TIBER-EN | Strengthening the cyber resilience of the financial system?


Digitalization of the financial sector | Opportunities & cyber risks | TIBER-EN

The increasing digitalization of the financial sector not only creates new opportunities, but also brings increased cyber risks. Attacks on the financial system in particular can have serious consequences, not only for the company concerned but for the public as a whole. The central banks of the European System of Central Banks therefore launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) programme back in 2018. TIBER-EU serves as a framework for threat intelligence-led penetration tests.

In summer 2019, the Deutsche Bundesbank and the Federal Ministry of Finance (BMF) decided to implement this framework nationally with TIBER-DE, which enables financial companies to test their own resilience to cyberattacks. This has now been implemented.

Who is TIBER-DE aimed at?

TIBER-DE is aimed in particular at critical companies in the financial sector, such as large banks and insurers as well as their IT service providers and payment service providers. In its TIBER implementation, the Deutsche Bundesbank emphasizes that the purpose of conducting TIBER-DE tests is to “establish a network of national companies belonging to the target group in order to jointly and cooperatively improve the cyber resilience of the financial sector by conducting TIBER-DE tests”.

What happens in a test?

In a TIBER-DE test, commissioned hackers (the “Red Team”) check the cyber resilience of a company based on information from a threat intelligence provider (the “spy”). The primary aim is to identify security weaknesses in the production systems (the “critical functions”) within an attack scenario that is as realistic as possible. The TIBER-DE test consists of three phases, presented here in abbreviated form:

  • The preparation phase covers initiation, kick-off, determination of the test scope and procurement. In particular, the relevant contracts are concluded with all parties involved, the scope of the test is defined and the financial supervisory authority is informed of the intended TIBER-DE test.
  • In the test phase, information on the threat situation is collected and the Red Team penetration test is carried out on the basis of the previously defined test scope.
  • The closure phase includes the creation of test reports, a replay and feedback, a remediation plan for any weaknesses found, a final report and attestation including the transfer of results.

Risks of the test

The TIBER-DE test is aimed at the production systems carrying the “critical functions” of an institution in order to assess their cyber resilience realistically. However, this also entails risks, e.g. to the confidentiality, integrity or availability of the data or systems. In any case, the institution must carry out a detailed risk analysis before conducting a test and take appropriate measures to minimize those risks.

In addition, companies are faced with organizational, technical and data protection-related challenges. Critical business processes must be identified and defensive measures must be established and documented. In addition, TIBER-DE tests must be coordinated with the various affected stakeholders, e.g. service providers. Furthermore, a confidentiality obligation must be observed on all sides.

At present, participation in these tests is on a voluntary basis. Together with the not inconsiderable risks, this appears to be the reason for the reluctance to carry out a TIBER-DE test.

Working together towards a successful TIBER-DE test

SRC’s experts can work with you to prepare a TIBER test. This includes enterprise-wide scoping of the critical business processes to be tested and support in establishing compliant reporting channels and processes to manage and execute TIBER testing. With this, the internal preparations are in place to have a TIBER-compliant penetration test performed by a service provider. With our experience from countless penetration tests, bank compliance and information security management projects, we are happy to support you throughout the entire process of a TIBER test.
