Ethical hacking strengthens resilience to cyber attacks

The Federal Ministry of Finance and the German Bundesbank have decided to implement TIBER-DE, a new programme that will strengthen the resilience of the entire financial system to cyber attacks.

The financial system is particularly exposed to cyber risks due to its key importance for society and the real economy, its high degree of interconnectedness, and its extensive use of information technology.

Bundesbank Executive Board member Burkhard Balz stated: “Cyber risks pose a constantly evolving threat to the financial sector. For this reason we need innovative systems such as TIBER to effectively counteract such threats.”

Jörg Kukies, State Secretary at the Federal Ministry of Finance, commented: “I would very much like to see at least the largest financial institutions in Germany conducting a TIBER test in the near future.”

The Bundesbank created TIBER-DE as a national version of the EU’s framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), which was created by the central banks of the European System of Central Banks. The TIBER-DE framework was developed together with the Federal Financial Supervisory Authority (BaFin) and the Federal Office for Information Security (BSI). Banks, insurance companies, financial market infrastructures and their most important service providers can use TIBER-DE to test their resilience against cyber attacks. Under the coordination of the Bundesbank, businesses interested in testing their systems hire ethical hackers to try to breach their security mechanisms and penetrate their information systems. These businesses can then close the vulnerabilities in their security systems and take preventive measures against actual hacking. The coordination centre at the Bundesbank is managed by a steering committee that also includes representatives from the Federal Financial Supervisory Authority.

These TIBER tests are also being used in other EU member states and are recognised by other countries. Participation in TIBER tests is not yet mandatory in Germany. However, it is in the interests of banks, insurance companies, and financial market infrastructures and their most important service providers to conduct TIBER tests, in order to strengthen and continually improve their cyber defences.