TIBER-AT

Combating cybersecurity risks through threat-led penetration testing

For financial institutions, mounting defense against cyberattacks and handling cybersecurity risks is a crucial part of managing risk.

Across the EU, the requirements for managing cybersecurity risks in the financial sector have been harmonized with the “Digital Operational Resilience Act” (DORA), which entered into force in early January 2023. From early 2025, the DORA requirements for financial institutions will be mandatory. This includes the requirement to undertake threat-led penetration testing (TLPT) for managing risks and combating cybersecurity risks.

The methodology to be applied for DORA-related TLPT tests in Austria is in line with the TIBER-EU framework.

TIBER-EU – harmonized EU framework for threat-led penetration testing

TIBER-EU is a TLPT framework developed by the European System of Central Banks (ESCB). TIBER is short for “threat intelligence-based ethical red teaming” and focuses on the simulation of real-life cyberattacks.

The TIBER framework provides requirements and cooperation guidelines for authorities, financial institutions and cyberattack specialists with a view to testing and enhancing the cyber resilience of financial institutions through controlled cyberattacks.

TIBER-EU provides for the simulation of real-life attacks of the critical production systems of financial institutions. Therefore, the tests are conducted under strict security provisions. It is up to the tested financial institutions to undertake all necessary measures to ensure that the tests will not create any risks, neither for themselves nor for their clients.

TIBER-AT – national implementation of TIBER-EU

TIBER-AT provides for the national implementation of the TIBER-EU framework in Austria. The national “TIBER-AT Implementation Guide” defines the key elements of TIBER-AT tests and outlines national specifics of implementing TIBER-EU in Austria. This makes it possible to conduct TLPT tests of financial institutions with standardized TIBER-EU procedures.

The TIBER-AT Implementation Guide already broadly reflects the TLPT-related DORA requirements. The TIBER-AT Implementation Guide will be updated toward the end of 2024 to ensure full alignment with the regulatory technical standards for TLPT expected to be published by the European Supervisory Authorities in mid-2024 (Regulation (EU) 2022/2554, article 26(11)).

The OeNB’s TIBER Cyber Team is responsible for implementing TIBER-EU in Austria and accompanies all TIBER-AT tests in cooperation with the FMA. Financial institutions interested in conducting a TIBER-AT test can turn to the OeNB’s TIBER Cyber Team.

Furthermore, the OeNB’s TIBER Cyber Team is responsible for drafting and developing the TIBER-AT Implementation Guide, and it is a member of the ESCB TIBER-EU Knowledge Centre, which drafts and develops the European framework at the EU level.