Danmarks Nationalbank is working to increase its resilience to cyberattacks, both in the financial sector and in relation to its own critical systems. The cross-sectoral work is done by the FSOR – Financial Sector forum for Operational Resilience – among others, while Danmarks Nationalbank itself is the authority for the TIBER-DK programme and conducts surveys of cyber resilience in the financial sector.
Cyber resilience collaboration
In 2016, Danmarks Nationalbank and the financial sector established a public-private collaboration forum called the Financial Sector forum for Operational Resilience, FSOR. The collabo-ration is voluntary, yet binding. The purpose is to increase operational resilience across the financial sector, including resilience to cyberattacks. The FSOR participants are the key finan-cial institutions, Nordic Financial CERT, industry organisations and authorities, including the Centre for Cyber Security. Danmarks Nationalbank act as chair and secretariat for the collaboration.
Danmarks Nationalbank and the FSOR have conducted a risk analysis identifying the greatest risks to the financial sector. Twice a year, the FSOR discusses the identified risks and whether joint measures could be implemented to minimise the risks. This includes a crisis management plan at sector level, tasked with cross-sector coordination in the event of a systemic crisis.
In addition to its collaboration with the most important players in the Danish financial sector, Danmarks Nationalbank is also working as an authority to increase cyber resilience. Danmarks Nationalbank oversees the safety and efficiency of the systemically important payment and settlement systems and the most important payment solutions.
TIBER-DK – a red team test of cyber resilience in the financial sector
Danmarks Nationalbank and the financial sector have joined forces to establish a red team test programme, TIBER-DK. Its purpose is to strengthen the cyber resilience of each test participant and of the financial sector in general in order to promote financial stability in Denmark.
TIBER stands for Threat Intelligence-Based Ethical Red-teaming in a framework developed by the European Central Bank. TIBER-EU is the term for the pan-European framework, while TIBER-DK refers to the Danish national implementation. TIBER-DK was introduced in December 2018, and the first tests started in January 2019.
How a TIBER test works
In brief, TIBER-DK concerns learning more about how the individual organisations protect their societally critical functions against cyberattacks.
In a TIBER test, the participants are to identify, prevent and respond to attacks by ethical hackers to protect their critical systems and prevent the attacks from causing damage. This type of test is called a red team test, referring to the division of the parties involved. The ‘red team’ is the ethical hackers who will try to attack one or more systems in an organisation. The ‘white team is a small group of people within the tested organisation, whom are aware of the test and responsible for the planning and coordination of the test, while the ‘blue team’, consists of those of the organisation’s employees, that should stop the attacks and prevent damage. The blue team is unaware that the test is taking place. See more in the figure below.
The tests take place in live systems, i.e. the systems that are used directly in everyday life. The purpose is to test whether and how hackers can harm activities critical to society, and to gain knowledge and insight from this.
The ethical hacker attacks are based on concrete threats, meaning that the tests simulate real tactics, techniques and procedures from active hacker groups. In order to keep track of and identify these actors and their methods, an annual generic threat landscape report is prepared for the TIBER tests. This report is prepared by the Nordic Financial CERT involving relevant parties.
Danmarks Nationalbank is the Lead Authority for TIBER-DK and plays a coordinating role supporting the implementation of the test process in the organisations.
Danmarks Nationalbank was among the first central banks in Europe to carry out TIBER tests.
Distribution of roles in a TIBER test
Survey of cyber resilience in the financial sector
Danmarks Nationalbank conducts questionnaire surveys to examine the cyber resilience of key players in the financial sector. The surveys have been carried out since 2016 and include the large banks and mortgage credit institutions as well as key infrastructure companies in the FSOR.
In the surveys, participants self-evaluate their current level of cyber resilience, and the aggregate responses provide a snapshot of the overall level in the sector. The key messages from the latest survey are outlined below.
Cyber resilience in the Danish financial sector 2020
The survey points to sustained and significant progress compared to the previous surveys, but there is still room for improvement. The requirements are continuously tightened as a result of the development in the threat landscape in the cyber area. For the first time, the survey also covers the cyber resilience of operational members’ suppliers.
Cyberattacks can threaten financial stability
Cyberattacks can have consequences that go beyond the specific system under attack. There is a risk that potential hackers can exploit access to one system to gain access to the next. But the mere fact that one system is taken out of service can affect the operation of other systems, as many systems are interdependent. Accordingly, cyberattacks constitute a systemic risk and can pose a threat to financial stability.
Cyber risk has been described several times in the analysis series ‘Financial stability’, which Danmarks Nationalbank publishes twice a year. You can see excerpts of and download the analyses below.