When it comes to safeguarding the cybersecurity landscape of the United Kingdom, the CBEST framework plays a crucial role. Critical National Infrastructure Banking Supervision and Evaluation Testing, or CBEST for short, is an intelligence-led testing framework that aids financial institutions in understanding the potential impact of cyberattacks. This article explores the framework, how it originated, who adheres to it and why, and finally what are the business benefits of adherence.
What Is the CBEST Framework?
The CBEST framework is a structured set of cybersecurity guidelines and tests, designed to identify vulnerabilities in cybersecurity systems. Initiated by the Bank of England (BoE), CBEST is the first of its kind to leverage threat intelligence and penetration testing to understand the cyber threats facing systemically important financial institutions in the U.K. The aim of the CBEST framework is to improve the cybersecurity posture of these institutions, enabling them to effectively manage and mitigate potential cyber threats.
CBEST assessments are not obligatory but are strongly recommended for entities that form a crucial part of the U.K.’s financial services sector. The framework provides a standardized approach to identify, assess, and manage cyber risk, which in turn contributes to the overall operational resilience of institutions.
The Origin of the CBEST Framework
The CBEST framework was launched in 2014 by the Bank of England, in partnership with the U.K. government and the financial industry’s CISP (Cyber-security Information Sharing Partnership). The urgency to develop such a framework was driven by the continuous rise in sophisticated cyberattacks targeting financial institutions. The aim was to establish a set of procedures and practices that would help these institutions understand their vulnerabilities, prepare for potential cyber threats, and respond effectively to any incidents.
The CBEST framework was unique and groundbreaking in its intelligence-led approach. It was the first cybersecurity testing program to replicate behaviors of actual threat actors, based on current threat intelligence. This marked a shift from traditional compliance-based assessments and contributed to a more robust and resilient financial sector in the U.K.
Who Needs to Adhere to the CBEST Framework?
Even though CBEST testing was developed with financial institutions in mind, it isn’t exclusively confined to the banking sector. Any organization that forms a critical part of the U.K.’s financial services infrastructure is a potential candidate for CBEST testing. This includes banks, insurers, major investment companies, financial market infrastructures, and even the key suppliers to these firms.
However, despite the clear benefits of a CBEST assessment, it’s important to note that these assessments are not mandatory. They are, instead, strongly recommended by regulatory bodies such as the BoE and the Financial Conduct Authority (FCA). The idea here is to encourage these institutions to adopt an intelligence-led approach to cybersecurity in order to safeguard the U.K.’s financial ecosystem from potential cyber threats.
Benefits of Adhering to the CBEST Framework
The CBEST framework provides a host of benefits to organizations and the wider financial sector. First, it emphasizes a proactive approach to cybersecurity, allowing organizations to identify potential vulnerabilities before they can be exploited. This goes a long way in building a robust cybersecurity infrastructure.
Second, CBEST assessments provide valuable insights into an organization’s readiness to respond to real-world cyber threats. This helps institutions prepare for, and effectively manage, potential cyber incidents. Third, the results of a CBEST assessment can inform strategic investment decisions and help senior management understand where resources need to be allocated to improve cybersecurity. Finally, by aligning with CBEST, institutions demonstrate a commitment to cybersecurity, which can enhance confidence among customers, investors, and regulators.
Adopting the CBEST Framework
Adopting the CBEST framework requires a clear understanding of the potential cyber threats an organization might face and the vulnerabilities of its current cyber defenses. Organizations first need to undertake a CBEST threat intelligence assessment. This helps in identifying the most relevant threat actors, their motives, the methods they might use, and their potential impact on the organization’s critical functions.
Following the threat intelligence assessment, a CBEST penetration test should be conducted. This involves simulating a targeted attack on the organization’s most important business functions, using the intelligence gathered in the previous step. The result of this test provides a clear picture of how a real-life cyberattack could impact the organization and identifies areas where cybersecurity controls need to be improved.
The CBEST Assessment Process
The CBEST assessment process is broken down into three main phases: the scoping phase, the testing phase, and the reporting phase. Before the assessment begins, the participating organization, the relevant regulatory authority, and the CBEST accredited service provider collectively decide upon the scope of the test. This includes identifying the critical functions of the business that would likely be targeted in a cyberattack and the potential threat actors who might carry out such an attack.
During the testing phase, red teams—ethical hackers who play the role of the potential threat actors—attempt to breach the organization’s cyber defenses using the same techniques, tactics, and procedures identified in the threat intelligence report. This gives the organization an accurate picture of how they would fare during a real cyberattack. The red team records all their findings throughout the test, which will be included in the final report.
Understanding CBEST’s Role in Regulatory Compliance
While the CBEST framework and assessments are not mandatory, they are strongly recommended by the Bank of England and the Financial Conduct Authority. That said, the results of a CBEST assessment can have regulatory implications. If an organization is found to have significant vulnerabilities during the test, the regulatory body may enforce stricter cybersecurity requirements on it. Therefore, adhering to the CBEST framework can demonstrate to regulators that the organization takes cybersecurity seriously and has taken proactive steps to identify and address its vulnerabilities.
In addition, the CBEST framework is designed to integrate seamlessly with other global cybersecurity standards and regulations like the General Data Protection Regulation (GDPR) and the ISO 27001 information security standard. This adaptability makes it beneficial for organizations that have already achieved compliance with these regulations, as it allows them to leverage their existing cybersecurity processes and protocols to adhere to the CBEST framework without requiring a complete overhaul of their systems.
Implementing the CBEST Framework
Implementing the CBEST framework can be a substantial undertaking, but it is a worthwhile investment. The first step in the process is to engage a CBEST accredited service provider to conduct the threat intelligence assessment and the red teaming test. It’s important to note that these service providers are rigorously vetted by the Bank of England and must demonstrate a high level of competence in cybersecurity testing.
Once the assessments are complete, the organization then needs to act on the findings. This might involve implementing new cybersecurity measures, enhancing existing ones, or providing additional training for staff. The organization will receive help and guidance from the service provider throughout this process.
Post-assessment Actions and Improvements
Upon completion of the assessments, the next crucial step involves the organization taking appropriate action based on the findings. These actions could vary from implementing new cybersecurity measures, enhancing existing ones, or even providing additional training for their staff. The service provider stays involved throughout this vital stage, providing necessary guidance and support to the organization.
Kiteworks Helps U.K. Organizations Protect Sensitive Content in Adherence to the U.K.’s CBEST Framework
For organizations within the U.K.’s financial sector, the CBEST framework serves as an invaluable tool in assessing and strengthening their cybersecurity. It provides deep insights into the cyber threats that these organizations face and measures their preparedness to tackle these threats. While compliance with CBEST assessments is not mandatory, the very act of adhering to the CBEST framework displays an organization’s strong commitment toward cybersecurity. This can, in turn, bolster customer, investor, and regulatory trust. By engaging a CBEST accredited service provider and proactively working on the assessment findings, organizations can significantly fortify their cybersecurity defenses and contribute to enhancing the overall resilience of the U.K.’s financial sector.
The Kiteworks Private Content Network, a FIPS 140-2 Level 1 validated secure file sharing and file transfer platform, consolidates email, file sharing, web forms, SFTP and managed file transfer, so organizations control, protect, and track every file as it enters and exits the organization.
With Kiteworks: control access to sensitive content; protect it when it’s shared externally using automated end-to-end encryption, multi-factor authentication, and security infrastructure integrations; see, track, and report all file activity, namely who sends what to whom, when, and how.
To learn more about Kiteworks, schedule a custom demo today.
Get email updates with our latest blogs news