The increasing sophistication and scope of cyberattacks on financial services firms, and also against central banks and financial services regulators, has brought cyber-resilience into the focus of regulators and financial stability policymakers. This includes the EU's proposal for a new regulation, the Digital Operational Resilience Act (DORA), which is expected to take operational effect from 2024.[1] In 2018, the EU established a standard framework for cyber-resilience testing that addresses a wide range of firms and their operational processes, and on 2 May 2018 the European Central Bank (ECB) published its framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU).[2] Both the EU and the ECB see action by financial services firms to improve their cyber-resilience as crucial. The ECB wants to avoid a situation where a cyber incident affecting financial infrastructures could evolve into a systemic financial crisis. Assessing whether or not this will happen hinges on identifying whether a cyber incident will escalate from the operational level to the financial level, and ultimately start damaging confidence.

The ECB's new framework is voluntary and mandatory at the same time. The overall supervisory policy outcome is to improve the capabilities of supervised financial services firms, but also of supervisors, in dealing with cyber-threats from real-life actors (regardless of provenance) and their impact on financial services firms in general, but equally in respect of the "critical economic functions" they perform and what that means in terms of their impact on the wider market. For firms covered by these EU rules, this means that they must, among other things, ensure that they have suitable service providers, who must meet certain standards to be certified to perform a "TIBER-EU" test.

This Client Alert assesses the ECB's 2018 publication of the TIBER-EU framework (including the White Team Guide) against the backdrop in 2021 of an increasing shift by financial services firms to meet customers' demands for digitisation, online services and mobile applications, as well as a sustained move amongst firms, their counterparties and their clients towards remote and location-independent working. While finance may be changing, so too is the range of threats to operational and, equally, cyber-resilience. Threat actors are evolving rapidly and constantly adapting their tactics, techniques and procedures (TTPs) to remain ahead of financial services firms' defences.[3]

Introducing TIBER-EU

TIBER-EU makes partial use of military terminology for naming various newly introduced terms. "Red-teaming" takes its name from military antecedents and refers to the process of testing vulnerabilities, along with the readiness and resilience of a test subject and the capabilities and effectiveness of its response force, i.e., the Blue Team. Red Team actions are unknown and masked to the Blue Team; only a select group, i.e., the White Team,[4] has access to the details of the test and the "flags", i.e., the objectives that the Red Team has to "capture", applying TTPs dynamically to achieve that goal.

The TIBER-EU framework marked the ECB's first foray into the area of cyber-resilience and defining what constitutes best practice, along with an "Annex" which sets out the requirements that are mandatory (most are) and those that are optional. The ECB is acting here not only in its role as a central bank but, more importantly, in its financial market infrastructure and financial stability oversight capacity. Equally, while TIBER-EU follows the efforts of the ECB, acting at the head of the Banking Union's Single Supervisory Mechanism (SSM), it goes much further than the SSM's supervisory priorities and actions on cyber-resilience to date, in particular the CPMI-IOSCO Guidance on Cyber-Resilience for Financial Market Infrastructures, which the ECB "operationalised" in its 2018 Cyber Resilience Oversight Expectations (CROE).[5]

The TIBER-EU framework also has an important role in the ongoing supervision of key financial market infrastructure providers, given the framework's overriding emphasis on "critical functions" - which firms will want to identify by reference to the official definition used by the framework: "... the people, processes and technologies required by the entity to deliver a core service which, if disrupted, could have a detrimental impact on financial stability, the entity's safety and soundness, the entity's customer base or the entity's market conduct."

The ECB's publication also describes itself as the roadmap for how this framework "... will be applied across the EU" and not just the Banking Union. Firms should note that these ECB measures are supplemented by specific EU-wide measures, including those advanced as part of the EU's FinTech Action Plan along with best practice expectations set by the European Supervisory Authorities (EBA, ESMA, EIOPA) as well as national level authorities in several EU Member States.

DORA together with TIBER-EU provides a unique opportunity to address the current fragmentation in financial legislation and supervisory approaches in the field of digital operational resilience, including cyber resilience.

The extent of TIBER-EU's coverage

The focus of TIBER-EU is to create a common framework for a controlled environment in which red-teaming can test the resilience of entities using the tactics, techniques and procedures (TTPs, as TIBER-EU calls them) employed by actual threat actors. This should also enable firms to assess how well their people, processes and technologies are able to protect against, detect and respond to threats and attacks.

The advantage of TIBER-EU is that it is jurisdiction-independent and flexible. This is mainly because TIBER-EU is based on implementation guidelines, which makes it possible for different jurisdictions to make appropriate adaptations. It also simplifies cross-jurisdictional intelligence-led testing and cooperation, allowing flexibility for users (both market participants and stakeholders) and embedding and endorsing the use of equivalence decisions, so that one supervisor can rely on the assessment of another, thus fostering mutual recognition and sharing of results. TIBER-EU is addressed to stakeholders and policymakers shaping supervisory responses to improve cyber-resilience as much as to market participants that may be in scope of "TIBER-EU testing".

As with a range of other ECB rulemaking, TIBER-EU is designed to be "guidance" adopted on a voluntary basis (with mandatory parts as and when the guidance is adopted) and from a variety of perspectives by supervisory authorities, whether as a tool for oversight and/or supervision or as a catalyst for improvement. This soft-law approach has a number of benefits, not least politically in securing support from ECB-internal stakeholders, but also from those authorities in the Eurosystem in terms of how these new measures impact the existing mandates of EU and national-level authorities.

Who is in-scope?

TIBER-EU tests also apply to a much wider range of financial market participants that the ECB is interested in, rather than just those that it supervises in the SSM on a direct or indirect basis. Paragraph 2.1 of the TIBER-EU framework states that "entities" include:

  • Payment systems
  • Central securities depositories
  • Central counterparty clearing houses
  • Trade repositories
  • Credit rating agencies
  • "Stock exchanges" (note the non-MiFIR/MiFID II use of terms and exclusion of IFR/IFD investment firms)
  • "Securities settlement platforms" (note the non-MiFIR/MiFID II use of terms)
  • "Banks" (note the non-CRR II/CRD V use of terms)
  • Insurance companies
  • Asset management companies – thus both AIFMs and UCITS ManCos
  • "any other service providers deemed critical for the functioning of the financial sector"

Such a broad scope makes sense because the framework itself is also broad and, in addition, there are various forums that are thematically linked to the framework, such as the Euro Cyber Resilience Board for Pan-European Financial Infrastructures (ECRB). It is, however, conceivable that TIBER-EU might need to be amended to broaden its scope to a range of firm types that are within SSM supervision, as well as for TIBER-EU to support the supervisory outcomes set in DORA.


Footnotes

1. DORA incorporates the lessons that have been learned from the Eurosystem's cyber resilience strategy for financial market infrastructures. It covers – implicitly or explicitly – the Eurosystem's cyber resilience oversight expectations, the European programme to test and improve the resilience of the financial sector against sophisticated cyber-attacks (TIBER-EU), and the Cyber Information and Intelligence Sharing Initiative created by the ECRB (CIISI-EU).

2. Available here

3. Financial services firms may also want to take note of the annual guidance and recommendations published in the context of Europol's Internet Organised Crime Threat Assessment (IOCTA). IOCTA is Europol's flagship report providing a law enforcement focused assessment of evolving threats and key developments in the area of cybercrime. IOCTA should be available here from December 2021.

4. "TIBER-EU White Team, Guidance" available here.

5. Available here with details of international adoption and recognition available here.

Originally published September 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.