Quick Take – ECB leads way on cyber resilience
High-profile cyber-attacks with unprecedented sophistication and depth of impact have put cyber-resilience at the heart of supervisory priorities but also financial stability. The ECB-led single framework for testing cyber-resilience applies to a breadth of firms and will impact processes as well as policies.
This new voluntary framework aims to improve the capability of supervised firms and supervisors to deal with cyber-threats from real-life actors and their impact on firms in general, on firm-specific “critical functions” in particular, and on the wider market. All of this comes at a cost. In-scope firms may need to take preparatory steps, including securing appropriate service providers, as these will have to be assessed against specific standards and certified as able to conduct a TIBER-EU test.
“Crossing the Rubicon” has become a term used to describe a fundamental change of affairs. Whilst the European Central Bank (ECB) has not cast the die and marched on Rome as Caesar’s forces did in 49 BC, it has, with a well-chosen acronym, crossed another Roman river with its May 2, 2018 [1] publication of a framework for “Threat Intelligence-based Ethical Red Teaming” (TIBER-EU). [2] “Red-teaming” takes its name from military antecedents and refers to the process of testing the vulnerabilities, readiness and resilience of a test subject along with the capabilities and effectiveness of its response force, i.e., the Blue Team. Red Team actions are unknown to and masked from the Blue Team; only a select group, i.e., the White Team, has access to the details of the test and to the “flags”, i.e., the objectives that the Red Team is to “capture.”
This publication marks the ECB’s first real foray into defining best practice in cyber-resilience. [3] Importantly, the ECB is acting in its central bank and financial market infrastructure/financial stability capacity in advancing this priority, at what is a watershed moment. This matters because, even if TIBER-EU follows in the spirit of the ECB’s efforts as lead of the Single Supervisory Mechanism (SSM) within the Eurozone’s Banking Union, it goes much further than the SSM’s supervisory priorities in this space to date. It also describes itself as the roadmap for how this framework “…will be applied across the EU,” and not just the Banking Union.
The TIBER-EU framework, whose adoption by authorities and jurisdictions is voluntary, is thus very much being “offered up” to the market and to various supervisory stakeholders. Whilst the ECB’s spearheading of TIBER-EU is welcome, a number of parallels to voluntary submission to ancient Rome, and its benefits, may be apt. The Annex to the framework sets out which requirements are mandatory (most are) and which are optional.
This Client Alert assesses TIBER-EU’s approach, the expectations it requires market participants to meet, how these compare to other ECB activities in this area and some next steps that firms will want to consider in light of its changes as well as the supervisory priorities of the SSM. The requirements set in TIBER-EU apply to the entirety of the EU, even if in practice they will be targeted at the Eurozone. A number of concurrent stakeholders are also influencing the EU/Eurozone framework of what cyber-resilience and best practice mean and what compliance with expectations ought ideally to look like. Firms are therefore reminded that these Eurozone-level measures are supplemented by specific EU-wide measures, including the FinTech Action Plan, and by best practice expectations set by the European Supervisory Authorities (EBA, ESMA, EIOPA) as well as national authorities in a number of key Member States. [4] Some of those stakeholders and their own rules/expectations may already have implemented large parts of the CPMI-IOSCO Guidance on Cyber-Resilience for Financial Market Infrastructures, which was “operationalized” by the ECB in the Cyber Resilience Oversight Expectations (CROE). TIBER-EU goes much further than that.
We also anticipate that the TIBER-EU framework will have an important interplay in the on-going supervision of key financial market infrastructure providers, given the framework’s overriding emphasis on “critical functions” – which firms will want to delineate with a view to the official definition used by the framework: “… the people, processes and technologies required by the entity to deliver a core service which, if disrupted, could have a detrimental impact on financial stability, the entity’s safety and soundness, the entity’s customer base or the entity’s market conduct.”
We furthermore consider that this new framework will increasingly be used to police threats to, and the resilience levels of, those entities that the ECB-SSM has, within the Banking Union, defined as FinTech Credit Institutions and subjected to additional licensing requirements – please see our standalone coverage on this, available here. [5] More generally, and as a pressing to-do item for affected financial services firms’ governance as well as IT functions, we anticipate that the trend of nominating at least one board member as having ownership of, and expertise in, cyber-resilience matters is likely to grow, as global and EU-level initiatives all flag this theme. This is in addition to regulatory requirements on various firms, notably financial market infrastructure providers, to maintain a dedicated “Chief Information Security Officer” (CISO). It remains to be seen whether the ECB will undertake a TIBER-EU “crisis communication exercise” like the one codenamed “TITUS”, [6] conducted in November 2015 and reported on in July 2016, in the lead-up to the creation of CROE.
