Threat Intelligence-based Ethical Red Teaming (TIBER) is increasingly being used by supervisors to enhance the preparedness and resilience of financial services firms to cyber attacks. Recent regulatory trends point to these tests increasing in popularity and frequency in the coming years. Boards may not only need to oversee such exercises regularly, but also demonstrably use the lessons learned in their firm’s cyber and operational resilience strategies. Senior managers (such as CIOs, CISOs, or in a smaller number of cases, CROs) will need to make the case to their boards that these are a valuable use of often constrained resources.
TIBER exercises can be costly and intensive programs that require close coordination with internal teams and external stakeholders. Firms can extract more value from these by not seeing them simply as self-contained tests. The different phases of the test, as well as the results, can provide valuable insights into areas such as a firm’s operational resilience, its exposure to financial crime, and its readiness to carry out large IT change programmes. Our experience is that they can act as wake-up calls, revealing sometimes unknown, large scale (and holistic) vulnerabilities. This can act as a trigger for more effective cyber transformation programmes.
Boards that prepare their firms for these tests, and understand how the results can feed into their overall business and IT strategy will adapt with more agility to what will become a more frequently required exercise in future.
The TIBER test landscape is evolving
TIBER tests are currently carried out only by the largest FS firms and financial market infrastructures, largely on a voluntary basis, or through persuasion. This is changing.
- In the UK, CBEST is being expanded to a larger number of firms. The Financial Conduct Authority (FCA) announced in its business plan that it would be using “regular CBEST testing for a larger number of priority firms beginning in 2019/20”. The Bank of England (BoE) has, in its response to the Future of Finance report, announced it will evaluate whether CBEST exercises should be carried out on a more frequent basis.
- The European Banking Authority’s (EBA) ICT and security risk guidelines, which become applicable at the end of June, specify that firms should carry out TIBER tests when appropriate, potentially on an annual basis for critical ICT systems.
- Similarly, the European Insurance and Occupational Pensions Authority (EIOPA) is considering recommending its use by insurers in certain circumstances in its draft ICT Security and Governance guidelines, likely to apply from July 2020.
- TIBER tests may well be included in upcoming EU legislation on cybersecurity in the financial sector. The European Commission is currently consulting on a Digital Operational Resilience Framework for financial services, which could include a testing framework across all financial sectors in the next couple of years.
This rising tide is already being felt by some firms in jurisdictions that have adopted the TIBER-EU framework established in 2018 by the ECB. Belgium, for example, is implementing TIBER-BE for critical market infrastructures. Denmark has also introduced TIBER-DK (which includes the participation of major banks), and Sweden has followed suit. As supervisors continue to roll out and hone this tool, more firms will be encouraged – and then likely asked – to carry these tests out.
Rather than seeing these tests as siloed exercises done to meet supervisory expectations, firms should embrace them as ‘tip of the spear’ initiatives. Beyond honing a firm’s capacity to identify and contain a digital security breach, they can be a critical part of enhancing the cyber and operational resilience maturity of the firm as a whole.
TIBER tests should feed into multiple strategic issues
Firms that use TIBER tests to do more than address the deficiencies directly identified in the exercise will extract maximum value from what can be expensive endeavours. Showing how the tests, and the remediation strategies stemming from them, feed into investment decisions will also reassure a firm’s supervisors. Supervisors are likely to challenge firms that simply go back to business as usual after a TIBER test, or that only address the deficiencies directly linked to the compromised IT systems without addressing the ‘bigger-picture’ vulnerabilities that underlie them. They might also consider such firms less mature in terms of their cyber resilience strategies.
In our experience, TIBER tests can best feed into the following areas:
- Operational resilience strategy. TIBER tests will inform how well internal escalation processes are working, and what might need to change. The tests do not aim to affect live production systems. But they will provide insights about a firm’s processes, for example revealing that information about a breach does not reach all the relevant stakeholders in a timely manner, leading to an affected system still being actively used by a department unaware of the security breach. This could lead to the firm deciding to engage in a wider project to better map how different critical systems are used.
