Regulators and financial institutions delve into the impact and scope of the TIBER-EU project, the framework launched by the ECB to strengthen the cybersecurity of financial institutions, and of the future DORA regulation on cyber resilience, promoted by the European Parliament.
The European Central Bank, the Bank of Spain, the National Securities Market Commission (CNMV), and all the Spanish banks have today delved into the scope and impact of TIBER and DORA, the major innovations promoted in the field of cybersecurity for the financial sector.
On the one hand, there is TIBER-EU, the framework initially planned by the European Central Bank (ECB), which has subsequently given rise to TIBER-ES with the help of the Bank of Spain, to strengthen the cybersecurity structures of financial institutions in the face of the growing number of cyber-attacks they endure every day. On the other hand, the DORA (Digital Operational Resilience Act) regulation is the initiative planned by the European Parliament to improve the cyber resilience of financial institutions.
Regulators and financial institutions flocked to the conference on TIBER and DORA organized by Tarlogic Security. The cybersecurity company has convened a high-level event in the capital of Spain to analyze what is already, in its own right, the largest cybersecurity initiative launched by the EU authorities in their entire history.
The meeting convened by Tarlogic was attended by managers of the European Central Bank, the Bank of Spain, the CNMV, and the Directorate General of Insurance and Pension Funds, as well as executives from all Spanish financial institutions.
During the course of the day, experts from different fields focused on the approaches of the TIBER framework and the DORA regulation, both in terms of their potential and the demands they pose for the future.
Bank of Spain managers participated in one of the presentations of the day, specifically the one related to the TIBER framework and the DORA regulation, a European Parliament initiative aimed at transforming the response capacity of financial institutions in the face of digital risk.
DORA is set to provide a common regulatory framework on cyber resilience for all financial institutions operating in Europe. In short, it is a way to regulate how companies manage growing digital risks.
Cyber-attacks, a growing risk
The data, in this regard, is very revealing. Over the past few years, countless banks and financial regulators have been victims of cyber-attacks.
This regulatory environment is going to find a very powerful ally in the other central issue of the event convened today by Tarlogic Security: the Red Team exercises based on threat intelligence, also known as TIBER.
These exercises are the strategic pillar of the TIBER-EU project promoted by the European Central Bank. They aim to detect cybersecurity weaknesses so that they can be remedied, thus strengthening the defense structures of institutions whose stability is essential to the system.
Tarlogic Security decided a few months ago to take the initiative in this area in view of its deep expertise in cybersecurity in the financial sector. This accumulated knowledge largely explains the decision to convene this high-level conference.
Company managers and professionals explained the particularities of the DORA regulation and the TIBER framework, as well as the added value of the exercises they have designed for the banking sector, which already follow the concepts established by both Brussels and Madrid.
Cyber Intelligence and Red Team, the strategic alliance
Basically, the TIBER framework proposes a harmonized approach combining Cyber Intelligence techniques with those of Red Team services.
What is the goal? To analyze threat scenarios independently of both the financial institution and the Red Team provider, i.e. by basing the design of the exercises on the threats identified by a Cyber Intelligence provider.
In this context, the scenarios will be initially proposed by the Cyber Intelligence professionals, so that the Red Team can then simulate sophisticated cyber-attacks on banks, stock exchanges, and financial institutions in general.
A few days ago, the Bank of Spain published a TIBER-ES Implementation Guide that establishes a sort of roadmap and subscribes to the fundamentals of the program proposed by the ECB. In a way, the European regulator intends to do today with the cybersecurity of banks what it once did with their financial health by imposing stress tests.
These exercises will be voluntary (there are financial institutions already performing exercises under a TIBER scheme), but in the European cybersecurity community, it is taken for granted that, sooner or later, they will be mandatory for the European financial system.
Why? Mainly because the world’s monetary authorities (from the IMF to the ECB to the Fed) fear that a major cyber incident involving the financial system could trigger a systemic crisis.
Today, in Madrid, Tarlogic Security, the ECB, the Bank of Spain, and Spanish financial institutions worked to lay the groundwork for this scenario to remain in the realm of the hypothetical.