The European Central Bank (ECB)'s publication on May 2, 2018 of its framework for "Threat Intelligence-Based Ethical Red-Teaming" (TIBER-EU Framework), which is discussed in further detail in the first1 of this series of Client Alerts, marked a definitive step by the ECB, in this instance acting in its central banking as opposed to its Banking Union supervisory capacity,2 to lead the way on setting cyber-resilience standards.  

At the heart of this new "voluntary" framework, which aims to apply to in-scope authorities as well as financial services firms, including financial market infrastructure providers, is the principle that TIBER-EU tests are intelligence-based ethical hacking. In-scope entities are expected to embed a "comply or explain" approach to the TIBER-EU Framework.

The TIBER-EU Framework only recognizes cyber-resilience tests that are carried out by service providers of Red Team Tests (RT) as well as Threat Intelligence (TI). These must be selected and retained in accordance with the "TIBER-EU Framework Services Procurement Guidelines" (the Procurement Guidelines), which were published without consultation in August 2018. This Client Alert discusses the requirements of the current version of the Procurement Guidelines and the ECB's expectations as they may supplement existing EU and national rules on selecting and retaining service providers.

Some of the contents may be familiar, especially for regulated firms that have a strong compliance program in place for regulated outsourcing and delegation arrangements, but other requirements and expectations of the ECB may be quite technical and prescriptive. As with recent ECB rulemaking instruments or other guidelines that set supervisory expectations and may read like rulebooks, the TIBER-EU Framework and the Procurement Guidelines use the verb "should", which in most cases means "shall"3 or "must". In certain languages, "should" is read to imply a degree of optionality. At present, neither the TIBER-EU Framework nor the Procurement Guidelines refer to international work such as that of the Financial Stability Board, which on 2 July 2018 launched its own consultation on a "Cyber Lexicon"4 of ca. 50 core terms relevant to cyber-security and cyber-resilience.

What do the Procurement Guidelines require?  

The Procurement Guidelines emphasize that in-scope entities, in particular those that plan to apply the TIBER-EU Framework to their global operations, must observe all obligations applicable to them. The Procurement Guidelines are currently split into the following three parts:

  1. Stipulate requirements and standards that RT/TI providers must meet to deliver recognized TIBER-EU tests;
  2. Offer guiding principles and selection criteria that in-scope entities should observe, in addition to requirements in respective and applicable legal and regulatory requirements, when procuring services from prospective RT/TI providers; and
  3. Provide questions and checklists relevant for contractual arrangements that entities are free to apply in their due diligence and when formalizing the procurement process with RT/TI providers.

The role of the TI provider

Conducting effective red teaming and cyber-resilience risk assessments in a manner that meets the expectations set by the TIBER-EU Framework requires accurate threat intelligence. TI providers thus play an important role.  The Procurement Guidelines specifically state:

"Creating accurate and realistic threat intelligence is a complex activity. This means that the TI provider must have adequate knowledge of the threat actors, their motives and their TTPs [tactics, techniques and procedures], as well [as] an understanding of how the core elements of the financial system interact and operate. In addition, the TI provider must have a good insight into the targeted entity. It needs to know for example: what the target's critical functions are; how the target operates; who the crucial employees are and whether they are "usable" for the attack; and what the target's vulnerabilities are."

Comprehensive threat intelligence supplies the RT provider with quality information that allows it to simulate a realistic, real-life attack on the entity's live systems that underpin the "critical functions" and their cyber-resilience, which is the ethos of what the TIBER-EU Framework aims to test. The Procurement Guidelines set out that the TI provider must meet the following qualitative requirements and that, where possible, only accredited and certified TI providers should be chosen.

The Procurement Guidelines clarify that the ECB expects in-scope entities to:

  1. Document the due diligence conducted prior to selecting a provider, preferably using the questions in the Annex;
  2. Evidence how TI providers meet the requirements in the table below; and
  3. Monitor and record how the TI provider performs against key performance indicators in service level agreements.