Firms can carry out ‘what-if’ table-top exercises, focusing on recovery or on alternative ways to deliver important business services, based on the scenario that the systems accessed in a TIBER test become unavailable or compromised. Furthermore, TIBER tests may reveal segregation issues between the main and back-up systems underpinning an important business service.
Overall, they can serve – alongside other tools – as a sense-check on a firm’s operational resilience framework.
- Financial crime and fraud controls. Cyber attacks can act as an entry point or enabler for financial crime. Putting a financial crime lens on TIBER test results could highlight other business and risk areas, such as privileged access management issues. TIBER outcomes could also feed into insider risk mitigation, as financial crime seeks to abuse the functionality of certain users (such as accepting fake clients, or approving illicit transactions – comparable to an insider turned rogue). A more holistic red team approach across cyber, fraud and AML would likely identify the full criminal cycle of many of the more sophisticated criminal intrusions affecting banks.
- IT change strategies. Insights from the two previous points can be incorporated into security-by-design features when a firm embarks on a digital transformation program. Having an ‘in practice’ view of how systems are compromised, including the social engineering methods that could be used to exploit vulnerabilities, could indicate the need for extra – or different – types of controls (such as stricter change management of automated software deployment) on certain critical processes. It can serve as an eye-opener on the complexity of a firm’s systems, and build a case for prioritising IT security change programs on certain IT systems or processes.
Finally, TIBER tests will likely affect many different parts of an organisation, directly or indirectly. TIBER-prompted remediation can be used to create or solidify communication and collaboration between teams that will need to work together for the planning and safe execution of future IT change programs.
How can executives start planning for the future of TIBER tests?
The EBA’s final guidelines, and the upcoming EIOPA guidelines, will already make TIBER tests relevant to a larger number of firms than today. However, the roll-out will be gradual as supervisors build up their internal expertise, set up teams to manage relationships with both firms and ethical hackers, and decide on the best governance arrangements for these tests (such as whether the supervisory authority or the central bank should coordinate them).
Firms should seize the opportunity to start building their own programs for TIBER tests, if they have not yet started doing so. The following steps can form the basis for preparing effectively for them in future:
- Carry out related but less invasive types of tests. TIBER tests are arguably the most advanced type of cyber testing. Firms that already conduct vulnerability scanning, penetration testing, and other important but less invasive types of cyber tests will have laid the foundations, and created a culture, that will facilitate their move towards TIBER testing.
- Ensure buy-in from the board. TIBER tests and their remediation plans should form part of an IT strategy and feed into other IT strategy areas of the firm. They can be costly and need to be carefully planned, but will be better value for money if done thoroughly and supported by an adequate budget. Firms that have a dedicated cyber expert or ‘champion’ on the board will better translate the value of these tests to the rest of their board members.
- Communicate early with supervisors about the purpose and rollout of these tests. Firms that have cross-border operations should engage early with their supervisors in different jurisdictions. Ensuring coordination across geographies when possible may be lengthy, but can pay off by reducing duplicative exercises. The ECB has made TIBER tests mutually recognisable by different jurisdictions, so long as the firm that carries them out complies with all the mandatory requirements of the TIBER-EU framework. This is a good step forward. However, it will not happen automatically and necessitates close coordination between the ECB, local authorities, and the firm in question.
The use of TIBER testing as a supervisory tool is still maturing, and the EU’s approach to regulating cybersecurity in the financial sector will still be years in the making. However, TIBER tests are very likely to become a more prominent part of the supervisory toolkit going forward. The evolution of digital business strategies, cloud adoption and the constant mutation of the technology threats firms will face make this an inevitable outcome. Firms that put in place the right programmes early on, and recognise the tests’ value to strengthen their overall cyber and operational resilience strategies will face this change more confidently.