Cyber Risk

The European Central Bank (ECB) earlier this year launched the first cross-border framework for the standardisation and coordination of cyber defence testing for financial institutions. This could well provide a blueprint for the global standard that has hitherto been absent, benefiting cross-border firms and more generally improving the sector’s cyber resilience. In this blog, we explore the latest European developments and consider what they could mean in this regard. Different regimes are already emerging around the world, but establishing certain commonalities could form the basis of an international approach.

Core components of the ECB’s framework

Supervisors are rapidly adopting cyber defence testing programmes, in particular for firms critical to the real economy and the stability of financial markets. To date, however, this has mostly been a ‘bottom-up’ process, led by individual countries that were early leaders in the field, rather than requirements cascading down from international standards. Not only is this approach potentially more costly for firms operating in multiple jurisdictions, but it also inhibits the adoption of leading practice and sits at odds with the fact that cyber attacks seldom respect national borders. There is, therefore, a clear case for more international coordination.

The ECB’s framework for Threat Intelligence-Based Ethical Red-teaming (TIBER-EU) has been put in place to prevent overlapping or incompatible national testing standards being developed by individual EU Member States. The framework establishes a standardised but adaptable testing regime for supervisors to verify firms’ cyber defences. Going further than simply creating common standards, it includes a mechanism for centralising and analysing information gathered through the tests. This information can then be analysed by supervisors and, where appropriate, disseminated to market participants, in order to capture ‘lessons learned’ that inform and refine supervisory and industry practices.

The framework is also intended to increase collaboration between national authorities, and could ultimately ease the burden on firms that have substantial operations in multiple EU countries, including by establishing a mechanism enabling the cross-border recognition of TIBER tests carried out by a national supervisor.

TIBER-EU builds on pre-existing national-level initiatives, including the UK’s CBEST and the Dutch TIBER-NL programmes. At its core, TIBER-EU is:

  • an intelligence-led red-team testing regime based on minimum standards established by the ECB;
  • implemented and carried out by national supervisors, and monitored across the EU by the ECB, which will also supervise its own tests for certain financial market infrastructures (FMIs);
  • an information analysis and dissemination mechanism, managed by the ECB’s newly established TIBER-EU Knowledge Centre; and
  • an adaptable, principles-based framework meant to be versatile enough to be applied to any kind of financial entity, not just banks or FMIs.

The TIBER-EU framework is expected to be used for regimes developed by individual Member States across the EU. The implementation of ‘TIBER-XXs’ (‘XX’ refers to the country code of the jurisdiction that implements a version of the framework) will be at the initiative of national governments and regulators. Importantly, this means that TIBER-EU will not ‘kick in’ at a specified date; instead, firms need to look for early adopters of the framework and map out opportunities for the cross-border recognition of tests carried out. The Netherlands has been implementing TIBER-NL, and we are likely to see additional TIBER-XXs being set up in 2019, with Belgium and Denmark introducing their own frameworks first.[1]

The development of an EU-wide TIBER framework will not, however, come without its challenges. The risk of nationally-led approaches leading to important inconsistencies, for example in the qualification requirements for practitioners carrying out the tests, can be expected to challenge authorities and firms alike as implementation proceeds.

A global challenge

Despite the clear need, international standards on cyber defence testing have been slow to materialise. The Financial Stability Board (FSB), which mirrors the membership of and reports to the G20, has increased its focus on cyber risk recently. Its current initiative to develop a Cyber Lexicon, whilst a necessary building block for cooperation, ultimately represents a lower degree of cross-border coordination of supervisory activity compared to the work being done by the ECB.

There is cause for concern here. In addition to the issues mentioned above, countries faced with inconsistent standards abroad may be incentivised to take steps to protect their own industries and ‘ring-fence’ data, services and systems within their jurisdiction. Were these restrictions to become overly burdensome and sufficiently widespread, this would be a very challenging trend for financial services firms to deal with while maintaining globally-integrated business models, complicating data and systems management.