The extent of TIBER-EU’s coverage
The core aim of TIBER-EU is to provide a common framework for a controlled environment in which red-teaming can test the resilience of entities using the tactics, techniques and procedures (TTPs, in TIBER-EU’s terminology) employed by actual threat actors. In summary, TIBER-EU aims to create a cyber-arena in which the simulated effects of “barbarians at the gate” can test how an onslaught affects a relevant firm’s resilience in overall terms, that of its critical functions and the performance of its underlying systems. This is also intended to allow firms to evaluate how well their people, processes and technology are able to protect against, detect and respond to threats and attacks.
Whilst neither TIBER-EU nor the other (current) analogous measures being advanced by other EU supervisory policymakers may be as integrated as a well-formed legion, TIBER-EU’s core objectives are “jurisdiction agnostic” and embrace flexibility, not least through the concept of the Implementation Guides. That helps in making them adaptable to jurisdictions but also in facilitating cross-jurisdictional intelligence-led testing and cooperation, allowing flexibility for users (both market participants and stakeholders) and embedding and endorsing the use of equivalence decisions so that one supervisor can rely on the assessment of another, thus fostering mutual recognition and sharing of results. These approaches cement TIBER-EU’s value proposition for supervisors and may also yield benefits for certain market participants. TIBER-EU’s 58 pages are addressed as much to the stakeholders and policymakers shaping supervisory responses to improve cyber-resilience as to the market participants that may be in scope of “TIBER-EU testing”.
As with a range of other ECB rulemaking, whether as central bank or in the SSM, TIBER-EU is designed to be “guidance,” adopted on a voluntary basis and from a variety of perspectives by supervisory authorities, whether as a tool for oversight and/or supervision or as a catalyst for improvement. This soft-law approach has a number of benefits, not least politically: it secures support from ECB-internal stakeholders and from authorities in the Eurosystem concerned with how these new measures affect the existing mandates of EU and national authorities.
Leaving aside the observation that these centrally set supervisory expectations function as rules (and that they come from the central bank rather than the supervisory arm of the ECB), TIBER-EU offers a common toolkit but invites relevant authorities to exercise discretion as to which types of entity might be selected and when they are requested to submit to TIBER-EU testing. It is conceivable that some of those invitations may be more forceful than others.
Who is in-scope?
TIBER-EU tests apply to a much wider range of financial market participants than just those supervised by the ECB in the SSM on a direct (ca. 120 entities representing 80 percent plus of Eurozone banking assets) or indirect (ca. 6,000+ legal entities) basis. Paragraph 2.1 of the TIBER-EU framework states that “entities” include:
Central securities depositories
Central counterparty clearing houses
Credit rating agencies
“Stock exchanges” – NB the non-MiFID II use of the terminology
“Securities settlement platforms” – NB the non- MIFID II use of the terminology
“Banks” – NB the non-CRD IV/CRR use of the terminology
Asset management companies – thus both AIFMs and UCITS ManCos
“any other service providers deemed critical for the functioning of the financial sector”
Consequently, the scope of coverage is quite vast, which makes sense given the framework’s aims and, separately, the mandates of linked forums, including that of the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB).
Testing of relevant firms is conducted by one or more relevant authorities. In respect of cross-border firms, TIBER-EU’s core objective of cross-jurisdictional cooperation means, similar to how supervisory colleges already operate, that such tests are contemplated as being conducted either:
on a cross-authority collaborative testing basis “directed” by one of the relevant authorities (similar to home/host state passporting), and/or
on a basis of a test “managed” by one of the relevant authorities (preferably the “lead” authority)
The above options are both designed to be mutually recognized and “…to provide assurance to relevant authorities in other jurisdictions, provided the core requirements of the TIBER-EU Framework have been met.”
