators (CBEST, TIBER-EU and iCAST) and the red teaming approach put forward by ABS in Singapore. For the purpose of this post, we are focusing on CBEST and TIBER-EU.
What is the current status of the TIBER-EU Framework?
Current Status: Repeatable (Evolving) – The framework has been released and numerous countries are now using their own versions for testing.
1. Acknowledges that engagement of service providers will be less controlled and not fully formed;
2. More far-reaching objectives and scope, extending beyond financial services;
3. No clear guidance on use of certification to ensure competence of the parties involved;
4. The white team effectively share the management responsibility with the TIBER cyber team;
5. Advocates the use of generic sector-based threat intelligence analysis to form the basis of targeted reports, to improve effectiveness;
6. Clearer indication of the stakeholders, which is necessary given the increased framework flexibility;
7. Better details defining the white team, but could go further to address the level of skill and expertise of the entity;
8. Allows and seeks to generate much more collaboration between both TI/RT providers and the authorities testing cross border entities;
9. Less prescriptive and more scalable, which may lead to increased risks because of an iterative and flexible testing approach.
How should you respond to TIBER-EU Requirements?
Ensure you understand and align your organisation with the latest thinking, approach and maturity in cyber resilience. CBEST and TIBER-EU are leading the world in a robust approach to assessing readiness for cyber events.
No matter how much money has been spent, or how complex an organisation considers its cyber resilience and strategy to be, a threat led assessment will always validate and provide the reality on the ground about its effectiveness. Penetration testing has failed at this, or to be fair, penetration testing was never designed for this purpose.
You should consider adopting a threat led assurance approach as a pillar within your own cyber security strategy regardless of any regulatory pressure.
How can Nettitude help?
Nettitude is fully experienced and seasoned to guide you on your TIBER-EU cybersecurity journey, catering for the scale and complexity of a multi-stakeholder testing engagement and delivering a fully collaborative, risk-managed engagement where there is cross-border acceptance of testing results.
We firmly believe that one of the key outcomes from a TIBER engagement is to enhance an organisation’s ability to detect and respond to sophisticated adversaries. As a consequence, a purple teaming initiative is conducted as a final stage in the engagement; this facilitates prescriptive guidance on how to enhance detection and response capabilities.
Ultimately, Nettitude will help you test your security posture and operating model, provide insight and clarity around your ability to reliably prevent attacks and also detect and implement a response. By working with Nettitude, your TIBER-EU test will provide you with this insight and unparalleled levels of value to all of the stakeholders involved – answering the question ‘how vulnerable are we?’.
For more information on TIBER-EU Penetration Testing, get in touch with your local Nettitude team.
Download the full whitepaper here.
Previously in the blog series:
Edition No.1 - A comparison of global regulatory frameworks – CBEST
Next up in the blog series:
Edition No.2 - A comparison of global regulatory frameworks – TIBER-EU
Edition No.3 - A comparison of global regulatory frameworks – iCAST
Edition No.4 - A comparison of global regulatory frameworks – AASE
Edition No.5 - A comparison of global regulatory frameworks – a roundup of CBEST, TIBER-EU, iCAST and AASE.