Where the G20 might be slower to act, the G7 could more swiftly follow up on earlier work by its Cyber Expert Group on ‘Fundamental Elements of Cybersecurity for the FS Sector’. Using the ECB’s TIBER-EU framework as a model, and looking at other schemes that are being set up, the G7 could set out a common framework. Developing voluntary common standards, a recognition mechanism and a system for safely sharing lessons learned from tests (so long as they remain sufficiently high-level) would be an achievable first step. While this would fall short of creating a single global cyber defence testing scheme, it would nevertheless be a practical step forward for the development of international standards and coordinated action, and could produce a more consistent approach to strengthening the cyber defences of cross-border firms.

This could enable different but similar regimes, such as the CFTC’s security testing requirements in the U.S. and TIBER-EU, to be brought under an international umbrella. Both require some form of external testing conducted by independent contractors, but differences exist, for example in the frequency of the tests and in whether they are compulsory.

Beyond red-team testing

Cyber defence testing represents only an initial step in the work needed to create a financial sector more resilient to cyber-attacks. A much-needed next step in the development of an international framework to enhance the sector’s resilience to this threat will be to create common procedures or leading practices for how to respond to cyber-attacks once they occur, and to reinforce these over time with cross-border ‘real adversarial’ simulations carried out simultaneously by firms and authorities in several key jurisdictions.

The FSB’s recently announced plans to launch a project in 2019 to develop cyber response ‘effective practices’ is an encouraging sign that global authorities will place a greater emphasis on this in their future work. 

____________________________________________________________________________

[1] https://www.dnb.nl/en/news/nieuwsbrief-betalingsverkeer/Juni2018/index.jsp


David Strachan - Head of EMEA Centre for Regulatory Strategy, Deloitte

David focuses on the impact of regulatory changes - both individual and in aggregate - on the strategies and business/operating models of financial services firms. David joined Deloitte after 12 years at the FSA, where in his last role, Director of Financial Stability, he worked on the division of the FSA into the PRA and the FCA.

Nick Seaver - Partner, Cyber Risk Services, Deloitte

Nick is a partner within Deloitte and leads Deloitte UK's Cyber Risk services within the financial services industry. Nick is also Deloitte's Banking Cyber Risk leader across EMEA. In addition to his client work, Nick has significant internal responsibilities around team leadership, marketing and business development. Nick is a board member of the Institute of Information Security Professionals (IISP), holding the position of treasurer. In addition to his technology qualifications, Nick is a qualified accountant (FCCA), holds a Master's degree in Engineering and Management and a Master of Business Administration.

Stephen Bonner - Partner, Cyber Risk Services, Deloitte

Stephen is a Partner within Deloitte’s Cyber Risk Services practice with over 5 years of security consulting experience and over 20 years of financial services industry experience. In particular, Stephen ran global security teams and was accountable for Cyber Security, Records Management, Data Privacy and IAM for a global FS institution. He also led IT Security for a derivatives exchange for four years.

Scott Martin - Senior Manager, EMEA Centre for Regulatory Strategy

Scott is a Senior Manager in the Centre for Regulatory Strategy advising on international banking regulation, with a particular focus on bank capital, strategy, cyber risk and public policy-making processes. Before joining Deloitte in 2015, he worked in Brussels as an EU regulatory strategist advising a number of global systemically important banks and other financial institutions. He is a graduate of the London School of Economics and previously spent a number of years working as a political advisor to Canada’s Minister of Finance and Minister of Foreign Affairs.

Quentin Mosseray - Senior Associate, Centre for Regulatory Strategy, Deloitte

Quentin is a Senior Associate in Deloitte’s Centre for Regulatory Strategy, where he focuses on insurance and cyber regulation. He joined Deloitte in 2017 after completing a Masters in Law and Economics, and also holds a double degree in International Relations from the Free University of Brussels and the LUISS University in Rome.
