Critical entities of the financial sector in Luxembourg must be able to adequately resist cyber-attacks in order to ensure their own resilience and thereby contribute to that of the financial sector as a whole. To help achieve this objective, the Banque centrale du Luxembourg (BcL) and the Commission de surveillance du secteur financier (CSSF) decided to jointly adopt the testing framework for controlled cyber-attacks, namely TIBER-LU, in line with their respective financial stability mandates.
TIBER-LU’s adoption follows the publication in May 2018 of the European framework TIBER-EU¹ by the European Central Bank (ECB). The TIBER-EU framework aims at i) testing the resilience of financial markets’ entities, ii) facilitating tests for cross-border entities that are subject to supervision by several authorities, and iii) helping entities to better assess their protection, detection and response capabilities and to fight against cyber-attacks. In this context, the TIBER-EU framework sets out a harmonized European approach for the conduct of threat-led penetration tests that mimic the tactics, techniques and procedures of real-life threat actors and that simulate a cyber-attack on critical functions and underlying systems of an entity.
The TIBER-EU framework, which was designed to be adopted by national and European authorities and for entities that are essential to the functioning of the financial infrastructure, can be used by all types of entities of the financial sector and also by entities of other sectors.
In line with the TIBER-EU framework, each jurisdiction adopts the European framework at national level by adapting its implementation to national specificities.
¹ Threat Intelligence-based Ethical Red Teaming