The European Central Bank (ECB) earlier this year launched the first cross-border framework for the standardisation and coordination of cyber defence testing for financial institutions. This could well provide a blueprint for the global standard that has hitherto been absent, benefiting cross-border firms and more generally improving the sector's cyber resilience. In this blog, we explore the latest European developments and consider what they could mean in this regard. Different regimes are already emerging around the world, but establishing certain commonalities could form the basis of an international approach.
Core components of the ECB's framework
Supervisors are rapidly adopting cyber defence testing programmes, in particular for firms critical to the real economy and the stability of financial markets. To date, however, this has mostly been a 'bottom-up' process, led by individual countries that were early leaders in the field, rather than the requirements having cascaded down from international standards. Not only is this approach potentially more costly for firms operating in multiple jurisdictions, but it also inhibits adoption of leading practice and sits at odds with the fact that cyber attacks seldom respect external borders. There is, therefore, a clear case for more international coordination.
The ECB's framework for Threat Intelligence-Based Ethical Red-teaming (TIBER-EU) has been put in place to prevent overlapping or incompatible national testing standards being developed by individual EU Member States. The framework establishes a standardised but adaptable testing regime for supervisors to verify firms' cyber defences. Going further than simply creating common standards, it includes a mechanism for centralising and analysing information gathered through the tests. This information can then be analysed by supervisors and, where appropriate, disseminated to market participants, in order to capture 'lessons learned' to inform and refine supervisory and industry practices.
The framework is also intended to increase collaboration between national authorities, and could ultimately ease the burden on firms that have substantial operations in multiple EU countries, including by establishing a mechanism enabling the cross-border recognition of TIBER tests carried out by a national supervisor.
TIBER-EU builds on pre-existing national-level initiatives, including the UK's CBEST and the Dutch TIBER-NL programmes. At its core, TIBER-EU is:
- an intelligence-led red-team testing regime based on minimum standards established by the ECB;
- implemented and carried out by national supervisors, and monitored across the EU by the ECB, which will also supervise its own tests for certain financial market infrastructures (FMIs);
- an information analysis and dissemination mechanism, managed by the ECB's newly established TIBER-EU Knowledge Centre; and
- an adaptable, principles-based framework meant to be versatile enough to be applied to any kind of financial entity, not just banks or FMIs.
The TIBER-EU framework is expected to be used for regimes developed by individual Member States across the EU. The implementation of 'TIBER-XXs' ('XX' refers to the country code of the jurisdiction that implements a version of the framework) will be at the initiative of national governments and regulators. Importantly, this means that TIBER-EU will not 'kick in' at a specified date – instead, firms need to look for early adopters of the framework and map out opportunities for the cross-border recognition of tests carried out. The Netherlands has been implementing TIBER-NL, and we are likely to see additional TIBER-XXs being set up in 2019, with Belgium and Denmark introducing their own frameworks first.[1]
The development of an EU-wide TIBER framework will not, however, come without its challenges. The risk of nationally-led approaches leading to important inconsistencies, for example in the qualification requirements for practitioners carrying out the tests, can be expected to challenge authorities and firms alike as implementation proceeds.
A global challenge
Despite the clear need, international standards on cyber defence testing have been slow to materialise. The Financial Stability Board (FSB), which mirrors the membership of and reports to the G20, has increased its focus on cyber risk recently. Its current initiative to develop a Cyber Lexicon, whilst a necessary building block for cooperation, ultimately represents a lower degree of cross-border coordination of supervisory activity compared to the work being done by the ECB.
There is cause for concern here. In addition to the issues mentioned above, countries faced with inconsistent standards abroad may be incentivised to take steps to protect their own industries and 'ring-fence' data, services and systems within their jurisdiction. Were these restrictions to become overly burdensome and sufficiently widespread, this would be a very challenging trend for financial services firms to deal with while maintaining globally-integrated business models, complicating data and systems management.
Where the G20 might be slower to act, the G7 could more swiftly follow up on earlier work by its Cyber Expert Group on 'Fundamental Elements of Cybersecurity for the FS Sector'. Using the ECB's TIBER-EU framework as a model, and looking at other schemes that are being set up, the G7 could set out a common framework. Developing voluntary common standards, a recognition mechanism and a system for safely sharing lessons learned from tests (so long as they remain sufficiently high-level) would be an achievable first step. While this would fall short of creating a single global cyber defence testing scheme, it would nevertheless be a practical step forward for the development of international standards and coordinated action, and could produce a more consistent approach to strengthening the cyber defences of cross-border firms.
This could enable different but similar regimes, such as the CFTC security testing in the U.S., and TIBER-EU to be brought under an international umbrella. Both require some form of external testing, conducted by independent contractors, but differences exist, such as in the frequency of the tests and whether they are compulsory.
Beyond red-team testing
Cyber defence testing represents only an initial step in the work needed to create a financial sector more resilient to cyber attacks. A much needed next step in the development of an international framework to enhance the sector's resilience to this threat will be to create common procedures or leading practices for how to respond to cyber attacks once they occur, and to reinforce these over time with cross-border 'real adversarial' simulations simultaneously carried out by firms and authorities in several key jurisdictions.
The FSB's recently announced plans to launch a project in 2019 to develop cyber response 'effective practices' is an encouraging sign that global authorities will place a greater emphasis on this in their future work.