TIBER-IS
TIBER-IS is a framework for testing cyber security among participants critical to the Icelandic financial system. This framework aims to help the participants to better understand their capacity to manage cyber risks, thus providing a base for strengthening resilience in the Icelandic financial system. TIBER-IS is based on the TIBER-EU framework.
TIBER-EU is a framework developed by the ECB that makes it possible to test, in a standardized way, resilience to cyber risks among players critical to the financial system. The test (known as red team testing) involves the controlled simulation of a cyber attack on an organization’s employees, processes, and technology. The test is not a ‘pass or fail’ test but is aimed at identifying shortcomings so that resilience can then be improved at participating institutions. The focus is on the learning experience of the defending staff of the institutions.
The main aims of TIBER-EU are:
- to strengthen resilience against cyber threats in the financial sector,
- to standardize and harmonize the implementation of so-called red team tests within the EEA, and
- to provide support for cross-border tests.
The Central bank of Iceland decided in February 2023 to adopt the TIBER-EU framework and publish guidelines for the national adaptation of Iceland, TIBER-IS. The Central bank has cooperated with systematically important banks in adapting the framework to the Icelandic market. The implementation guide for TIBER-IS describes the Icelandic adaptation of the TIBER-EU framework.
TIBER-IS is not restricted to testing financial institutions but can be used in all sectors of the society.
SURF
Iceland’s collaborative forum on the operational security of financial market infrastructure, known by the acronym SURF, aims to create a common vision for measures to enhance the resilience of the cyber- and IT systems of important financial infrastructure elements and coordinate measures in case of operational disruptions that could affect financial system security and efficacy; i.e., organise emergency cooperation and joint emergency plans. Particular emphasis is to be placed on shoring up cybersecurity defences and financial system resilience against cyberattacks. In this context, consideration shall be given to the Government’s cybersecurity framework, with reference to possible overlapping, interactions, and views on harmonisation. The forum’s work shall also be guided by the Act on Network and Information Security, no. 78/2019, with which systemically important financial institutions and operators of regulated securities markets and multilateral trading facilities must comply.
Participation in SURF is voluntary. Participants other than the Central Bank include representatives from Arion Bank, the Ministry of Finance and Economic Affairs, Íslandsbanki, the Nasdaq Iceland exchange, Kvika, Landsbankinn, the Nasdaq CSD securities depository, the Computer Emergency Response Team (CERT-IS), and the Icelandic Financial Services Association. It is hoped that SURF’s work will be successful in further bolstering the security of financial market infrastructure and the financial system as a whole in a broad context.