Crucially, the TIBER-EU framework is unequivocally clear that it will only recognise a TIBER-EU test if:
It is conducted by independent third-party providers (external threat intelligence (TI) and red team (RT) providers); and
It involves all stakeholders i.e., the “testing entity, which is responsible for managing the end-to-end test and ensuring that all risk management are in place to facilitate a controlled test”, the TI and RT providers who conduct the test, the authorities that oversee the test and “…ensure they are conducted in the right spirit and in accordance with the TIBER-EU Framework.” – NB it is not fully clear from the initial drafting whether the “testing entity” was meant to mean the test subject or a different entity.
The rationale for requiring independence of external providers is that they:
“…provide a fresh and independent perspective, which may not always be feasible with internal teams that have grown accustomed to the internal systems, people and processes. Furthermore, external providers may have more resources and up-to-date skills to deploy, which would represent additional benefits for the entity.”
Whilst this may be sensible and conceptually follows how external audits operate, it introduces additional costs for firms. It will also require a number of firms, irrespective of whether they have been formally invited/ordered to participate in a test, to take preparatory measures. This is important as firms will want to be in the driving seat on the costs, quality, standards and response times of RT and TI providers if they are required to participate in a test. As the TIBER-EU framework also refers to forthcoming “TIBER-EU Services Procurement Guidelines”, [7] in-scope firms will want to ensure they are able to procure providers and to confirm that these meet the standards set by the ECB, which also require that “…the providers are accredited and certified by a recognised body as being able to conduct a TIBER-EU test.” The new framework does acknowledge that sufficient due diligence of TI/RT providers by the test subject will be an appropriate stop-gap until TI/RT accreditation and certification processes become more commonplace in specific EU jurisdictions and/or across the EU. Whilst the framework makes no explicit mention of it, there are a number of implied references that a test subject should contract with the EU-based operations of TI/RT providers.
Three phases, no pass or fail but TTI Reports and remediation plans
The TIBER-EU framework does not operate on a pass-or-fail basis but is rather intended to provide insight into strengths and weaknesses in resilience. It is conceivable, however, that test results, even if formally submitted to the ECB in its central bank capacity, may flow into the supervisory dialogue with ECB-SSM supervised firms.
The TIBER-EU framework is built on a “mandatory three phase process for an end-to-end test.” This comprises:
preparation phase and formal test launch – including engagement, scoping and procurement of TI and RT providers, as well as the setting up and approval of test parameters by the test subject’s board (or presumably a similar governance function), followed by validation by the oversight/supervisory authority
testing phase – which includes TI and RT probing and the delivery of a formal “Targeted Threat Intelligence Report” (the TTI Report) detailing the test subject’s vulnerabilities, attack scenarios etc., which will form the basis for the RT provider carrying out intelligence-led red teaming of “…specific critical live production systems, people and processes that underpin the entity’s critical functions.” In short, the TTI Report lays the roadmap for going for the jugular and testing resilience against a range of “break the business” scenarios. A realistic definition of the processes relevant to and important for the breadth of the test subject’s critical functions will play an important part in this exercise
“closure” phase – which includes compiling a “Red Team Test Report” detailing what was tested and how, along with findings and observations as well as avenues for improvement and remediation. The Red Team Test Report is expected to be acted upon in “…close consultation with the supervisor and/or overseer”. This phase also includes a separate “Blue Team Report”, a joint-team “Purple Team Replay Workshop” and 360-degree feedback, all of which aim to assist in working through the steps for improvement in line with, as the framework puts it, “…a ‘learning and evolving’ principle that underlies the TIBER-EU framework.”
Red, white, blue – how I test you
What is important to recall is that these testing phases are designed to be conducted on the premise of confidentiality as well as ethical hacking. This means that the RT performs its testing without the knowledge of the test subject’s security or response capability (i.e. the Blue Team) and only a select circle of persons from the test subject (i.e. the White Team) will be permitted to know about the test.
Whilst this makes sense in ensuring a non-biased testing environment, compliance and governance functions will have to be included on the list of those who “are in the know”, in particular since governance has a validation role in the steps above. That list will have to be kept in a secure yet sufficiently manageable fashion, reflecting the global locations of personnel and stakeholders, and may need to be disclosed to competent supervisors as part of evidencing the strength of the testing itself. This is especially important as the relevant supervisor, and its respective “TIBER Cyber Team” (TCT), is able to invalidate a test if there are concerns about whether it was conducted in line with the spirit of the framework.
It is conceivable that the ECB and the respective relevant authorities will, possibly in the ECRB format, need to develop documented principles of who concretely does what and when in respect of the firms to be tested and the test results, as supervisory colleges already do in the EU both within and outside the Banking Union.
