The Malta Financial Services Authority (MFSA) has released a public consultation regarding the adoption of the Threat Intelligence-Based Ethical Red-Teaming (TIBER-EU) framework, noting the links between the requirements set out under TIBER-EU and the requirements applicable to the newly enforceable Digital Operational Resilience Act (DORA).  

TIBER-EU was the first EU-wide guideline, issued in 2018, on how authorities, critical entities (including financial entities) and threat intelligence/red-team providers should conduct cyber security testing using controlled cyberattacks. It is a common framework that delivers a controlled, bespoke, intelligence-led red team test of entities’ critical live production systems. These tests mimic the tactics, techniques and procedures (TTPs) of real-life threat actors who, on the basis of threat intelligence, are perceived as posing a genuine threat to entities. The test involves the use of a variety of techniques to simulate an attack on an entity’s critical functions and underlying systems (i.e. its people, processes and technologies). It helps an entity to assess its protection, detection and response capabilities. The test does not result in a pass or fail but is intended to enable the entity to learn and evolve to a higher level of cyber maturity.

Financial entities in scope of the TIBER-EU framework are payment systems, central securities depositories, central counterparty clearing houses, trade repositories, credit rating agencies, stock exchanges, securities settlement platforms, banks, payment institutions, insurance companies, asset management companies and any other service providers deemed critical for the functioning of the financial sector.

TIBER-EU introduced five different teams with specialised roles:

  1. Blue Team – the entity subject to the test
  2. Threat Intelligence Provider – the company analysing the possible threats through investigation
  3. Red Team – the company carrying out the simulated attack
  4. White Team – the people within the entity who know that the test will happen and cooperate with the TIBER Cyber Team
  5. TIBER Cyber Team – the authority responsible for overseeing the test

Within DORA’s aim to increase digital operational resilience, new requirements oblige certain financial entities to conduct advanced testing based on threat-led penetration testing (TLPT), thus requiring all EU member states to follow the TIBER-EU framework. Specifically, DORA requires authorities to identify the financial entities subject to the obligation to perform TLPT.

To help authorities identify the applicable financial entities, DORA specifies that financial entities may only use testers for the carrying out of TLPT which:

  1. Possess the highest suitability and reputability;
  2. Possess technical and organisational capability, with expertise in threat intelligence, penetration testing and red-team testing;
  3. Possess certification from an accredited body or adhere to a formal code of conduct or ethics framework;
  4. Provide independent assurance (or audit reports) relating to the sound management of risks associated with carrying out TLPT; and
  5. Possess full professional indemnity insurance.

The consultation aims to obtain the stakeholders’ opinions before the implementation of the TIBER-EU framework by determining:

  1. Whether financial entities believe they should fall within the scope of advanced testing based on TLPT as provided by DORA and/or the TIBER-EU framework every 3 years;
  2. The level of experience of organisations in the field of Threat-Led Penetration Testing; and
  3. Overall data collection on the current testing and opinions on the TLPT.

Interested stakeholders are invited to submit their opinion via email to the MFSA by not later than 6th April 2023.

For further information and assistance kindly contact Dr Ian Gauci.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.