European Union: ECB Releases Procurement Guidelines For Selecting Service Providers In Cyber-Resilience Testing

Last Updated: 14 September 2018
Article by Michael Huertas and Katja Michel

The European Central Bank (ECB)'s publication on May 2, 2018 of its framework for "Threat Intelligence-Based Ethical Red-Teaming" (TIBER-EU Framework), discussed in further detail in the first1 of this series of Client Alerts, marked a definitive step by the ECB, in this instance acting in its central banking capacity as opposed to its Banking Union supervisory capacity,2 to lead the way on setting cyber-resilience standards.

At the heart of this new "voluntary" framework, which aims to apply to in-scope authorities as well as financial services firms, including financial market infrastructure providers, is the principle that TIBER-EU tests are intelligence-based ethical hacking. In-scope entities are expected to embed a "comply or explain" approach to the TIBER-EU Framework.

The TIBER-EU Framework only recognizes cyber-resilience tests that are carried out by service providers of Red Team Tests (RT) and Threat Intelligence (TI). These providers must be selected and retained in accordance with the "TIBER-EU Framework Services Procurement Guidelines" (the Procurement Guidelines), which were published without consultation in August 2018. This Client Alert discusses the requirements of the current version of the Procurement Guidelines and the ECB's expectations, as they may supplement existing EU and national rules on selecting and retaining service providers.

Some of the contents may be familiar, especially for regulated firms that have a strong compliance program in place for regulated outsourcing and delegation arrangements, but other requirements and expectations of the ECB may be quite technical and prescriptive. As with recent ECB rulemaking instruments and other guidelines that nonetheless set supervisory expectations and read like rulebooks, the TIBER-EU Framework and the Procurement Guidelines use the verb "should", which in most cases means "shall"3 or "must". In certain languages, "should" is read to imply a degree of optionality. At present, neither the TIBER-EU Framework nor the Procurement Guidelines refer to international work such as that of the Financial Stability Board, which on 2 July 2018 launched its own consultation on a "Cyber Lexicon"4 of ca. 50 core terms relevant to cyber-security and cyber-resilience.

What do the Procurement Guidelines require?  

The Procurement Guidelines emphasize that in-scope entities, in particular those that plan to apply the TIBER-EU Framework to their global operations, must observe all obligations applicable to them. The Procurement Guidelines are currently split into the following three parts:

  1. Stipulate requirements and standards that RT/TI providers must meet to deliver recognized TIBER-EU tests;
  2. Offer guiding principles and selection criteria that in-scope entities should observe, in addition to applicable legal and regulatory requirements, when procuring services from prospective RT/TI providers; and
  3. Provide questions and checklists relevant for contractual arrangements that entities are free to apply in their due diligence and when formalizing the procurement process with RT/TI providers.

The role of the TI provider

Conducting effective red teaming and cyber-resilience risk assessments in a manner that meets the expectations set by the TIBER-EU Framework requires accurate threat intelligence. TI providers thus play an important role. The Procurement Guidelines specifically state:

"Creating accurate and realistic threat intelligence is a complex activity. This means that the TI provider must have adequate knowledge of the threat actors, their motives and their TTPs [tactics, techniques and procedures], as well [as] an understanding of how the core elements of the financial system interact and operate. In addition, the TI provider must have a good insight into the targeted entity. It needs to know for example: what the target's critical functions are; how the target operates; who the crucial employees are and whether they are "usable" for the attack; and what the target's vulnerabilities are."

Comprehensive threat intelligence supplies the RT provider with the quality information it needs to simulate a realistic attack on the entity's live systems that underpin its "critical functions", and to test their cyber-resilience, which is the ethos of what the TIBER-EU Framework aims to test. The Procurement Guidelines set out that the TI provider must meet the following qualitative requirements and that, where possible, only accredited and certified TI providers should be chosen.

The Procurement Guidelines clarify that the ECB expects in-scope entities to:

  1. Document the due diligence conducted prior to selecting a provider, preferably using the questions in the Annex;
  2. Evidence how TI providers meet the requirements in the table below; and
  3. Monitor and record how the TI provider performs against key performance indicators in service level agreements.