Interplay of TIBER-EU with other workstreams
TIBER-EU builds upon the mandate of the ECB (as central bank)-sponsored Euro Cyber Resilience Board for Financial Infrastructures (ECRB), [8] which is responsible for the January 2018 Cyber Resilience Oversight Expectations (CROE) [9] that TIBER-EU supplements. The ECRB operates on the basis of voluntary membership and aims, in relation to cyber-resilience, to identify strategic issues, work priorities, common positions, directions and statements, as well as to respond to requests for advice from national and EU authorities, including Europol and, separately, the somewhat controversial European Union Agency for Network & Information Security (ENISA), which is responsible for wider cyber-security.
Moreover, the ECB will maintain a TIBER-EU Knowledge Centre (TKC), which is responsible for keeping track of which jurisdictions adopt TIBER-EU and also acts as central gatekeeper of the framework and as interlocutor with the ECRB. The ECB-hosted TKC aims to coordinate collaboration among national and European TCTs.
It is not clear how this will translate into new or repurposed resources at national and EU authorities, but it sets a definitive and decisive tone, especially as the ECB places TIBER-EU as a central hub around which accompanying national (TIBER-XX) or other EU-wide (TIBER-EU-YY) “Implementation Guides” are intended to be built, allowing flexibility but steered by a strong lead from the centralized TCT at the TKC as well as from the TCT in each jurisdiction adopting the framework.
Outlook and next steps
In terms of approach and institutional set-up, much of the TIBER-EU framework, even if advanced by the ECB as a central bank, mirrors the existing pillars of the Banking Union – a strong central technical and supervisory lead at the ECB level coupled with national-level expertise. It will be interesting to see which national authorities are quick to embrace TIBER-EU and which are more hesitant.
The notion of the ECB-hosted TKC as a hub coordinating multiple colleges of TCTs is also unsurprising, but may translate into an increased need for firms to be clear as to what is documented where and what is disclosable to whom. Equally, the jurisdiction-agnostic and flexible framework, which in its current version allows relevant authorities to mandate “voluntary” testing and/or mandatory testing, may mean that firms have more disclosure channels to manage.
More importantly, the TIBER-EU framework currently, even though it very much caters for cross-jurisdictional approaches, contains no definitive rules for resolving disagreements among stakeholders as to whether a critical function is in fact critical. In simple terms, this means that a number of firms, in addition to adopting their own TIBER-EU policy (which may be disclosed to competent authorities), should consider setting up appropriate internal training and links to RT and TI providers, rather than having regulators impose conditions upon them.
In summary, TIBER-EU in its first version is a defining contribution to improved cyber-resilience, but one where a number of core elements remain to be worked out and published. Those caught by these new expectations, whether as supervised financial services providers or as TI/RT providers, will want to ensure they are “test-ready” and in control of post-test and other ongoing obligations. As this framework is being rolled out centrally from the ECB and supplemented by national authorities, affected entities will need to liaise with a vast array of supervisory as well as internal stakeholders to steer their compliance and to take control of their overall cyber-resilience priorities.
1. The TIBER-EU publication was also accompanied by a video on the ECB’s YouTube channel describing what it terms “ethical hacking”, which is available here: https://www.youtube.com/watch?v=9vLxlr0ExnM&feature=youtu.be.
2. See: https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf
3. Even if it builds upon efforts of several national central banks – notably the Netherlands and its TIBER-NL framework – see: https://www.dnb.nl/binaries/TIBER-NL%20Guide%20Second%20Test%20Round%20final_tcm46-365448.pdf
4. Notably Germany, see our coverage on this available here: https://www.dentons.com/en/insights/alerts/2018/july/3/bafins-supervisory-requirements-for-it-in-financial-institutions
5. See our coverage from our Eurozone Hub available here: https://www.dentons.com/en/issues-and-opportunities/eurozone-hub/-/media/73a225386d0d4c1f91bf3ea003077b11.ashx
6. Note the ongoing Roman Empire theme here.
7. Which is expected possibly as early as August 2018.
8. See: https://www.ecb.europa.eu/press/key/date/2018/html/ecb.sp180309_1/ecb.sp180309_1_ECRB_mandate.pdf
9. See: https://www.ecb.europa.eu/paym/pdf/cons/cyberresilience/cyber_resilience_