
Good Practice Guide

Fostering Financial Sector Cyber Resilience in Developing Countries
The Way Towards Threat Penetration Testing

March 2023

Government
Contents

Executive Summary
Introduction
1.0 Cyber Resilience and Cyber Maturity
  1.1 Inherent Cyber Risk
  1.2 Assessing Cyber Maturity
2.0 In-Focus: Different Forms of Testing
3.0 Threat Led Penetration Testing / Intelligence Led Penetration Testing
  3.1 Historical and Geographical Contexts of Threat-Led Penetration Testing
  3.2 Common Elements of Threat-Led Penetration Testing Frameworks
  3.3 The Different Phases in a Threat-Led Penetration Testing
4.0 Threat Intelligence & Red Team Service Providers: Trust & Assurance
  4.1 Threat Intelligence Service Providers
5.0 Considerations for Authorities
  5.1 Threat Intelligence Penetration Testing: Some Practical Considerations for Authorities

2 Fostering Financial Sector Cyber Resilience in Developing Countries - The Way Towards Threat Penetration Testing Good Practice Guide
Executive Summary

Ongoing digitalisation in the financial sector in recent years has seen considerable take-up of financial inclusion - bringing less-privileged people into the financial system and giving them access to credit, savings and payment services.

However, recent studies show cyber resilience of financial entities in developing countries is often relatively low, leaving them and their clients considerably exposed to cyber risks. Therefore, authorities in developing countries have stepped up their efforts to improve financial sector cyber resilience. One common element being considered in the respective cyber resilience strategies is testing - more specifically, Threat Led Penetration Testing.

Threat Led Penetration Testing (TLPT, or Intelligence-Led Red Team testing) is a controlled attempt to compromise the cyber resilience of an entity by simulating the behaviour (i.e. the tactics, techniques and procedures) of real-life threat actors, making use of ethical hackers and targeted threat intelligence collected for this purpose.

TLPT is especially suited for entities that play a key role in the financial system and/or real economy and should only be applied to financial entities which are ready for it. These are entities which are relatively "cyber mature": they have basic cyber risk controls in place (also called basic "cyber hygiene") and have implemented relatively sophisticated risk mitigation measures in risk management domains such as governance, identification, protection, detection and recovery.

Less cyber mature entities should limit themselves to vulnerability assessments, penetration tests and scenario-based tests first, before undertaking this higher form of testing.

Threat Led Penetration Tests harbour elements of risk, owing to the criticality of the target systems, people and processes involved in the test, highlighting the need for active and robust risk management. One element of such risk management is the quality of the Threat Intelligence and Red Team service providers and their respective personnel.

So, a careful selection process is crucially important to the success of a TLPT test and for continuity of the respective financial entity.

An independent, not-for-profit accreditation and certification initiative - like CREST - can help financial entities and authorities alike in ensuring this much-needed high quality.

CREST builds trust in the digital world by raising professional standards and delivering measurable quality assurance for the global cyber security industry. By taking a collaborative approach and expressing the expectation that threat intelligence and Red Team service providers have CREST accreditation and cyber security professionals have CREST certification, a financial authority can contribute to a more mature market for cyber security services in its respective jurisdiction, benefiting all.

Executing a TLPT programme is a long-lasting endeavour. Not only because the threat intelligence led Red Team tests on the eligible financial entities take time, but also because the capacity constraints at the authority in charge and the limited number of qualified threat intelligence and Red Team service providers mean few tests can take place at the same moment.

Next to that, threat led penetration testing is about learning and evolving; it is not meant to be a one-off exercise.

The paper concludes that if authorities - after careful consideration - pursue a Threat Led Penetration Testing programme, it will not only facilitate the improvement of cyber resilience of their most critical financial entities, it will also contribute to the maturing of the local market for cyber security services, benefiting other non-critical companies and society at large as well.

For the sake of common interest, achieving this objective requires close and constructive collaboration between all parties, private and public.

Introduction

February 2016 was a watershed moment in thinking about cyber security and cyber resilience. Although on the agenda for years, the
partly successful cyber heist on the Central Bank of Bangladesh made financial institutions and financial authorities realise that efforts
to prepare for, and to protect from, cyber-attacks needed to be stepped up considerably.

Global developments since 2016 have further underscored the need to improve the cyber resilience level of financial entities - and the whole financial sector. Large-scale rapid digitalisation of financial products and services and supply chain extension by increasing use of third-party entities, combined with geopolitical tensions, have provided even more opportunities and motivations for individual hackers, malicious insiders, organised crime groups and nation-states alike.

While this applies to all countries, developing countries have an additional element. Ongoing digitalisation in the financial sector has provided the opportunity for considerable improvements regarding financial inclusion, i.e. bringing less-privileged people into the financial system and giving them access to credit, savings and payment services.

Financial inclusion has been a top priority among the international community since the G20 recognised it as one of the main pillars of the global development agenda in 2010.

"Between 2017 and 2021 alone, the average rate of account ownership in developing economies increased by another 8 percentage points, from 63 percent of adults to 71 percent of adults, increasing the number of banked adults with many millions."1

By 2030, two billion new users will store money and make payments on their phones. Many financial inclusion efforts rely on leapfrogging to digital financial services - and are changing the level and type of interdependencies of the financial system and tech companies.2

While this is clearly a success, it also has exposed the formerly unbanked to cyber risk. Any theft of their digital savings, malicious alteration of their data, or obstruction of the financial infrastructure in general, can affect the less-privileged hardest, directly endangering their businesses, families and possibly even their lives. However, recent studies show the level of cyber resilience of financial entities in developing countries is often relatively low,3 leaving them and their clients considerably exposed.4 Central banks and financial authorities have an important task in increasing the level of their financial sector's cyber resilience. Since 2016, many authorities have developed and implemented cyber resilience strategies, including operational guidelines and cyber resilience expectations focusing on individual entities; others - especially in developing countries - are stepping up.

1 The Global Findex Database 2021 (World Bank Group, 2022).
2 FinCyber Strategy Project: Cybersecurity and Financial Inclusion (Carnegie Endowment for International Peace).
3 See for example the results of the CMAGE Project, funded by the Bill and Melinda Gates Foundation.
4 See Cyber Threats to the Financial Sector in Africa (World Bank & SecAlliance, March 2022) for an intelligence-led analysis of the current threat landscape for the financial-service sector across Africa.

One common element being considered in cyber resilience strategies is Threat Led Penetration Testing. This paper describes in relatively general terms what Threat Led Penetration Testing is, what different frameworks exist and what these have in common.

More importantly, this paper clarifies that Threat Led Penetration Testing is to be applied only to relatively "cyber mature" financial entities.

So, we ask why that is - and how to define cyber maturity. What steps can be taken to achieve the appropriate level of cyber maturity?

To answer these questions, this paper interprets, relies upon and refers to documents and policies from several financial authorities.

1.0 Cyber Resilience and
Cyber Maturity
1.1 Inherent Cyber Risk

Cyber resilience is an organisation’s ability to carry out its mission by anticipating and adapting to cyber threats and other relevant
changes in the environment, and by withstanding, containing and rapidly recovering from cyber incidents.5

An organisation with a relatively high level of cyber resilience capabilities is generally understood as relatively "mature".

Before defining what "cyber maturity" entails, you could say the more an organisation is exposed to cyber risk (its inherent cyber risk level), the more cyber mature this organisation needs to be to ensure its continuity.6

Generally speaking, a fully paper- and trust-based local micro-lending scheme will have a low inherent cyber risk level, if at all.

An established financial entity using highly complex digital technologies to deliver a myriad of products and services across multiple delivery channels will understandably have a high inherent cyber risk level.

To define which inherent cyber risk category a financial entity would fall into (low, medium or high), the business and operational aspects of a financial entity need to be taken into account. These include:

• Technology being used
• Delivery channels in use
• Products and technology services offered
• Business size
• Organisational characteristics, and
• The entity's track record of cyber threats.

Financial entities of systemic importance for the financial system7 automatically fall under the high inherent risk category, as in the event of their distress or failure, they could cause significant disruption to the financial system and the broader economy.

These financial entities should have the highest level of cyber maturity, and if they don't have it yet, they should strive for it.

Whether FinTech challenger banks and mobile payment service providers in developing countries fall into the category of medium or high inherent cyber risk depends on the assessment.

These new actors - which often offer fully digital financial services, mostly via mobile channels - have contributed considerably to improvement in financial inclusion.

However, any issues regarding their confidentiality, integrity or availability have the potential to directly endanger their clients' businesses, families and possibly even their lives.

5 FSB Cyber Lexicon (November 2018).
6 The concept of inherent risk assessment referred to in this chapter is an important element of the Cyber Resilience Assessment Framework (C-RAF) of the Hong Kong Monetary Authority (HKMA).
7 In general this could include: payment systems, central securities depositories, central counterparty clearing houses, trade repositories, credit rating agencies, stock exchanges, securities settlement platforms, banks, payment institutions, insurance companies, asset management companies, and any other incumbent and new service providers deemed critical for the functioning of the financial sector.


To help organisations enhance their cyber resilience, standard setting initiatives have issued international standards and frameworks for
IT Security controls, including:8

• The NIST Cybersecurity Framework
• ISO/IEC 27002:2022 standard on Information security, cybersecurity and privacy protection
• ISACA's COBIT 5
• The Information Security Forum's Standard of Good Practice for Information Security
• The Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool.

Based on these standards and frameworks, financial authorities have developed their own guidance, guidelines and expectations specifically aimed at financial entities.

Two good examples of frameworks include the Hong Kong Monetary Authority's Cyber Resilience Assessment Framework (C-RAF)9 and the Cyber Resilience Oversight Expectations (CROE) developed by the European Central Bank and adopted by the World Bank under the Financial Inclusion Global Initiative.10

The novelty of both C-RAF and CROE is that these two frameworks distinguish three levels of cyber maturity, i.e. baseline/evolving, intermediate/advancing and advanced/innovating.

While C-RAF is more geared towards banks, the CROE is drafted with financial market infrastructures in mind. Nevertheless, both frameworks draw on the same principles and are to a certain level entity agnostic. They could be used by any financial entity and its respective authority to establish the current and expected level of cyber maturity.

8 For further detail see: NIST Cybersecurity Framework, ISO/IEC 27002, ISACA's COBIT 5 framework, the Information Security Forum's Standard of Good Practice for Information Security, and the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool.
9 C-RAF is part of the HKMA's Cybersecurity Fortification Initiative (originally launched in 2016 and updated in 2020), which is underpinned by three pillars: the Cyber Resilience Assessment Framework (C-RAF), the Professional Development Programme (PDP), and the Cyber Intelligence Sharing Platform (CISP).
10 The Financial Inclusion Global Initiative (FIGI) is a three-year programme implemented in partnership by the World Bank Group (WBG), the Committee on Payments and Market Infrastructures (CPMI), and the International Telecommunication Union (ITU), funded by the Bill & Melinda Gates Foundation to support and accelerate implementation of country-led reform actions to meet national financial inclusion targets, and ultimately the global 'Universal Financial Access 2020' goal.


As the audience of this paper are authorities and financial entities from developing and emerging economies, the Cyber Resilience Oversight Expectations (CROE) - as adopted by the World Bank - are used as reference from now on.11

Three levels of Cyber Maturity:

i Evolving level. Essential capabilities are established and evolve, and are sustained across the financial entity, to identify, mitigate and manage cyber risks in alignment with the Board-approved cyber resilience strategy and framework, and performance of practices is monitored and managed.

ii Advancing level. In addition to meeting the Evolving level, practices incorporate more advanced implementations (e.g. advanced technology and risk management tools) that are integrated across the financial entity's business lines and have been improved over time to pro-actively manage cyber risks to the financial entity.

iii Innovating level. In addition to meeting the Evolving and Advancing levels, capabilities across the financial entity are enhanced as needed in the midst of the rapidly evolving cyber threat landscape, in order to strengthen the cyber resilience of the financial entity and its ecosystem by pro-actively collaborating with its external stakeholders. The innovating level entails driving innovation in people, process and technology for the financial entity and wider ecosystem to manage cyber risks and enhance cyber resilience. This may entail developing new controls, new tools, or creating new information sharing groups.

Source: Cyber Resilience for Financial Market Infrastructures (page 9, World Bank / ECB, November 2019).

1.2.1 Ensuring Basic Cyber Hygiene Implemented

Before engaging in any programme to improve the level of cyber maturity of a respective financial entity, the first step is to ensure basic steps and measures have been taken to deliver a minimal level of protection against threat actors. While the classification "evolving" is referred to as the lowest level of cyber maturity in the CROE,12 even this classification implies several steps and measures have already been taken before even reaching that level.

To put it differently, basic cyber hygiene needs to be in place for any organisation having a digital presence. Supervisors and overseers are often confronted with financial entities which do not even have their basic cyber hygiene in order. This is confirmed by research executed in the context of the CMAGE project.13

11 Cyber Resilience Oversight Expectations (ECB, December 2018) and Cyber Resilience for Financial Market Infrastructures (FIGI - World Bank, International Telecommunication Union, Gates Foundation and CPMI, November 2019).
12 C-RAF refers to the lowest level as "baseline".
13 The CMAGE project provides insight into a country's cyber posture. This includes a country's banking sector, which is rated on a cyber maturity scale from 1 (low) to 5 (high) based on four indicators which capture the basic cyber controls: infrastructure vulnerability risk, architecture & access risk, email authentication risk, and information leakage risk. These four indicators relate to the primary risk management domain "protection" (see paragraph 1.2.2 of this chapter).


Passive reconnaissance of the external (internet facing) digital perimeter of many financial service providers14 in several African and Asian countries reveals that often controls (such as boundary firewalls and internet gateways, malware protection, patch management, allow listing and execution control, secure configuration, password policy and user access control, for example) are not properly implemented.15

The consequences of bad basic cyber hygiene can be dire, and include:

• Breached credentials
• Phishing
• CEO fraud
• Open ports
• Unpatched software, and
• Expired certificates.

These can result, for example, in a breach of the confidentiality, integrity and/or availability of data and systems.

1.2.2 Aspiring to the Next Level of Cyber Maturity

Assuming a financial entity has successfully implemented the basic cyber risk controls mentioned above, it can embark on the process of assessing the current level of its cyber maturity and of defining - together with the relevant supervisory authority - the aspired and/or expected level.

Authorities (supervisors and overseers) measure the level of an entity's cyber resilience (its so-called "cyber maturity") along five primary risk management domains:

• Governance
• Identification
• Protection
• Detection
• Response & recovery.

And three additional overarching domains:16

• Testing
• Situational awareness
• Learning & evolving.

To achieve resilience objectives, investments across these domains can be mutually reinforcing and should be jointly considered.17 An entity's relative maturity in all these domains defines whether it is ready to engage in regulatory-driven Threat Led Penetration Testing exercises.

14 E.g. retail and wholesale banks, sharia banks, micro-finance institutions, etc.
15 These seven basic cyber controls are taken as an example for this paper and form part of the Cyber Essentials, as defined by the UK government.
16 These five primary risk management domains and three additional overarching domains have found their way into the EU's Digital Operational Resilience Act (DORA). DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT-related services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member states. The core aim is to prevent and mitigate cyber threats.
17 Guidance on cyber resilience for financial market infrastructures (CPMI-IOSCO, June 2016).
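The basic-hygiene findings in 1.2.1 (missing boundary firewall, expired certificates, open ports, unpatched software) and the CMAGE indicators in footnote 13 (email authentication risk, information leakage risk) are exactly the evidence a passive look at an internet-facing perimeter yields, and a supervisor or entity can score it mechanically before any maturity assessment. The following is an added example, not code from the CREST guide or from any of the frameworks it cites: a small Python checker that takes such observations (apex and _dmarc TXT records, TLS certificate expiry, exposed TCP ports, the HTTP Server banner) and maps them onto four of the controls named above. It generalises the paper's observation into a reusable check rather than assessing any real entity. The domain names, the observations, the risky-port set, the 14-day expiry threshold and the assessment date are all constructed assumptions for the example.

```python
"""Passive external cyber-hygiene check over constructed observations.

Added example, not code from the CREST guide or the frameworks it cites.
Maps evidence from passive reconnaissance of an internet-facing perimeter
onto four basic-hygiene controls. Domains, observations, the risky-port
set and the expiry threshold are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
import re

# Ports a boundary firewall should not expose for a financial web presence
# (assumption for this example, not a list taken from any standard).
RISKY_PORTS = {21, 23, 445, 3389, 5900}
AS_OF = date(2023, 3, 1)  # constructed assessment date


@dataclass
class Observation:
    domain: str
    txt_records: list[str]    # TXT records at the apex (SPF lives here)
    dmarc_records: list[str]  # TXT records at _dmarc.<domain>
    cert_not_after: date      # notAfter of the TLS certificate on :443
    open_ports: set[int]      # TCP ports answering from the internet
    server_banner: str        # HTTP Server header, "" if absent


def spf_finding(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "no SPF record"
    if len(spf) > 1:
        return "multiple SPF records (invalid per RFC 7208)"
    terms = spf[0].lower().split()
    if "+all" in terms or "all" in terms:   # a bare "all" means "+all"
        return "SPF contains +all (authorises any sender)"
    if terms[-1].startswith("redirect="):   # delegated record, not followed here
        return None
    if terms[-1] not in ("-all", "~all"):
        return "SPF does not end in -all or ~all"
    return None


def dmarc_finding(dmarc_records):
    rec = next((r for r in dmarc_records if r.lower().startswith("v=dmarc1")), None)
    if rec is None:
        return "no DMARC record"
    tags = dict(kv.strip().split("=", 1) for kv in rec.split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        return "DMARC policy is p=none (monitor only)"
    if policy not in ("quarantine", "reject"):
        return "DMARC record has no valid p= tag"
    return None


def cert_finding(not_after, today):
    if not_after < today:
        return f"TLS certificate expired on {not_after.isoformat()}"
    if (not_after - today).days < 14:   # renewal-window threshold (assumption)
        return "TLS certificate expires within 14 days"
    return None


def port_findings(open_ports):
    return [f"port {p} exposed to the internet" for p in sorted(open_ports & RISKY_PORTS)]


def banner_finding(banner):
    # A product/version pair in the Server header is an information-leakage
    # indicator and points an attacker straight at known-unpatched builds.
    m = re.match(r"\s*([A-Za-z][\w-]*)/(\d+[\w.]*)", banner)
    return f"server banner discloses {m.group(1)} version {m.group(2)}" if m else None


def assess(obs, today):
    """Findings keyed by control; an empty list means the control looks in place."""
    email = [f for f in (spf_finding(obs.txt_records), dmarc_finding(obs.dmarc_records)) if f]
    return {
        "email authentication": email,
        "secure configuration": [f for f in [cert_finding(obs.cert_not_after, today)] if f],
        "boundary firewall": port_findings(obs.open_ports),
        "information leakage": [f for f in [banner_finding(obs.server_banner)] if f],
    }


def hygiene_score(findings):
    """(controls without findings, controls checked)."""
    return sum(1 for v in findings.values() if not v), len(findings)


# Constructed observations for two hypothetical domains.
SAMPLE_WEAK = Observation(
    domain="bank.example",
    txt_records=["v=spf1 include:_spf.example.net +all"],
    dmarc_records=["v=DMARC1; p=none; rua=mailto:dmarc@bank.example"],
    cert_not_after=date(2023, 1, 31),
    open_ports={22, 443, 3389},
    server_banner="Apache/2.4.29 (Ubuntu)",
)
SAMPLE_CLEAN = Observation(
    domain="mfi.example",
    txt_records=["v=spf1 include:_spf.example.net -all"],
    dmarc_records=["v=DMARC1; p=reject; rua=mailto:dmarc@mfi.example"],
    cert_not_after=date(2024, 1, 1),
    open_ports={443},
    server_banner="nginx",
)

if __name__ == "__main__":
    for sample in (SAMPLE_WEAK, SAMPLE_CLEAN):
        result = assess(sample, AS_OF)
        for control, items in result.items():
            print(sample.domain, control, "->", items or "ok")
        print(sample.domain, "hygiene score:", hygiene_score(result))
```

The checks are deliberately conservative: a DMARC record with p=none and an SPF record ending in +all are both counted as findings because neither stops a spoofed message, which is the precondition for the phishing and CEO fraud the paper lists. Real reconnaissance would feed the Observation from DNS queries, a TLS handshake and a port scan of the entity's own ranges; the scoring logic does not change.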


Figure 1: Guidance on cyber resilience for financial market infrastructures (CPMI-IOSCO, June 2016). [Diagram: the five primary risk management domains (governance, identification, protection, detection, response and recovery) encircled by the three overarching domains (testing, situational awareness, learning and evolving).]

The below summarises the key elements of the respective domains.18

Governance

Cyber governance refers to arrangements an entity has in place to establish, implement and review its approach to managing cyber risks.

Too often, cyber resilience has been delegated to the IT department, without a proper embedding of the topic into the wider strategy of the financial entity and without clearly defining the roles and responsibilities of management up to the level of the executive board. Effective cyber governance starts with a clear and comprehensive cyber resilience strategy and a more detailed framework that prioritizes the security and efficiency of the entity's operations.

The framework should define how the entity's cyber resilience objectives are determined, and outline its people, processes and technology requirements for managing cyber risks, including effectively responding to, and recovering from, cyber attacks.

It is essential the framework is supported by clearly defined roles and responsibilities of the Board and its management, and it is incumbent upon its Board and management to create a culture which recognizes that staff at all levels have important responsibilities in ensuring the entity's cyber resilience. Strong cyber governance is essential to an entity's implementation of a systematic, proactive approach to managing any prevailing and emerging cyber threats it faces. It also supports efforts to appropriately consider and manage cyber risks at all levels within the organization and to provide appropriate resources and expertise to deal with these risks.

Identification

Given a financial entity's operational failure can negatively impact its clients and even financial stability, it is crucial that such entities identify which operations and supporting information assets should be protected against compromise. This must be done in order of priority, as 100% protection against cyber threats is not possible.

The ability of an entity to understand its internal situation and external dependencies is key to ensuring effective response to potential cyber threats. This requires a financial entity to understand its information assets and processes, procedures, systems and all dependencies (including on third-party providers) to strengthen its overall cyber resilience posture.

18 Based on Cyber Resilience for Financial Market Infrastructures (FIGI - World Bank, International Telecommunication Union, Gates Foundation and CPMI, November 2019).


Protection

Cyber resilience depends on effective security controls and system and process design that protect the confidentiality, integrity and availability of a financial entity's assets and services. These measures should be proportionate to an entity's threat landscape and systemic role in the financial system, and consistent with its risk tolerance.

Financial entities should implement appropriate and effective measures in line with leading cyber resilience and cybersecurity practices to prevent, limit or contain the impact of a potential cyber event. The seven basic cyber controls mentioned earlier ("the basic cyber hygiene") fall mostly within this domain.

Detection

A financial entity's ability to recognise signs of a potential cyber incident, or detect that an actual breach has taken place, is essential to strong cyber resilience.

Early detection provides useful lead time to mount appropriate countermeasures against a potential breach. It also allows for proactive containment of actual breaches. Early containment could effectively mitigate the impact of the attack - for example, by preventing an intruder from gaining access to confidential data or ex-filtration of such data. Given the stealthy and sophisticated nature of cyber attacks and the multiple entry points through which a compromise could take place, a financial entity should maintain effective capabilities to extensively monitor for anomalous activities.

Response and Recovery

The ability of a financial entity to fulfil its obligations towards its clients and counterparts is crucial for its business continuity and - therefore - for financial stability.

It should be able to resume critical operations rapidly, safely and with accurate data, to mitigate the potentially systemic risks of failure to meet such obligations when participants are expecting it to meet them. Continuity planning is essential for meeting related objectives.

Testing

Testing is an integral component of any cyber resilience framework, i.e. any structured plan to address the above-mentioned five risk management domains. All elements of a cyber resilience framework should be regularly and rigorously tested to determine their overall effectiveness. This includes the extent to which the framework is implemented correctly, operating as intended and producing desired outcomes. Understanding the effectiveness of the cyber resilience framework in the financial entity and its environment is essential in determining the residual cyber risk to operations, assets and ecosystem.

Sound testing regimes produce findings that can then be used to identify gaps in stated resilience objectives and provide credible and meaningful inputs to the financial entity's cyber risk management process.

Analysis of test results provides direction on how to correct weaknesses or deficiencies in the cyber resilience posture and reduce or eliminate identified gaps.

Testing involves a range of activities starting at the level of rather basic vulnerability assessments, via penetration tests and scenario-based tests, up to high-end tests using external Red Teams guided by externally provided threat intelligence.19

19 These tests are called Threat Led Penetration Tests (TLPT) or Intelligence Led Red Teaming (ILRT) and are driven by regulatory frameworks, including TIBER-EU (EU), CBEST (UK) or iCAST (Hong Kong).


Situational awareness

Situational awareness refers to a financial entity’s understanding of the cyber threat environment, the business implications of being in that environment, and the adequacy of its cyber risk mitigation measures.

Strong situational awareness, acquired through an effective cyber threat intelligence process, can make a significant difference in the ability to pre-empt cyber events or respond rapidly and effectively to them.

Keen appreciation of the threat landscape can help a financial entity better understand the vulnerabilities in its critical business functions and adopt appropriate risk mitigation strategies. It can also enable a financial entity to validate its strategic direction, resource allocation, processes, procedures and controls with respect to building cyber resilience.

To achieve situational awareness, there needs to be active participation in information and intelligence-sharing initiatives and collaboration with trusted stakeholders in and outside the industry.20

Learning and Evolving

A financial entity’s cyber resilience framework needs to achieve continuous cyber resilience amid a changing threat environment.

To keep pace with the rapid evolution of cyber threats, an adaptive cyber resilience framework should be adopted.

This framework needs to evolve with the dynamic nature of cyber risks and allows an organisation to identify, assess and manage security threats and vulnerabilities for the purpose of implementing appropriate safeguards into its systems.

A culture of cyber risk awareness should be instilled, whereby the entity’s resilience posture, at every level, is regularly and frequently re-evaluated.

For each of the eight above-mentioned categories, more detailed expectations have been spelled out, on the basis of which the financial entity and its supervisor could assess the current level of cyber maturity of that entity and define its expected (i.e. to be reached) level.

As a rule of thumb, all financial entities should meet the lowest (evolving) level and strive for the next level of cyber maturity (advancing). Financial entities of systemic importance to the financial sector and the wider economy should meet the expectations set for the medium (advancing) level and aim to achieve the highest (innovating) level as soon as possible.21

20 For more information on the practical set-up and functioning of cyber information and intelligence sharing initiatives focusing on the financial sector, refer to the CIISI-EU initiative and its Irish equivalent CIISI-IE.
21 For further details, see CROE or C-RAF documentation.

2.0 In Focus: The Different Forms of Testing

Ensuring the appropriate level of cyber resilience in an ever-changing organisational, technological and threat environment requires
testing risk mitigation measures taken by the respective entity.

In general, there are four basic forms of testing:

• Vulnerability assessment
• Penetration testing
• Scenario-based (desk-top) testing, and
• Threat Led Penetration Testing (TLPT).22

While they differ in complexity, approach and intrusiveness, they all have their own advantages.

Vulnerability Assessment

Vulnerability Assessment - and with it, vulnerability scanning - is the simplest form of IT security testing. A vulnerability assessment is a systematic examination of an information system, its controls and processes, to determine the adequacy of security measures. It will identify security deficiencies, provide data to help predict the effectiveness of proposed security measures and confirm the adequacy of such measures after implementation.23

There are different types of vulnerability assessments, e.g. network-based assessments, host-based assessments, application assessments and database assessments.

Vulnerability scans - as part of vulnerability assessments - are predominantly executed in a fully automated way, identifying publicly known vulnerabilities and misconfigurations in a single system.

A comprehensive vulnerability assessment evaluates whether an IT system is exposed to known vulnerabilities, assigns severity levels to identified vulnerabilities, and recommends remediation or mitigation steps where required.

Vulnerability assessment - and especially vulnerability scanning - is part of the basic cyber hygiene measures any organisation with a digital presence should have implemented.24

Depending on the expected - or aspired - level of cyber maturity, it should be performed on a regular to continuous basis, up to a system- and organisation-wide scope.

22 Following definitions used by regulatory authorities, this paper uses the term Threat Led Penetration Testing (TLPT) for tests which mimic real threat actors and simulate real attacks. However, a term like “Intelligence Led Red-teaming” (ILRT) would provide a more accurate understanding and a clearer distinction from normal penetration testing.
23 See FSB Lexicon (FSB, November 2018).
24 Under the earlier mentioned CMAGE project (see footnote 12), a country’s banking sector cyber posture is established by performing a vulnerability assessment on those elements of an entity’s IT infrastructure which are directly connected to the internet.

Penetration Testing

Penetration Testing (or pen-testing) is a test methodology in which assessors, using all available documentation (system design, source code and manuals, for example) and working under specific constraints, attempt to circumvent the security features of an information system.25 Penetration tests provide a detailed and useful assessment of technical and configuration vulnerabilities, often within a single system or environment.

Next to vulnerability assessments and penetration testing comes scenario-based testing. While vulnerability assessments and penetration tests mainly focus on the technical side, scenario-based testing is more focused on the “soft” side of the organisation, its staff and its decision-making processes.

Scenario-based Testing

Scenario-based Testing is a desktop or simulation exercise, in which relevant board members and other senior managers are actively involved and have to answer questions like “what would you do if…”. While “walking and talking” through carefully prepared, extreme but plausible scenarios, an entity’s internal skills, processes and procedures are tested, with a view to achieving stronger operational resilience.

While vulnerability assessments, penetration tests and scenario-based tests are useful in their own right and “must-do’s” for any entity which relies on information systems for its activities, they do not mimic the real physical and online world in which an entity is active.

Both vulnerability scanning and penetration testing have the IT systems for which the security needs to be assessed as a starting point.

However, neither form of testing necessarily takes into account which business functions these systems support, which of these functions are really crucial for business continuity, which adversaries could be interested and why (e.g. money or data theft, espionage), and what hacking techniques might be employed.

Next to that, vulnerability assessments and pen-testing do not consider the physical component of testing. Sometimes, a successful cyber attack finds its origin in the accessibility for an outsider of a workplace, or in weaknesses in the physical security of a data centre. Furthermore, these tests do not assess the full scenario of a targeted attack against an entire entity (including the complete scope of its people, processes and technologies).

To provide an appropriate level of assurance that key financial services assets and systems are protected against technically competent, resourced and persistent adversary attacks, the level and sophistication of testing must be increased, and testers must be armed with up-to-date and specific threat intelligence.

25 See FSB Lexicon (FSB, November 2018).

Threat Led Penetration Testing

Threat Led Penetration Testing (TLPT, or Intelligence-Led Red Team Testing) addresses this.

Entities with cyber maturity at the evolving level are supposed to perform only vulnerability assessments, penetration tests and scenario-based tests, while entities with - or aspiring for - an advancing or innovating maturity level are supposed to also undertake TLPT.

Figure 2: Testing vs cyber maturity (figure; its labels are the test types Vulnerability Scanning, Penetration Testing, Scenario-based Testing and Threat Led Penetration Testing / Red teaming, set against the Basic Cyber Hygiene Level, the Evolving Level, and the Advancing and Innovating Level)

3.0 Threat Led Penetration Testing / Intelligence Led Penetration Testing

3.1 Historical and Geographical Context of TLPT

Threat Led Penetration Testing (or Intelligence Led Red Team Testing) is a controlled attempt to compromise cyber resilience by
simulating the behaviour (i.e. the tactics, techniques and procedures (TTPs)) of real-life threat actors, making use of ethical hackers
(the so-called “red team”).

It is based on targeted threat intelligence and involves simulating an attack on an entity’s critical economic and business functions (CFs)26 and underlying systems (people, processes and technologies), with minimal foreknowledge and impact on operations. Intelligence-led Red Team tests mimic the TTPs of advanced threat actors - whether malicious outsiders or an entity’s own staff - who are assessed by threat intelligence as posing a genuine threat to an entity.

A TLPT also includes a level of “reconnaissance”, i.e. the preparatory actions a threat actor undertakes to get a better insight into the entity’s digital footprint, its people, processes and security controls. The test helps assess an organisation’s protection, detection and response capabilities.

While vulnerability scanning and penetration testing focus on testing the cyber security of an entity’s information and information systems, scenario-based testing and Threat Led Penetration Testing can be considered as cyber resilience testing, with TLPT being the most sophisticated form, especially suited for entities which play a key role in the financial system and/or real economy and have already reached a certain level of cyber resilience maturity.

Authorities in several jurisdictions have set up TLPT frameworks and have urged their respective supervised entities (banks, FMIs etc.) to perform tests according to these frameworks.27

The first TLPT framework was developed in the UK by the Bank of England (CBEST, 2014),28 followed by The Netherlands (De Nederlandsche Bank, 2016). The European financial sector is relatively well integrated, and some financial entities started to express concerns regarding the risk of proliferation of different TLPT frameworks. Consequently, to ensure pan-European harmonisation in the development and roll-out of TLPT frameworks, the European Central Bank stepped in and developed the TIBER-EU framework (2018), which ensures maximum harmonisation, while still allowing for national specificities.29

26 For identifying a financial entity’s critical economic and business functions, most TLPT frameworks use the breakdown as developed by the FSB (Guidance on Identification of Critical Functions and Critical Shared Services / FSB, July 2013).
27 See Guidance on cyber resilience for financial market infrastructures (CPMI/IOSCO, June 2016, chapter 7).
28 See CBEST Threat Intelligence-Led Assessments - January 2021 (bankofengland.co.uk).
29 See What is TIBER-EU? (europa.eu). The TIBER-EU framework is entity agnostic and can be used outside the financial sector as well. It is also jurisdiction agnostic and can be implemented by authorities in non-EU countries.

Currently, TIBER-EU is implemented in 13 European countries,30 and more are expected to follow. The EU’s Digital Operational Resilience Act (DORA) requires financial entities to establish a sound and comprehensive digital operational resilience testing programme as an integral part of their ICT risk management, including up to Threat Led Penetration Testing.31

Outside Europe, TLPT frameworks have been developed and implemented in Singapore (AASE),32 Hong Kong (iCAST),33 Australia (CORIE),34 and Saudi Arabia (FEERT).35

These frameworks have been inspired by CBEST and TIBER-EU, and have benefited also from G7 guidance and work done by the Global Financial Markets Association.36

Figure 3: Illustration of additional scope of TLPT compared to traditional penetration testing (source: modified from HKMA’s C-RAF). The figure places the domains Governance, Identification, Protection, Detection, Response, Situational Awareness and Learning and Evolving under two legends: “Within scope of Penetration Testing and TLPT” and “Within additional scope of TLPT”.

30 Belgium, Denmark, Finland, Germany, Ireland, Italy, Norway, Portugal, Romania, Spain, Luxembourg, Sweden and The Netherlands, as well as the European Central Bank in its oversight capacity (status August 2022).
31 DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT-related services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member states. The core aim is to prevent and mitigate cyber threats.
32 “Red Team: Adversarial Attack Simulation Exercise” (The Association of Banks in Singapore ABS, November 2018).
33 “iCAST - Intelligence-Led Cyber Attack Simulation Testing” (Cyber Resilience Assessment Framework (C-RAF, Chapter 4), HKMA, November 2020).
34 “CORIE - Cyber Operational Resilience Intelligence-led Exercises” (Council of Financial Regulators, July 2020).
35 “FEERT - Financial Entities Ethical Red-Teaming” (Saudi Arabian Monetary Authority, May 2019).
36 See G7 Fundamental Elements for Threat-Led Penetration Testing (G7, October 2018), and A Framework for Threat-Led Penetration Testing in the Financial Services Industry (version 2 / GFMA, December 2020).

3.2 Common Elements of TLPT Frameworks

What all the TLPT frameworks have in common is strengthening the cyber resilience of supervised and/or overseen entities against
advanced cyber attackers, ensuring financial stability. A Threat Led Penetration Test is no compliance exercise, nor is it a “pass or
fail” test.

At the heart of a TLPT is collaboration between entity, Threat Intelligence service provider, Red Team service provider and authority; evidence in the form of results of controlled real-life attacks; and learning and improvement by replay and remediation planning.

TLPTs are executed on live production systems and are intelligence-led to emulate advanced attackers. In most cases, authorities closely follow the TLPTs, performed under the responsibility of the tested entity by external, independent third-party providers (Threat Intelligence (TI) & Red Team (RT) providers).

To mimic a real-life attack, the entity’s defensive teams and staff should have no knowledge of the test being prepared and/or executed. Secrecy - until the test is completed - is of utmost importance.

Using external third-party providers for Threat Intelligence and Red Teaming services is important, to ensure test quality and integrity.

TLPT tests are highly intrusive and often managers feel their reputation is at stake.

It cannot be repeated enough that a TLPT is not a pass or fail test, and the learning and evolving experience is one of its key objectives. There is a risk that making use of internal threat intelligence capacity and Red Teams results in less challenging threat intelligence and - consequently - in less far-reaching attack scenarios.

External TI and RT providers are specialists, with broad experience of other clients, in and outside the financial sector. This ensures the designed attack scenarios are not only scenarios which have already been played out by real attackers, but also new scenarios which could be expected to be deployed in the near future.

A TLPT harbours elements of risk for all parties, owing to the criticality of the target systems, the people and the processes involved in the tests. The possibility of causing a Denial-of-Service incident, an unexpected system crash, damage to critical live production systems, or the loss, modification or disclosure of data, highlights the need for active and robust risk management.

The entity is responsible for implementing appropriate controls, processes and procedures to ensure the test is carried out with sufficient assurances for all stakeholders that risks will be identified, analysed and mitigated according to best practices in risk management.

Obviously, this includes applying minimum quality requirements with regard to the external TI and RT providers.37

37 See TIBER-EU FRAMEWORK - How to implement the European framework for Threat Intelligence-based Ethical Red Teaming (europa.eu) (Chapter 6 Risk Management / ECB, May 2018).

3.3 The Different Phases in a Threat Led Penetration Test

A typical Threat Led Penetration Test has four phases.

Depending on the involvement of the respective authorities and the applicable TLPT framework, the TLPT process can start with a Generic Threat Landscape (GTL) phase.

The GTL phase involves a generic assessment of the national financial sector threat landscape, outlining the specific roles of the entities (e.g. investment banks, commercial banks, payment systems, central counter-parties and exchanges), and identifying the relevant threat actors for the sector and the TTPs used in the attacks.

The GTL will link these threat actors and the TTPs to specific entities within the sector and can be used as a basis for later attack scenario development.

The GTL may be validated and reviewed by the relevant national intelligence agency if possible and updated on an ongoing basis as new threat actors and TTPs emerge and pose a risk to the respective financial sector.

During the preparation phase, engagement for the TLPT is formally launched. The teams responsible for managing the test are established; the scope of the test is determined, approved and attested to by the entity’s board, and validated by the relevant authorities; and the TI and RT providers are procured to carry out the test.

The testing phase includes threat intelligence and Red Teaming. During this phase, the procured TI provider prepares a Targeted Threat Intelligence Report (TTI Report) on the entity, providing a bespoke threat assessment, setting out threat scenarios for the test and providing detailed reconnaissance information on the entity (such as its digital footprint, perimeter and the people, processes and technologies that could be exploited), on the basis of which the Red Team (RT) provider will start its work.

Here, the TI provider works closely with the RT provider. Work on the Targeted Threat Intelligence from the TI provider and active reconnaissance work by the RT provider overlap, with the GTL being used as input, if available.

The TTI Report and findings from the active reconnaissance work will be used by the RT provider to develop specific attack scenarios and to execute an Intelligence-Led Red Team test on specified critical live production systems, people and processes that underpin the entity’s critical functions.

During the closure phase, the RT provider drafts a Red Team Test Report, which should include details of the testing approach and findings and observations from the test. Where necessary, the report will include advice on areas for improvement in terms of technical controls, policies and procedures, and education and awareness. The main stakeholders will now be aware of the test and should replay the executed scenarios and discuss the issues uncovered during the test.

The entity should take on board the findings and then agree a Remediation Plan in close consultation with the supervisor and/or overseer. Finally, the process of the test will be reviewed and discussed.

To develop and execute possible threat scenarios, TI and RT providers not only need to be experts in their respective fields, they also need to have the right collaborative mindset and willingness to work closely together - and with the entity - while preparing and executing the TLPT.

It’s not the purpose of this paper to discuss the details of different TLPT frameworks in-depth. We recommend referring to the respective frameworks mentioned earlier in this chapter.

Figure 4: Typical TLPT process from start to finish (timings indicate time span, not person-weeks, and can partly overlap in practice)
Generic Threat Landscape Phase
Preparation Phase: Engagement, Scoping & Procurement (4-8 weeks)
Testing Phase: Gathering Targeted Threat Intelligence (6-8 weeks); Attack Execution / Red Teaming (12 weeks)
Closure Phase: Reporting and Remediation Planning (2-4 weeks); Replay Attacks (1 week)

4.0 Threat Intelligence & Red Team Service Providers: Trust & Assurance

4.1 Threat Intelligence Service Providers

Threat Led Penetration Tests harbour elements of risk for all parties owing to the criticality of the target systems, the people and
processes involved in the test. The possibility of causing a Denial-of-Service incident, an unexpected system crash, damage to critical
live production systems, or the loss, modification or disclosure of data highlights the need for active and robust risk management.38

One element of an active and robust risk management is the quality of the Threat Intelligence and Red Team service providers and their respective personnel. A careful selection process is crucial to the success of a TLPT and for the continuity of the entity.

This is easier said than done. The lack of barriers to forming a cyber security company, combined with mushrooming demand for cyber services, means more and more start-ups have been formed recently. It can be difficult to ascertain the professionalism of such companies.

So, Threat Intelligence and Red Team service providers should be selected according to some guiding principles and criteria.

Firstly, there is the reputation, history and ethical conduct of the TI and RT provider. Have they successfully completed other TLPTs, are references available and do they understand the legal and ethical challenges which come with a TLPT?

Secondly, it is important that a TI or RT provider gives high priority to their own governance, security and risk management, and applies the same high standards to TLPT activities.

Thirdly, what about staff competence?39 Even if a service provider is able “to tick all the boxes” with regard to the above-mentioned principles and criteria, if it lacks competent staff, it will not be able to provide the procured services at the required (high) quality level.

A financial entity - and its respective authority - can check a service provider’s reputation with ease by making enquiries among those which have already undergone a TLPT. But ascertaining ethical conduct, risk management and quality of staff, for example, is more challenging. CREST (The Council of Registered Ethical Security Testers) - as a neutral, not-for-profit organisation - has stepped into this void and offers industry-recognised accreditation services for TI and RT service providers and certification services for their staff, the cyber security professionals.

38 See TIBER-EU Framework (Chapter 6, Risk management for TIBER-EU tests).
39 There are more criteria which define the choice for a TI or RT service provider. For a more complete overview, refer to, for example, the TIBER-EU Framework Services Procurement Guidelines.

TI and RT service providers can obtain company accreditation by CREST if they are able to prove compliance in four areas:

• Company operating procedures and standards
• Personnel security and development
• Approach to testing and response, and
• Data security.

Individual staff can have their qualifications, experience and competencies certified by CREST, after having successfully passed an exam in their field of expertise, such as penetration testing, threat intelligence, incident response or security architecture. CREST does not provide any cyber security services itself, nor does it provide training to individuals. By doing so, it has no conflict of interest and is not in competition with cyber security companies. From this neutral position, it builds trust in the digital world by raising professional standards and delivering measurable quality assurance for the global cyber security industry.40

By expressing the expectation that TI and RT service providers have CREST accreditation and cyber security professionals have CREST certification, a financial authority can contribute to a more mature market for cyber security services in its respective jurisdiction, benefiting all.

40 See for more information on CREST: www.crest-approved.org.

5.0 Considerations for Authorities

5.1 TLPT: Some Practical Considerations for Authorities

As indicated earlier, Threat Led Penetration Testing is especially suited for entities which play a key role in the financial system and/
or real economy41 and have already reached a certain level of cyber resilience maturity. This is not the whole story, however. Threat Led
Penetration Testing is not only challenging for financial entities, but it also requires a certain level of cyber maturity from the authority in
charge and of the cyber security service industry in the country or region.

Research shows that cyber security service provision is at relatively low maturity levels in several developing countries.42

If authorities pursue a policy to have financial entities tested according to the respective Threat Led Penetration Testing Frameworks, they have to consider the possible capacity and quality restrictions of local cyber security service providers and consider options to catalyse development of the market for cyber security services.

This includes an expectation that cyber security service providers and professionals meet objectively set minimum quality and conduct standards (for example, as set by CREST).

Given these three restrictions (cyber mature organisations only, capacity limitations at the authority, and capacity and quality limitations in the cyber security services market), within a jurisdiction, the central bank and - if applicable - the supervisory authority need to agree on which entities should participate in any TLPT programme. The authorities need to decide whether a financial entity’s participation in a TLPT programme is voluntary, or whether it is a supervisory obligation.

If there are authorities involved other than the central bank, it needs to be established which authority carries main responsibility for rolling out and executing the TLPT programme. Practice has shown in most cases this falls on the central bank.

Assuming the central bank is the authority in charge, it must invest in a dedicated team, headed by a senior manager, which must closely monitor each test process to ensure tests are performed according to the applicable testing framework and that Threat Intelligence and Red Team service providers meet the required quality criteria.

Ideally, to avoid supervisory judgement during the test process and the test becoming a mere compliance exercise, this team must sit at arm’s length from the supervisory and oversight functions to ensure a smooth test process. As long as supervisors and overseers are involved in the scoping at the beginning and will receive the entity’s remediation plan at the end of the test process, their responsibilities are well taken care of.

41 Operational failure of such entities can negatively impact financial stability and could also include third-party critical service providers, especially if these third-party providers are part of the supply chain of several financial entities.
42 See the outcome of the CMAGE study (Cyber security Maturity Assessment of the Global Ecosystem) as performed by CREST.

Such an approach could be challenging for a central bank with limited resources. Therefore, a central bank can make the deliberate choice of being less involved in the daily monitoring of the test process, leaving it to the financial entity to ensure that a real independent and challenging Threat Intelligence Led Penetration Test is performed, without cutting corners.

Following this route, each central bank has to find for itself a balance between daily involvement in the test process and no involvement, keeping in mind also that lesser involvement could endanger the quality and credibility of the test - and therefore recognition of the test results by authorities from other jurisdictions.

This could possibly result in the need for the entity to duplicate tests. Also, no involvement in the test process could deprive authorities of the ability to extract overarching, thematic findings from these tests, preventing shared learning.

Given the sensitive nature of Threat Led Penetration Testing, decisions on TLPT programme adoption, financial entity identification and responsibility should be taken by the authorities' board and communicated to the financial entity's board.

To smooth this process, a pilot test on a volunteering entity could be conducted first, setting an example for other entities to follow.

One thing all TLPT frameworks have in common is that responsibility for overall planning and management of testing lies with the entity being tested, not with the authorities. The entity must ensure all risk management controls are in place to facilitate a controlled test.

Once the decision has been made to set up a TLPT programme, the authority must draft its own TLPT framework implementation guide. There is no need to reinvent the wheel, as different Threat Led Penetration Testing frameworks have been developed and implemented by several authorities in Europe and Asia.

While these TLPT frameworks all have their similarities, they all differ in detail due to differences in financial sector set-up, in mandates of authorities, and in regulatory and legal requirements. Therefore, while drafting a TLPT framework implementation guide, it is worth a central bank staying close to proven TLPT frameworks, but tailoring these to the unique needs of its own financial sector.43

43 The TIBER-EU framework provides a good benchmark and can also be used freely by authorities outside the EU. While each implementation of TIBER-EU must ensure that all the core foundational concepts and approaches are adopted and implemented, each jurisdiction is free to adopt and implement further optional elements at its own discretion. Next to that, due to its comprehensiveness, the CBEST Implementation Guide is worth assessing (CBEST Threat Intelligence-Led Assessments - January 2021 (bankofengland.co.uk)).


Setting up and running a TLPT programme is a long-lasting endeavour for the authority and requires appropriate resources and management attention. Depending on the size of the financial sector, it will take time before all identified entities have gone through an Intelligence-Led Red Team test.

We know the tests themselves take time, but there are also capacity constraints at the authority and a limited number of service providers qualified to do these kinds of tests - which means not too many tests can take place at the same time.

As we have said, Threat Led Penetration Testing is about learning and evolving, and is not meant to be a one-off exercise. Regardless of the successful implementation of a remediation plan, the organisational and IT structure supporting an entity's critical functions, systems and assets is subject to constant change. At the same time, the capabilities of threat actors are further evolving. Testing at regular intervals is, therefore, a necessity.44

Finally, authorities pursuing a Threat Led Penetration Testing programme will help improve the cyber resilience of the most critical financial entities. Pursuing a TLPT programme will also contribute to maturation of the local market for cyber security services, benefiting other non-critical companies and society at large as well.

For the sake of common interest, achieving this objective requires close and constructive collaboration between all parties, private and public.

44 As an indication, intervals of 3 years could be considered as appropriate.

From the Author

With a background of more than 25 years in public service, Wiebe Ruttenberg joined SecAlliance as Director of Strategy in August 2021.

Prior to this he worked in senior policy roles at the European Central Bank (ECB), first as Head of the Market Integration Division (2006 – 2015) and finally as programme director focusing on technological innovation and cyber resilience across the financial sector (2016 – 2021).

In his latter position, he chaired the ESCB Task Force on Cyber Resilience Strategy for Financial Market Infrastructures, managed the Secretariat of the Euro Cyber Resilience Board and was a member of the European Systemic Cyber Group of the European Systemic Risk Board.

The European cyber testing programme TIBER-EU and the European Cyber Information and Intelligence Sharing Initiative (CIISI-EU) were developed and rolled out under his responsibility.

Before joining the ECB in 2006, he worked in senior roles at De Nederlandsche Bank and the Dutch Ministry of Finance.