Who? | Requirements to be fulfilled according to the Procurement Guidelines

The TI provider (at the company level):
  • At least three references from previous assignments related to threat intelligence-led red team tests
  • Adequate indemnity insurance in place to cover activities that were not agreed upon in the engagement and service level arrangements and/or which stem from misconduct, negligence etc.
  • Evidence of a robust understanding and application of information governance, security and risk management
  • Adherence to professional codes of conduct such as the Code of Conduct for Ethical Security Testers or the Open Source Intelligence and Research Association's (OSIRA) Code of Conduct

The TI provider's Threat Intelligence Manager (the TIM), designated for the TIBER-EU test and responsible for its end-to-end management:
  • The TIM leads and has oversight of the TI provider's activities for delivering a TIBER-EU test
  • The TIM must have sufficient experience in threat intelligence – the expectation is at least five years of experience in threat intelligence, of which at least three years are in producing threat intelligence in the financial services industry
  • The TI provider will provide:
    • a current CV of the TIM and at least three references in relation to the TIM's work on previous assignments and specifically red team testing
    • background checks on the TIM – which may be simplified and/or enhanced disclosure
  • The TIM must have appropriate recognized qualifications and certifications (as set out in Annex 1 to the Procurement Guidelines)

The TI provider's Threat Intelligence Team (the TIT)5 (all members other than the TIM responsible for delivering the TIBER-EU test):
  • The TIT must collectively evidence sufficient experience, and each member must have at least two years of experience delivering threat intelligence services
  • The TI provider must provide a current CV for each team member as well as background checks
  • The team composition should be multi-disciplinary and evidence a broad range of skills, including "OSINT, HUMINT and geopolitical knowledge." OSINT refers to open source intelligence, i.e. the gathering of information derived from public and/or predictive sources. HUMINT refers to "human intelligence", i.e. the gathering of data from human sources. The Procurement Guidelines' "Recommended Questions" also refer to SIGINT, i.e. signals intelligence capabilities
  • Ideally, the team members are expected to have appropriate recognized qualifications and certifications for threat intelligence and professional experience in delivering threat intelligence for red team tests

The Procurement Guidelines are quite prescriptive as to the characteristics the TI provider must comply with when compiling threat intelligence. They also require that the threat intelligence report be delivered in a manner that complies with the EU's General Data Protection Regulation (GDPR).

The role of the RT provider

RT providers plan and execute a TIBER-EU test on the target's systems, services, processes, technologies and people that have been agreed as being in scope of the exercise. As the test builds on the report of the TI provider, it differs from conventional resilience testing in that it aims to mimic the tactics employed by a real-life attacker targeting an entity's critical functions.

The Procurement Guidelines therefore expect RT and TI providers to demonstrate a willingness to work closely with one another in preparing the Red Team Test Plan, prior to and during the test phase itself, and ultimately when delivering the Final Report.

As with the expectations set of the TI provider and the standards to follow prior to and during the appointment, the Procurement Guidelines set the following requirements that an RT provider must be able to fulfil:

Who? | Requirements to be fulfilled according to the Procurement Guidelines

The RT provider (at the company level):
  • At least five references from previous assignments related to intelligence-led red team tests
  • Adequate indemnity insurance in place to cover activities that were not agreed upon in the engagement and service level arrangements and/or which stem from misconduct, negligence etc.
  • Evidence of a robust understanding and application of information governance, security and risk management
  • Adherence to professional codes of conduct such as the Code of Conduct for Ethical Security Testers or the Open Source Intelligence and Research Association's (OSIRA) Code of Conduct

The RT provider's Red Team Test Manager (the RTTM), designated for the TIBER-EU test and responsible for its end-to-end management:
  • The RTTM leads and has oversight of the RT provider's activities for delivering a TIBER-EU test
  • The RTTM must have sufficient experience in red team testing – the expectation is at least five years of experience in testing, of which at least three years are in leading red team tests in the financial services industry
  • The RT provider will provide:
    • a current CV of the RTTM and at least three references in relation to the RTTM's work on previous assignments and specifically red team testing
    • background checks on the RTTM – which may be simplified and/or enhanced disclosure
  • The RTTM must have appropriate recognized qualifications and certifications (as set out in Annex 1 to the Procurement Guidelines)

