Technology is a key element allowing financial institutions and market infrastructures to offer their services in a reliable and safe way, aligned with their strategy and business model. Therefore, it is paramount that institutions reduce their vulnerabilities and have an effective and mature cyber security control environment. However, this task will be successful as far as institutions are capable to face a real cyberattack.
In that sense, Threat Led Penetration Testing (TLPT) aim to anticipate, to the extent possible, the impact that a real cyberattack could have on an institution. In order to do so, this type of advanced cyber security tests simulate a cyberattack using Tactics, Techniques and Procedures that a sophisticated attacker could use. Hence, this tests constitute a powerful tool to improve financial sector’s cyber resilience.
The Executive Commission of the Banco de España approved the adoption of the TLTP framework published by the ECB (TIBER-EU) for the Spanish financial sector.
The national framework will be called “TIBER-ES” and aims to strengthen the cyber resilience of financial institutions operating in Spain. For this reason, the Bank of Spain is the authority taking ownership of the national framework, in close cooperation with the CNMV (National Securities Market Commission) and the DGSFP (Directorate General of Insurance and Pension Funds).
TIBER-ES complies with the principles of TIBER-EU, thereby ensuring that tests conducted under the local framework will be recognised by authorities in other jurisdictions which have also adopted TIBER-EU locally. To this end, it observes, inter alia, requirements for the test to be conducted on production environments and executed by external third-party providers.
TIBER-ES implementation guide
The implementation guide is part of the TIBER-ES framework and has been developed by the TIBER Cyber Team (TCT) led by the Banco de España, in close cooperation with the CNMV and the DGSFP.
The purpose of the document is to specify the conditions for the execution of TLPT tests under TIBER-ES framework. Those TIBER-EU’s basic principles and concepts deemed fundamental are detailed in the document and therefore tests must comply with them. Apart from those requirements, the document is intended to be a guide and not a prescriptive inventory of activities.
Other relevant documents and templates
The implementation guide must be read along with the TIBER-EU framework and its accompanying documents published by the ECB, inter alia, the TIBER-EU Services Procurement Guidelines and the TIBER-EU White Team Guidance. All references to documents and templates published by the ECB included in the implementation guide can be found in the TIBER-EU web page:
How to express interest about the framework
Even though any financial institution or market infrastructure operating in Spain, voluntarily, may decide to undergo a TIBER-ES test, the sophistication of these tests makes them advisable only for institutions that have achieved a certain level of maturity in cyber resilience.
The TCT will consider these circumstances to accept or deny test requests. In any case, TIBER-ES seeks to act as an effective catalyst for the improvement of cyber security capabilities of all institutions to a level where they will be ready to undergo this type of tests.
Financial institutions or market infrastructures may contact for clarification or express their interest in taking a test under TIBER-ES framework by using the mailbox email@example.com .