Combating cybercrime: sharing information and intelligence as the first line of defence
To counter cyber risks in the financial sector, financial infrastructures, public authorities, banks and other key players, such as critical service providers, should have effective cyber threat intelligence processes in place. All potentially affected entities should actively participate in information and intelligence sharing arrangements and collaborate with trusted stakeholders within the industry.
Cyber threats are borderless and the capabilities of the adversaries are constantly evolving, readily scalable and increasingly sophisticated, threatening to disrupt interconnected global financial systems. Threat actors are highly motivated, can be persistent, and use a variety of tactics, techniques and procedures to compromise systems, disrupt services, commit financial fraud, and expose or steal intellectual property and other sensitive information.
Exchanging cyber information and intelligence among peers within a trusted community that includes major financial infrastructures allows members of that community to leverage their collective knowledge, experience and capabilities to address the threats they may face. It enables them to make informed decisions about their defensive capabilities, threat detection techniques and mitigation strategies. By sharing cyber information and intelligence, financial infrastructures act in the public interest to support the safe and sound operation of the entire financial system.
What is the Cyber Information and Intelligence Sharing Initiative (CIISI-EU)?
To facilitate the systematic and structured sharing of vital strategic, operational and tactical cyber information and intelligence, the members of the Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB) created the Cyber Information and Intelligence Sharing Initiative (CIISI-EU). This is a multilateral initiative which brings together a community of public and private entities.
Cyber information and best practices are shared among the members via technical platforms, calls and in-person meetings based on commonly agreed taxonomies and sharing conventions. CIISI-EU comprises a number of integrated core building blocks, which are bound together by a common CIISI-EU Terms of Reference and Community Rulebook to ensure that members can collaborate in a coherent and effective manner.
The core objectives of CIISI-EU are to protect the financial system by preventing, detecting and responding to cyberattacks and to raise awareness of cybersecurity threats.
The CIISI-EU community comprises pan-European financial infrastructures, central banks (in their operational capacity), critical service providers, the European Union Agency for Cyber Security (ENISA) and Europol. Although the CIISI-EU community is a closed community, the goal is that the philosophy and design of this initiative can be a source of inspiration for other communities and stakeholders, both within and outside the financial sector and within and outside Europe.
CIISI-EU is a market-driven initiative, driven by the market for the market, with the ECB performing a catalyst function. Authorities in their capacity as regulators, overseers and/or supervisors are not part of the CIISI-EU community and regulatory reporting on cyber incidents and data breaches is outside the scope of the information and intelligence sharing within the CIISI-EU community.
Documentation and guidance
The CIISI-EU initiative is further explained in a set of documents that provide insights into the main building blocks, the protocols used and the roles and responsibilities of the respective CIISI-EU members. They also provide an overview of the different stages of the initiative, i.e. design, implementation and operationalisation.
The purpose of these documents is to provide overarching guidance, structure and inspiration to other entities, communities, sectors and jurisdictions, who may consider building their own cyber information and intelligence sharing initiative, in a flexible manner that suits their own specificities. CIISI-EU is an evolving initiative, and will be enhanced over time as its members foster trust and collaboration and share common experiences.
CIISI-EU: from theory to practice
The target operating model of CIISI-EU comprises a number of core building blocks:
- Threat intelligence (TI) feeds: Community members keep their existing TI feeds. If information from these sources is relevant for the full community, members can share it voluntarily and on a best efforts basis to the extent legally and contractually possible.
- Central shared platform: An open-source threat intelligence platform is used for sharing cyber security information. The platform ensures that members operate as a closed and trusted group. For CIISI-EU, the platform selected for sharing cyber security information is MISP, which is funded by the Computer Incident Response Center Luxembourg (CIRCL) and the European Union.
- Information and intelligence sharing: Community members elect what information or intelligence is important enough to warrant disseminating on the shared platform.
- Strategic analysis: The third-party cyber threat intelligence provider will have access to the centralised platform and will add value through the synthesis of strategic analysis based on the collective tactical and operational intelligence being shared on the platform and based on its own knowledge of the cybersecurity threat landscape.
- Reporting: The third-party cyber threat intelligence provider will produce strategic intelligence, monthly dashboards and bi-annual reports, the latter focused at board level. The strategic reports will typically cover monthly threat assessments, strategic intelligence updates by threat actor and significant global cyber events of relevance to the financial system.
- Alert notifications: A community alert mechanism will be created. The notifications will alert the community to new information and intelligence placed on the platform which may be critical to their operations.
- Trusted group calls/meetings: A core element of the initiative is the trusted group calls and in-person meetings. Calls and meetings will be held on a regular basis with community members and the third-party cyber threat intelligence provider to share intelligence and foster trust within the community.
If you have any further queries about CIISI-EU, you may contact the ECRB secretariat by email at ECRB@ecb.europa.eu
This initiative brings together, among others, the following central banks, clearing houses, stock exchanges, payment system providers and law enforcement agencies:
- Banca d’Italia
- Banco de España
- Banque centrale du Luxembourg
- Banque de France
- Bolsas Mercados Españoles (BME)
- CLS Bank International
- Danmarks Nationalbank
- De Nederlandsche Bank
- Deutsche Börse Group
- Deutsche Bundesbank
- EBA Clearing
- European Central Bank
- European Central Counterparty N.V.
- Krajowy Depozyt Papierów Wartościowych/the Central Securities Depository of Poland
- London Stock Exchange Group (on behalf of LCH and Monte Titoli)
- Mastercard Europe SA
- Nasdaq Nordic (on behalf of Nasdaq Clearing and Nordic Exchanges)
- Nationale Bank van België/Banque nationale de Belgique
- TARGET Services
- Visa Europe