Tag Archive for: finance sector

Homepage Admin

Opera­tional Resilience — Cyber resilience require­ments for institutions

Current key topics: Opera­tional Resilience and Cybersecurity

Attacks on the financial system can have serious conse­quences — not only for the affected company, but also for the entire public. Experts at the Bundesbank and security experts at BaFin and the ECB also cite cyber attacks and a lack of resilience to such attacks as the greatest threat posed by increasing digiti­zation in the financial sector. This is one of the reasons why more legal and regulatory frame­works are being created in order to establish uniform standards across the entire financial sector and increase the „opera­tional resilience“.

For both the ECB and BaFin, the focus in 2020 was on “opera­tional resilience” and “cyber­se­curity”. In addition, the TIBER-EU program was launched at European level, which the Bundesbank imple­mented as TIBER-DE in September 2020. Alongside this, the EU published its require­ments for opera­tional resilience and cyber­se­curity in October 2020 as part of the Digital Finance Package in the form of DORA (Digital Opera­tional Resilience Act).

The question for those respon­sible is how these various activ­ities interact and — even more relevant — how efficiently they contribute to the achievement of the objectives.

Revision of MaRisk and BAIT — Opera­tional IT Security

Domes­ti­cally, BaFin published its approaches to addressing opera­tional IT risks in October with the amendment of MaRisk and BAIT. The impor­tance of the topic is evident in the expansion of the BA IT require­ments as part of a new chapter. Imple­menting the specific require­ments formu­lated there is likely to pose major challenges on smaller and medium-sized insti­tu­tions, as they are aimed at operating a security infor­mation and event management system (SIEM), setting up and operating a security opera­tions center (SOC), as well as regular internal deviation analyses, vulner­a­bility scans, penetration tests and the simulation of attacks (“red teaming”). In practical terms, this requires the estab­lishment of a profes­sional cyber security department as well as independent internal infor­mation security struc­tures. This will pose major challenges on the insti­tu­tions concerned, due to the required expertise and limited resources on the labor market alone. Emergency management — also in a separate new chapter in the BA IT — is addressed as a further focal point.

The TIBER Program of the ECB and the Bundesbank

Back in 2018, the central banks of the European System of Central Banks launched the TIBER-EU (Threat Intel­li­gence-based Ethical Red Teaming) program. TIBER-EU serves as a framework on threat-led penetration testing that financial insti­tu­tions can use to put their own resilience to cyber­at­tacks to the test. The goal here is to create a “gold standard” of penetration testing. The clear reluc­tance to partic­ipate in TIBER-DE can be explained on the one hand by the complex scope of the project, the signif­icant risks and, on the other hand by the “voluntary nature” of partic­i­pation. Of course, especially in 2020, many internal forces are tied up elsewhere, also due to the Covid pandemic. The question arises as to whether the insti­tu­tions subjec­tively perceive the risk of a cyber attack as critically.

Digital Opera­tional Resilience Act (DORA) of the EU

With the publi­cation of the Digital Finance Package, the EU regulatory framework on digital opera­tional resilience contains a compre­hensive legislative proposal for the Europe-wide prevention and reduction of cyber risks. Up to now, national regula­tions for opera­tional resilience have been in place, but they do not do justice to the cross-border and global use of IT systems and are therefore not very effective. Moreover, this fragmen­tation also carries the risk of incon­sis­tencies and is also associated with additional high expenses for insti­tu­tions operating across Europe.

It is therefore highly desirable to strive for uniform regula­tions with DORA, in particular for risk management, testing, outsourcing emergency and incident management. In addition to improving and optimizing the resilience of the IT systems used, a signif­icant reduction in admin­is­trative effort for the insti­tu­tions will certainly also be achieved.

Increasing Cyber Resilience together

The SRC experts will gladly discuss the new devel­op­ments and their impact on the legal and regulatory level with you. Together we analyze your need for action and support you in the imple­men­tation. We evaluate the amendment of MaRisk and BA IT for your insti­tution, support you in the prepa­ration, execution and analysis of TIBER tests and analyze the planned require­ments of DORA. You can draw on our experience from countless penetration tests, banking compliance and infor­mation security management projects.

