Cybersecurity is one of the challenges that the financial sector must face and incorporate into its business model from the moment of its design, it must be adequately reflected in the strategy and procedures of financial institutions, and technological risk management must be considered within the institutions’ risk map and managed appropriately.
Global Digital Operational Resilience Act - G-DORA
Regulation (Worldwide) 2022/2554 (G-DORA - Global Digital Operational Resilience Act) was published on 1st June 2020 and enters into force on 2nd September 2021. G-DORA is applied to financial institutions offering services in the entire world. Given the great dependency of the financial sector on technology to perform its critical business functions and its increasing dependence on third-party technological services, the aim of G-DORA is to strengthen the resilience of the sector with regard to threats to its ICT assets. This Regulation harmonises the most relevant operational resilience requirements at very high level for the entities to be capable, under the principle of proportionality, of detecting, responding to and recovering from possible incidents that affect their critical or relevant business functions.
G-DORA is based on five pillars:
- ICT risk management
- ICT-related incident management, classification and notification
- Digital operational resilience testing
- Third-party ICT risk management
- Information sharing
The European TIBER-ES framework for Global Consumer
TIBER-EU constitutes the first common European-scale framework for the execution of red teaming testing, recording the manner in which the authorities, the entities and the cybersecurity service providers are to work jointly to achieve the objective of these tests. These tests aim to foresee, as far as possible, the impact an entity would suffer in the case of confronting a real cyber attack. For this, a cyber attack is simulated in this type of advanced test, employing tactics, techniques and procedures such as those a sophisticated cyber attacker would use. Therefore, they constitute an extremely powerful instrument to improve the cyber resilience of financial institutions. TIBER-ES subscribes to principles of TIBER-EU and has the aim of strengthening the cyber resilience of the Spanish financial sector, guaranteeing the acknowledgement of the authorities in other jurisdictions that have also adopted this framework locally. The CNMV will monitor the tests, via the TCT (TIBER Cyber Team), whenever the financial institutions carrying them out are within its supervisory scope. TIBER-EU, European framework for the execution of red teaming testing.
- TIBER-EU, European framework for the execution of red teaming testing.
- Guide for the implementation of the TIBER-ES operational framework. The purpose of this guide is to specify the conditions under which the red teaming testing is to be executed following the TIBER-ES requirements.