Who? – Requirements to be fulfilled according to the Procurement Guidelines
The TI provider (at the company level)
  • At least three references from previous assignments related to threat intelligence-led red team tests
  • Adequate indemnity insurance in place to cover activities that were not agreed upon in the engagement and service level arrangements and/or which stem from misconduct, negligence etc.
  • Evidence a robust understanding and application of information governance, security and risk management
  • Adhere to professional codes of conduct such as the Code of Conduct for Ethical Security Testers or the Open Source Intelligence and Research Association's (OSIRA) Code of Conduct
The TI provider's Threat Intelligence Manager (the TIM) designated for the TIBER-EU test and responsible for its end-to-end management
  • The TIM leads and has oversight of the TI provider's activities for delivering a TIBER-EU test
  • The TIM must have sufficient experience in threat intelligence – the expectation is at least five years of experience in threat intelligence, of which at least three years are in producing threat intelligence in the financial services industry
  • The TI provider will provide:
    • a current CV of the TIM and at least three references in relation to the TIM's work on previous assignments and specifically red team testing
    • background checks on the TIM – which may be simplified and/or enhanced disclosure
  • The TIM must have appropriate recognized qualifications and certifications (as set out in Annex 1 to the Procurement Guidelines)
The TI provider's Threat Intelligence Team (the TIT)5 (all members other than the TIM responsible for delivering the TIBER-EU test)
  • The TIT must collectively evidence sufficient experience and each member must have at least two years of experience delivering threat intelligence services
  • The TI provider must provide a current CV for each team member as well as background checks
  • The relevant team composition should be multi-disciplinary and evidence a broad range of skills, including "OSINT, HUMINT and geopolitical knowledge." OSINT refers to open source intelligence gathering of information derived from public and/or predictive sources. HUMINT refers to "human intelligence" gathering of data. The Procurement Guidelines' "Recommended Questions" also refer to SIGINT i.e. signals intelligence capabilities
  • Ideally the team members are expected to have appropriate recognized qualifications and certifications for threat intelligence and professional experience in delivering threat intelligence for red team tests

The Procurement Guidelines are quite prescriptive as to the characteristics the TI provider must comply with when compiling threat intelligence. They also require that the threat intelligence report be delivered in a manner that complies with the EU's General Data Protection Regulation (GDPR).

The role of the RT provider

RT providers plan and execute a TIBER-EU test on the target's systems, services, processes, technologies and people that have been agreed as being in scope of the exercise. As the test builds on the report of the TI provider, it differs from conventional resilience testing in that it aims to mimic the tactics employed by a real-life attacker targeting an entity's critical functions.

The Procurement Guidelines therefore expect that RT and TI providers demonstrate a willingness to work closely with one another in preparing the Red Team Test Plan as well as prior to and during the test phase itself and ultimately when delivering the Final Report.

As with the expectations set of the TI provider and the standards to follow prior to and during the appointment, the Procurement Guidelines set the following requirements that an RT provider must be able to fulfil:

Who? – Requirements to be fulfilled according to the Procurement Guidelines
The RT provider (at the company level)
  • At least five references from previous assignments related to intelligence-led red team tests
  • Adequate indemnity insurance in place to cover activities that were not agreed upon in the engagement and service level arrangements and/or which stem from misconduct, negligence etc.
  • Evidence a robust understanding and application of information governance, security and risk management
  • Adhere to professional codes of conduct such as the Code of Conduct for Ethical Security Testers or the Open Source Intelligence and Research Association's (OSIRA) Code of Conduct
The RT provider's Red Team Test Manager (the RTTM) designated for the TIBER-EU test and responsible for its end-to-end management
  • The RTTM leads and has oversight of the RT provider's activities for delivering a TIBER-EU test
  • The RTTM must have sufficient experience in red team testing – the expectation is at least five years of experience in testing, of which at least three years are in leading red team tests in the financial services industry
  • The RT provider will provide:
    • A current CV of the RTTM and at least three references in relation to the RTTM's work on previous assignments and specifically red team testing
    • Background checks on the RTTM – which may be simplified and/or enhanced disclosure
  • The RTTM must have appropriate recognized qualifications and certifications (as set out in Annex 1 to the Procurement Guidelines)
The RT provider's Red Team (all members other than the RTTM responsible for delivering the TIBER-EU test)
  • The Red Team must collectively evidence sufficient experience, and each member must have at least two years of experience delivering red team testing
  • The RT provider must provide a current CV for each team member as well as background checks
  • The relevant team composition should be multi-disciplinary and evidence a broad combination of skills, including reconnaissance, threat intelligence, risk management, exploit development, vulnerability analysis, penetration testing, social engineering etc.
  • Ideally the team members are expected to have appropriate recognized qualifications and certifications

