The CRST or Cyber Resilience Stress Test is an annual test supervised directly by the ECB.
In this short article, we will apply a "light" version of the Zachman Framework in order to easily and quickly answer our simplest questions about CRST 2024.
As we know, the Zachman Framework is an enterprise architecture framework based on trying to answer simple questions like “What”, “Who”, “How”, “When” and “Why”.
As mentioned, if we apply our "simplified" version of the Zachman Framework to the Cyber Resilience Stress Test 2024 we can immediately and easily describe the essence of the CRST 2024; in particular:
In "What" the Cyber Resilience Stress Test 2024 consists.
The Stakeholders (therefore "Who") with whom we must interface
The timing (therefore "When") expected for the Cyber Resilience Stress Test 2024
And finally “How” i.e. the technologies and methodologies involved in the CSRT 2024
Let's get into more details.
CRST 2024: “What?”
Every year the ECB (European Central Bank) subjects a certain number of banks spread across the European Union to the so-called Cyber Resilience Stress Test or CRST. This year the total number of banks selected is 109. Of these 109 banks, 28 of them will be subject to particularly in-depth "resilience" tests compared to the other 81 remaining banks.
The objective of CRST 2024 is to verify and evaluate the operational resilience of the "core banking systems" of the banks under examination.
The CRST will be a sort of Tabletop exercise, based on a long questionnaire (around 478 questions) where "attack scenarios" will be presented. The security teams will have to respond to these scenarios on the basis of the internal procedures provided, providing, where possible, "evidence" of what has been stated.
CRST 2024: “Who?”
Now we deal with "Who" i.e. the Stakeholders of the CRST 2024. Previously, for ease of expression, an inaccuracy was stated regarding "who" was the supervisor of the CRST. In fact, we stated that the supervisor was a single entity, namely the ECB. It is not true. The matter is more complex because there are multiple stakeholders.
At a high level, we could say, without fear of contradiction, that the supervisor is the so-called ESFS (European System of Financial Supervision). The ESFS is a "network" of entities, that is specifically centered on three European Supervisory Authorities (ESAs), the European Systemic Risk Board, and the National Supervisors (the national central banks).
Therefore, the ESFS, specifically, is made up of.
The three ESAs are:
European Banking Authority (EBA)
European Insurance and Occupational Pensions Authority (EIOPA)
European Securities and Markets Authority (ESMA)
The European Systemic Risk Board (ESRB).
And the National Supervisors. In reality, once again, the thing is more complex because we should talk about the Single Supervisory Mechanism (SSM). The SSM is in turn composed of two fundamental entities; in particular:
European Central Bank (ECB)
And finally the 21 National Supervisors (the various central banks of the individual member countries)
Regarding the Cyber Resilience Stress Test 2024, the following are of particular importance:
EBA (European Banking Authority) which provides the methodologies in addition to the so-called SREP (Supervisory Review and Evaluation Process);
the European Systemic Risk Board (ESRB) which is responsible for defining the cyber attack scenarios to which the 109 banks are called upon to respond;
And obviously, the ECB which acts as a glue between the first two (EBA and ESRB).
CRST 2024: “When?”
The diagram shown above comes from a KPMG article in German. I am only limited to translating this diagram into English. Thanks Google Translate!
Thanks to the figure above we can answer our "When" questions.
First of all, we must say that the Cyber Resilience Stress Test 2024 is structured in two phases; they are:
Simplified approach
Extended approach.
The simplified approach lasts approximately 2 months, it formally started on 2 January 2024 and will end on 29 February 2024. During this phase, the security teams of the respective banks will have to respond to the questionnaires that the ECB has submitted to them.
The extended approach takes up the scenarios described in the questionnaires and essentially takes into consideration the IT recovery tests of the controlled banks. Finally, an Internal Audit of the 2nd line of defense follows. The expanded approach will begin immediately after the simplified approach and will end by approximately April 30, 2024.
The CSRT 2024 will end on June 30, 2024, with the drafting of the SREP (Supervisory Review and Evaluation Process) and the understanding of the fundamental "Lessons Learned".
CRST 2024: “How?”
Finally, this section deals with the "How" in the sense of identifying the IT domains subject to CRST 2024 verification. They are:
IT Service Continuity Management
Business Continuity Management
Information Security Management System
Financial Controlling
Risk Management
It goes without saying that the "fulcrum" of CRST 2024 is undoubtedly BCM (Business Continuity Management), which will have to be mapped within ISO 22301.
As always happens, the lessons learned will offer banks the opportunity to understand any vulnerabilities present within their Contingency Planning.
Always keeping in mind what the OWASP Top 10 of 2021 tells us
After over 30 years of experience in the IT/OT field, I would put: "Insecure Design" in first place (and not fourth). Interdisciplinary Risk Management is the key.
CRST 2024 & Coriacea
Coriacea will be happy to offer its consultancy service in the IT/OT Security Strategy field. Contacts.