TIBER-DE: Threat Intelligence-based Ethical Red Teaming in Germany

Cyber resilience of the financial system

Owing to increasing digitalisation and a high level of interconnectedness, the financial system is particularly exposed to cyber risks. At the same time, successful attacks can cause considerable damage that may extend far beyond the affected enterprise and sector, producing a systemic effect and serious consequences for the real economy and the general public. It is therefore particularly important for financial enterprises to enhance their resilience to cyber attacks continuously and preventively, and to test it rigorously using modern methods.

TIBER-EU: A framework for threat-led penetration tests

In 2018, the European System of Central Banks adopted TIBER-EU (Threat Intelligence-based Ethical Red Teaming), a framework for threat-led penetration tests. The framework sets rules and minimum standards under which enterprises can have ethical hackers assess their cyber resilience. The purpose of these tests is to reveal vulnerabilities in the firm's security, identify specific needs for improvement and close security gaps. A TIBER-EU test is therefore not a pass-fail test: it is deemed successful if it has been performed correctly. The TIBER-EU framework provides for mutual recognition of test participation among those member states where it has already been implemented.

TIBER-DE: Implementation in Germany

In summer 2019, the Federal Ministry of Finance (BMF) and the Deutsche Bundesbank resolved to implement the framework in Germany as a service provided by the Deutsche Bundesbank, aimed primarily at banks, insurers, financial market infrastructures and their key service providers. Participation in TIBER-DE tests is voluntary: TIBER-DE is not a supervisory instrument. The TIBER-DE implementation document ("Implementation of TIBER-DE") was revised in autumn 2021 to incorporate the practical experience gained from the first TIBER-DE tests. Version 2.0 of the document introduces changes aimed in particular at further optimising both the test procedure and risk management during test execution. Interested enterprises can obtain more information about the test modalities on a non-binding basis.