The Procurement Guidelines place an emphasis on the multilingual capabilities of TI providers and, notably, RT providers, as well as an expectation that they have a breadth of experience in financial services and also in other sectors. This aims to ensure that providers can borrow tactics from other sectors and adapt these to TIBER-EU tests.

Language plays an important part in this, as simulated social engineering attacks such as "phishing", which attempt by fraudulent means to obtain sensitive information (log-ins, account details etc.), need to use language in a manner that is plausible.

Recommended questions and checklists

The Annex to the Procurement Guidelines contains, in addition to a list of certifications and qualifications that relevant team members at RT/TI providers should evidence, recommended questions that in-scope entities can use when selecting providers. Specific requests, which may go beyond existing EU and national level requirements, are for the provider to supply its recruitment policy and process, and for providers to also disclose details/results of independent audits of their information security system.

The Annex also contains a checklist that essentially has heads of terms for the service level agreement to be put in place with the relevant RT/TI provider. The Checklist places a strong emphasis on detailed information security measures and screening of employees to be put in place, detailed measures on whom information can be shared with and when as well as incident response management, continuity of services and exit clauses as they relate to data destruction and more generally.

Outlook

The Procurement Guidelines are just one part of the TIBER-EU Framework. This is a framework that is expected to evolve in depth and scope of application over time, in line with the growing importance of cyber-resilience testing for the ECB as supervisor, financial stability oversight actor and central bank. Whilst the Procurement Guidelines may be quite prescriptive in parts, some of this may actually be quite welcome in setting goalposts and allowing clients and service providers to engage on more standardized terms.

For in-scope entities, whether as existing or potential clients of RT/TI providers, much of the compliance challenge will likely be in ensuring that the selection and decision-making process when retaining providers meets the expectations set in the TIBER-EU Framework as a whole. Depending on the extent of measures in place, it may be prudent to diligence relevant existing providers anew so as to meet the expectations of the Procurement Guidelines formally. For RT/TI service providers, the Procurement Guidelines present an opportunity to have a much more structured road map on compliance expectations and service level performance monitoring. Some providers may want to consider how to demonstrate that they meet the ECB's expectations, and possibly also maintain a standardized Fact Sheet detailing key information and responding to the Questions and Checklists set in the Procurement Guidelines' Annex.

Lastly, the ECB may over time become more vocal on where RT/TI providers' corporate domiciles are located or where the testing facilities are located. This could mean that more specific expectations are communicated beyond "just" the requirement to comply with GDPR or to evidence sufficient multilingual capabilities, read: proficiency in one or more languages of the EU.

If you would like to discuss any of the items mentioned above or how the TIBER-EU Framework and the ECB's cyber-resilience expectations may affect your business more generally, please contact our Eurozone Hub key contacts.

Footnotes

1 See our dedicated coverage from our Eurozone Hub: https://www.dentons.com/en/insights/articles/2018/july/17/central-bank-of-cyber

2 The ECB, in its Banking Union capacity, itself states that it monitors how Banking Union supervised institutions manage their IT risks. This includes cyber-security and thus cyber-resilience. This includes:

  • Continuous off-site supervision and risk assessments;
  • Thematic and horizontal reviews of focus areas (e.g. cyber security, IT outsourcing, data quality); and
  • Targeted on-site inspections (on IT risk areas in general, but also focused on IT security and cyber risk).

3 From where the verb derives its origin.

4 See: http://www.fsb.org/2018/07/cyber-lexicon-consultative-document/

5 For close followers of ECB rulemaking, both in central bank and supervisory capacity, the fact that the ECB does like a good acronym should come as no surprise.