The RT provider's Red Team (all members other than the RTTM responsible for delivering the TIBER-EU test):
  • The Red Team must collectively evidence sufficient experience, and each member must have at least two years of experience delivering red team testing
  • The RT provider must provide a current CV for each team member as well as background checks
  • The team composition should be multi-disciplinary and evidence a broad combination of skills, including reconnaissance, threat intelligence, risk management, exploit development, vulnerability analysis, penetration testing, social engineering etc.
  • Ideally, the team members are expected to have appropriate recognized qualifications and certifications

The Procurement Guidelines place an emphasis on TI providers' and, notably, RT providers' multilingual capabilities, as well as an expectation that they have breadth of experience not only in financial services but also in other sectors. This aims to ensure that providers can borrow tactics from other sectors and adapt them to TIBER-EU tests.

Language plays an important part in this: simulated social engineering attacks such as "phishing", which attempt to obtain sensitive information (log-ins, account details etc.) by fraudulent means, need to use language in a manner that is plausible.

Recommended questions and checklists

The Annex to the Procurement Guidelines contains, in addition to a list of certifications and qualifications that relevant team members at RT/TI providers should evidence, recommended questions that in-scope entities can use when selecting providers. Specific requests, which may go beyond existing EU and national level requirements, are for the provider to supply its recruitment policy and process and to disclose the details and results of independent audits of its information security system.

The Annex also contains a checklist that essentially sets out heads of terms for the service level agreement to be put in place with the relevant RT/TI provider. The Checklist places a strong emphasis on detailed information security measures and the screening of employees, detailed rules on with whom and when information can be shared, incident response management, continuity of services, and exit clauses, both as they relate to data destruction and more generally.

Outlook

The Procurement Guidelines are just one part of the TIBER-EU Framework. The framework is expected to evolve in depth and scope of application over time, in line with the growing importance of cyber-resilience testing for the ECB as supervisor, financial stability oversight actor and central bank. Whilst the Procurement Guidelines may be quite prescriptive in parts, some of this may actually be quite welcome in setting goalposts and allowing clients and service providers to engage on more standardized terms.

For in-scope entities, whether as existing or potential clients of RT/TI providers, much of the compliance challenge will likely lie in ensuring that the selection and decision-making process when retaining providers meets the expectations set in the TIBER-EU Framework as a whole. Depending on the extent of measures already in place, it may be prudent to conduct due diligence on relevant existing providers anew so as to formally meet the expectations of the Procurement Guidelines. For RT/TI service providers, the Procurement Guidelines present an opportunity to have a much more structured road map on compliance expectations and service level performance monitoring. Some providers may want to consider how to document the way they meet the ECB's expectations, and possibly also prepare a standardized Fact Sheet detailing key information and responding to the Questions and Checklists set out in the Procurement Guidelines' Annex.

Lastly, the ECB may over time become more vocal on where RT/TI providers' corporate domicile is located or where the testing facilities are located. This could mean that more specific expectations are communicated beyond "just" the requirement to comply with GDPR or to evidence sufficient multilingual capabilities, read: proficiency in one or more languages of the EU.

If you would like to discuss any of the items mentioned above or how the TIBER-EU Framework and the ECB's cyber-resilience expectations may affect your business more generally, please contact our Eurozone Hub key contacts.

Footnotes

1 See our dedicated coverage from our Eurozone Hub: https://www.dentons.com/en/insights/articles/2018/july/17/central-bank-of-cyber

2 The ECB, in its Banking Union capacity, itself states that it monitors how Banking Union supervised institutions manage their IT risks. This includes cyber-security and thus cyber-resilience. This includes:

  • Continuous off-site supervision and risk assessments;
  • Thematic and horizontal reviews of focus areas (e.g. cyber security, IT outsourcing, data quality); and
  • Targeted on-site inspections (on IT risk areas in general, but also focused on IT security and cyber risk).

3 The verb from which "should" derives its origin.

4 See: http://www.fsb.org/2018/07/cyber-lexicon-consultative-document/

5 For close followers of ECB rulemaking, both in central bank and supervisory capacity, the fact that the ECB does like a good acronym should come as no surprise.
