Digitisation of the financial sector — Opportunities & cyber risks
The increasing digitalisation of the financial sector not only creates new opportunities, but also increases cyber risks. Attacks on the financial system in particular can have serious consequences not only for the affected company, but for the public as a whole. For this reason, the central banks of the European System of Central Banks launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) programme in 2018. TIBER-EU serves as a framework for threat-intelligence-based penetration tests.
In the summer of 2019, the Deutsche Bundesbank and the German Federal Ministry of Finance (BMF) decided to implement TIBER-DE as a national framework that allows financial companies to test their own resistance to cyber attacks. This implementation has now taken place.
To whom is TIBER-DE addressed?
TIBER-DE is primarily aimed at critical companies in the financial sector, such as large banks and insurers, their IT service providers, and payment service providers. In its TIBER implementation, the Deutsche Bundesbank emphasises that the purpose of conducting TIBER-DE tests is to “establish a network of national companies belonging to the target group in order to improve the cyber-resistance of the financial sector in a sustainable and cooperative way, together and by conducting TIBER-DE tests.”
What happens in a TIBER-DE test?
In a TIBER-DE test, commissioned hackers (the “Red Team”) use information from a threat intelligence provider (the “spy”) to test the cyber resistance of a company. The primary goal is to identify vulnerabilities in the production systems that support the company's “critical functions”, within an attack scenario that is as realistic as possible. A TIBER-DE test consists of three phases, presented here in shortened form:
- In the preparation phase, the initiation, the kick-off, the determination of the test scope and the procurement take place. In particular, the corresponding contracts with all parties involved are concluded, the test scope is defined, and the financial supervisory authority is informed about the intended TIBER-DE test.
- In the test phase, information on the threat situation is collected and the Red Team penetration test is conducted on the basis of the previously defined test scope.
- Finally, the closing phase includes the preparation of the test reports, a replay and feedback session, a remediation plan for the vulnerabilities found, and a final report and attestation, including the transfer of results.
Risks of the TIBER-DE Test
The TIBER-DE test targets the production systems that support the “critical functions” of an institution in order to evaluate their cyber-resistance realistically. However, this also brings risks, for example to the confidentiality, integrity or availability of data or systems. Before a TIBER-DE test is performed, the institution must in any case carry out a detailed risk analysis and take appropriate measures to minimise these risks.
Furthermore, companies face organisational, technical and data protection challenges. Critical business processes have to be identified, and defensive measures have to be established and documented. In addition, TIBER-DE tests must be coordinated with the various stakeholders concerned, e.g. service providers. A confidentiality obligation must also be observed by all parties.
Participation in TIBER-DE tests is currently voluntary. Together with the not inconsiderable risks, this seems to be the reason for companies' hesitation to perform a TIBER-DE test.
Team up for a successful TIBER-DE test
The experts of SRC can prepare a TIBER test together with you. This includes the company-wide scoping of the critical business processes to be tested, as well as support in establishing compliant reporting channels and processes to control and execute TIBER tests. Once this is done, the internal preparations are in place to have a TIBER-compliant penetration test performed by a service provider. With the experience gained from countless penetration tests, bank compliance and information security management projects, we are happy to support you through the entire process of a TIBER test.