CBEST Implementation Guide: What’s New In 2024

CBEST Implementation Guide 2024 Update

As UK financial services firms will know, the Critical National Infrastructure Banking Supervision and Evaluation Testing (CBEST for short) is an intelligence-led security testing framework.

Designed in 2014 by the Bank of England to help financial services firms and financial market infrastructures (FMI) understand their defence capabilities, CBEST involves cyber threat intelligence and attack simulations that mimic the actions of real-world attackers.

For those who have to (or want to) participate in CBEST, the CBEST Implementation Guide covers all aspects of the process.

Recently, the Bank of England Prudential Regulation Authority updated this guide. So, what changed? Luckily, not that much.

The core technical practices remain the same, with a few small (mostly clarifying) additions and a revamped structure.

Read the blog below for a refresher on the overall CBEST process and a quick summary of the changes.


When should CBEST take place?

CBEST can take place when a firm/financial market infrastructure (FMI):

What changed: Previously, the PRA and FCA agreed on a list of organisations to be assessed triannually rather than “regularly.”


Stakeholders

The following stakeholders take part in a CBEST assessment:

What changed: In the previous iteration of the guide, the National Cyber Security Centre (NCSC) was listed among the stakeholders involved in a CBEST assessment and featured more prominently throughout the guide.

Another change in the updated version of the CBEST guide is that there are now nine bullet points (aka responsibilities) instead of eight under the list of CG's responsibilities.

The new 9th bullet point states that CGs need to report to the regulator immediately any “significant concerns” about their project plan (like delays) and the technical execution of threat intelligence and penetration testing phases.

The final bullet point under CG’s list of responsibilities also clarifies that deliverables must be shared with the regulator unredacted (unless otherwise required). The previous iteration of the guide only said deliverables must be shared on a timely basis.

CBEST 2024 Slide01

CBEST timeline

The CBEST process is divided into four phases (more on these below). The different phases usually overlap, but the CBEST Implementation Guide has an indicative timeframe for each one.

Importantly, timeframe indication shouldn’t serve as a pre-set plan so as not to limit the assessment.

What’s changed: The updated version of the guide says the typical CBEST project duration is between 9 and 12 months (9 months in the previous version).


Risk management

It’s up to the CG to ensure the CBEST assessment is conducted in a controlled manner, identify risks, and implement mitigating actions. These mitigating actions also need to be regularly reviewed and updated.

The Penetration Testing (PT) phase specifically needs careful consideration.

The CG can temporarily stop the CBEST assessment if there are concerns over damage or potential damage to a system or if there’s disruption to an important business service (IBS).

Before the CBEST starts, the CG should complete a CBEST risk assessment.

What’s changed: The updated version specifies that the risk assessment process needs to ensure the CG is in technical and operational control during all CBEST phases.

According to the updated guide, your CBEST risk assessment needs to consider external impacts and internal dependencies and assumptions that could impact any of the phases.


CBEST process

There are four phases in a CBEST assessment process:

Phase 1

Also known as the Initiation Phase, this is when the CBEST assessment is launched.

The scope is established, and the firm starts to procure a Threat Intelligence service provider (TISP) and Penetration Testing Service Provider (PTSP).

This phase is further divided into four sub-phases:


What’s changed:
The updated version of the guide adds a new bullet point to the list of things to be discussed by the firm/FMI and the regulator in the Engagement part of phase 1, “Objectives of the CBEST.”

Slide02

Under the legal clauses section (engagement), the updated guide now also states that firms/FMIs need to ensure reports are not redacted unnecessarily.

Phase 2

The Threat Intelligence phase. Threat intelligence deliverables are produced during this phase, and threat scenarios are developed.

The Threat Intelligence phase is further divided into four sub-phases:


What’s changed:
The updated guide highlights the importance of the TISP and PTSP working together. They are both supposed to agree on the scenarios' operationalisation and describe detailed technical outcomes and activities on how threats are emulated and what security controls and capabilities are targeted.

There’s also a new bullet point under the reporting process in the Intelligence phase. This states that the final reports (Threat Intelligence Report and the Targeting Report) can’t be shared beyond the CG within the firm until the CBEST is over.

Slide03

The updated report also no longer mentions NCSC.

Phase 3

The Penetration Testing Phase. The firm’s systems and services are pen tested, and its threat intelligence maturity and detection and response abilities are put to the test.

The Penetration Testing phase is further divided into four sub-phases:

What’s changed: Nothing.

Phase 4

The Closure phase. The firm/FMI drafts and then finalises its Remediation Plan and regulators review its implementation.

The Closure phase is further divided into three sub-phases:

What’s changed: Under the Remediation sub-phase, there’s a new paragraph describing what the final Remediation Plan needs to capture.

Specifically, the firm being tested needs to assess the risk and impact of the technical findings from all phases of CBEST on its business. The plan should also cover who is responsible for remediation and what technical activities have been agreed on. Any lessons learned from CBEST should be used to help figure out if similar problems might exist in other areas that weren't tested.


Post CBEST: Thematic analysis

The regulator produces a periodic thematic report based on all the CBESTs that happened in a particular period. To improve industry-level cyber resilience, an anonymised report is shared with non-CBEST firms/FMIs. Here’s the 2023 CBEST thematic report.


CBEST Red Teaming with SECFORCE

SECFORCE is a CBEST and CREST-approved penetration testing provider.

Contact us today if you’re looking for a reliable partner to help you with your CBEST assessment.

You may also be interested in...

Why Hire a DORA Consultancy Firm?
Feb. 8, 2024

Why Hire a DORA Consultancy Firm?

Compliance expert insights into DORA (Digital Operational Resilience Act) consultancy and the benefits of hiring a dedicated consultancy partner.

See more
Post_Blog_UK
March 12, 2024

7 Facts UK Businesses Must Know About the Digital Operational Resilience Act (DORA)

Does DORA apply to financial organisations within the UK? While short answer might be "no it doesn't", the truth is compliance might be strongly advised.

See more