Financial sector functions, services and data have long been in digital form. It is crucial for the continued operation of this critical infrastructure to be able to protect them against cyber attacks. Financial sector entities make large investments in the cyber security design, implementation and monitoring of their information systems and services. In addition to these activities, it is also important to verify through testing that external attackers do not have opportunities to influence the operation and integrity of the services. The best way to achieve this is to apply testing methods that emulate how cyber criminals and other advanced threat actors assess the attack surface and execute their attacks.
The European Central Bank (ECB) published the TIBER-EU framework in May 2018. TIBER-EU is a systematic, controlled and up-to-date cyber security threat intelligence-based framework for Red Team security testing. The objective of the framework is to produce observations for improving protection of the financial infrastructure and financial entities against targeted cyber attacks.
TIBER-EU is intended to be applied and adopted nationally. The Bank of Finland owns and is responsible for the implementation of TIBER-FI in the Finnish financial sector. The Bank of Finland released the first TIBER-FI Implementation Guideline in April 2020. Adoption of the framework is voluntary for financial sector entities.
The TIBER-FI framework is compatible with other national TIBER applications. This allows cross-border cooperation in those cases where a financial entity is testing functions under several jurisdictions.
Purpose of the framework
TIBER-FI is a framework created for Finnish financial sector entities. It contains a testing procedure for ensuring that the critical functions of the financial sector are protected against targeted cyber attacks.
At the core of TIBER-FI are cyber security tests targeted at the critical information systems of the entities. Financial entities resource, plan, and organize these tests themselves according to the procedure. The Bank of Finland supports the entities by providing guidance, a financial sector general threat landscape report, and Test Manager support services. Recent cyber security threat intelligence on the financial sector and on the individual entities is used in scoping the testing efforts.
The objectives of the TIBER-FI framework are to
- support cyber resilience of financial entities
- improve cyber resilience of the entire financial sector
- advance good Red Team testing practices across the financial sector in Finland, and
- support cross-border testing of multinational entities.
Cyber resilience refers to the capability to predict, prevent, detect and respond to cyber attacks, and to recover from them, in such a way that their effects on critical functions are prevented or minimized. By participating in TIBER-FI testing, each entity tests its own cyber security capabilities and uncovers ways to improve them in the event of an attack. It is important for the resilience of the financial sector that each participating entity has an appropriate level of cyber security capability.
TIBER-FI testing is particularly focused on critical financial sector functions. From a societal security point of view, the critical financial sector functions are (Government Decision on the Objectives of Security of Supply 1048/2018):
- the provision of financial and insurance services
- payment transactions
- settlement, delivery and safekeeping of securities
- the cash supply system
- the card payment infrastructure and card verifications
- financial operations of the daily consumer goods retail trade.
TIBER-FI is designed to be compatible with the TIBER-EU framework and guidelines. In cases where the guidelines differ, TIBER-FI guidelines are applied in Finland.
The TIBER-FI framework was created by the Bank of Finland, and the central bank offers services to participating financial entities. The core elements of the framework are
- participating entities and their roles,
- supporting documentation – financial sector general threat landscape report and legal framework,
- procedural principles and phase descriptions.
Financial entities enroll to participate in TIBER-FI at their own discretion. No fee is collected for participation.
Collaboration between authorities
Several European authorities have introduced their own national applications of TIBER-EU. Collaboration between authorities is necessary in cross-border testing. The Bank of Finland maintains contact with other relevant authorities to ensure that a planned TIBER-FI test complies with local TIBER testing requirements.
Lifecycle of this guideline
The Bank of Finland released the first version of this guideline in April 2020. Financial entities were consulted during the creation of the guideline, and the central bank welcomes all feedback on its practical application. The guideline will be updated annually based on the feedback and experience received.
The Bank of Finland will inform entities about updates to the guideline. The latest version of the guideline is available from the central bank’s web site at www.bof.fi/en/tiberfi.