
ECB backs "ethical hacking" to test cyber defenses

3 May 2018

Europe-wide approach for simulating cyber-attacks on financial institutions and market infrastructure

The European Central Bank is seeking to harmonize efforts across Europe to use "ethical hacking" to test the financial sector's resilience to cyber-attacks. The central bank published a document on May 2 that outlines how regulators can deploy teams of hackers to simulate attacks on banks, payment systems and other financial entities. The document, formally known as the European Framework for Threat Intelligence-based Ethical Red Teaming or TIBER-EU, is designed to support tests that mimic real hackers in terms of techniques, tactics and procedures. The framework can be used for any type of financial sector entity, including exchanges and central counterparties.

Although it is up to the relevant entities to determine if and when TIBER-EU tests are performed, some jurisdictions such as the Netherlands and the U.K. have already implemented this type of controlled hacking to test cyber-defenses in the financial sector. The ECB noted that as jurisdictions develop their policies in this area, there is a risk that incompatible frameworks could emerge. The central bank therefore developed this framework to standardize and harmonize these efforts and create a protocol for cross-border collaboration.

In related news, the ECB launched a public consultation on April 10 on the resilience of financial market infrastructures to cyber-attacks. The consultation puts forward a set of "expectations" that will guide regulators in the euro area as they determine the level of resilience at each FMI. The expectations also are intended to provide FMIs with concrete suggestions to enhance their cyber resilience.