TIBER-DE
Homepage Admin

TIBER-DE | Increasing the cyber resilience of the financial system

Digiti­sation of the financial sector — Chances & cyber risks

The increasing digital­i­sation of the financial sector not only provides new oppor­tu­nities, but also leads to increased cyber risks. In particular, attacks on the financial system can have serious conse­quences not only for the affected company, but also for the entire public. For this reason, the central banks of the European System of Central Banks have already launched the TIBER-EU (Threat Intel­li­gence-based Ethical Red Teaming) programme in 2018. TIBER-EU serves as a framework for threat-based penetration tests.

In the summer of 2019, the Deutsche Bundesbank and the German Federal Ministry of Finance (BMF) decided to implement TIBER-DE as a national framework for financial companies to test their own resis­tance to cyber attacks. This imple­mention has now taken place.

To whom is TIBER-DE addressed?

TIBER-DE partic­u­larly addresses critical companies in the financial sector, such as large banks and insurance companies and their IT service providers and payment service providers. In its TIBER imple­men­tation, the Deutsche Bundesbank empha­sises that the purpose of conducting TIBER-DE tests is to “establish a network of national companies belonging to the target group in order to improve the cyber-resis­tance of the financial sector in a sustainable and cooper­ative way, together and by conducting TIBER-DE tests.

What happens in a TIBER-DE test?

In a TIBER-DE test, commis­sioned hackers (“Red Team”) use infor­mation from a threat intel­li­gence provider (“spy”) to test the cyber resis­tance of a company. The primary goal is to identify security gaps in the production systems (“critical functions”) within the framework of an attack scenario that is as real as possible. The TIBER-DE test consists of three phases, which are presented here in a shortened form:

  • In the prepa­ration phase the initi­ation, the kick-off, the deter­mi­nation of the test scope and the procurement takes place. In particular, the corre­sponding contracts with all parties involved are concluded, the test scope is deter­mined and the financial super­visory authority is informed about the intended TIBER-DE test.
  • In the test phase, infor­mation on the threat situation is collected and the Red Team penetration test is conducted on the basis of the previ­ously defined test scope.
  • Finally, the final phase includes the prepa­ration of the test reports, a replay and feedback, a remedi­ation plan for found vulner­a­bil­ities as well as a final report and the attes­tation including the transfer of results.

Risks of the TIBER-DE Test

The TIBER-DE test targets the productive systems with the “critical functions” of an institute in order to realis­ti­cally evaluate their cyber-resis­tance. However, this is also accom­panied by risks, e.g. regarding the confi­den­tiality, integrity or avail­ability of the data or systems. In any case, the institute has to perform a detailed risk analysis and take appro­priate measures to minimise the risks before a TIBER-DE test is performed.

Furthermore, companies are confronted with organ­i­sa­tional, technical and data protection challenges. Critical business processes have to be identified, defensive measures have to be estab­lished and documented. In addition, TIBER-DE tests must be coordi­nated with the various stake­holders concerned, e.g. service providers. Furthermore, a confi­den­tiality oblig­ation must be observed by all parties.

Currently the partic­i­pation in TIBER-DE tests is based on a voluntary basis. Along with the not incon­sid­erable risks this seems to be the reason for the hesitation to perform a TIBER-DE test.

Team up for a successful TIBER-DE test

The experts of SRC can prepare a TIBER test together with you. This includes the company-wide scoping of the critical business processes to be tested and support in estab­lishing compliant reporting channels and processes to control and execute TIBER tests. This means that the internal prepa­ra­tions are now in place to have a TIBER-compliant penetration test performed by a service provider. With the experience gained from countless penetration tests, bank compliance and infor­mation security management projects, we are happy to support you through the entire process of a TIBER test.