CBEST Penetration Testing


KPMG delivers bespoke, intelligence-led cyber security tests with actionable findings which enable our clients to improve their defence capabilities.

Matthew Martindale - Partner, Cyber Security in Financial Services - KPMG UK


1. What exactly is CBEST?  

2. Why should the top 100 FCA regulated firms be thinking about CBEST?

3. How does CBEST link to cyber-operational resilience? 

4. What is the CBEST process? 

5. Common CBEST myths – debunked 

6. How can firms be proactive about CBEST?

7. What sets KPMG apart? 

1. What exactly is CBEST? 

CBEST is intelligence led and bespoke security testing – a “red team” conducted via a regulator driven formal process. CBEST is not a simple ‘pass’ or ‘fail’ type test – rather it is a method of gathering hard and objective data points on firms’ cyber defence capability which the regulator can then use to form its opinion and track maturity improvement. 

2. Why should the top 100 FCA regulated firms be thinking about CBEST?

Like it or not, CBEST is on the regulatory horizon of all the top 100 FCA regulated firms. Firms need to show that they have adequate capability to withstand the threats they face. To most firms, this means sophisticated organised cyber-crime. CBEST is inevitable and it makes sense to get ahead of the regulatory curve – no one wants someone else to drive the assessment and remediation timetable.

3. How does CBEST link to cyber-operational resilience? 

Operational Resilience has become a key area of focus for both the PRA and the FCA. It follows the introduction of the Chief Operations Function (i.e. SMF24), which is responsible for managing and ensuring the operational continuity and resilience of the firm's internal operations. This includes the firm's systems and technology.

As part of cyber-operational resilience, firms must consider every aspect of the business services connected to corporate networks, from staff to third party suppliers. This needs to be viewed through an ‘operational resilience’ lens, with a view to protecting both financial stability and consumers when, not if, the firm comes under cyber-attack.

The scope identification for CBEST involves the most critical systems which, if disrupted or inappropriately accessed, would have a critical business impact. Firms which are unable to readily identify their critical systems are unlikely to have done enough work on operational resilience. 

A CBEST assessment is a good tool to test operational resilience – firms that can withstand a simulated, targeted attack are more likely to be able to handle other disruptions such as general IT failures. 

4. What is the CBEST process? 

The process has three key phases: 

i. Threat assessment. A threat intelligence provider will provide a broad overview of the threat landscape specific to the firm. This will include extensive data and metadata artefacts from a variety of sources. At the end of this stage the firm will be provided with a threat intelligence report. 

ii. Penetration testing. A penetration testing provider will execute a cyber-attack chain end-to-end, so that the firm can understand at which points attackers may be detected and/or stopped. This will model actual threats faced by the firm. At the end of this stage the firm will be provided with a penetration testing report (detailing the approach taken, the testing results, and any areas for improvement) and a current maturity report (to generate KPIs for the firm and the regulator). 

iii. Improvement roadmap development and execution. The firm may wish to develop and execute a roadmap to improve its cyber security posture. The firm will be provided with an improvement plan report which includes responsibilities, agreed actions and timelines.

5. Common CBEST myths – debunked 

CBEST is just another penetration test. CBEST is intelligence led, bespoke and adapts to the reality of changing threats. By tailoring the approach, a more realistic understanding of an entity’s capability is developed than through traditional penetration testing. Its foundation on current intelligence provided by Government and commercial experts allows CBEST to remain up-to-date with the threats it’s simulating.

CBEST is unsafe. Firms lacking experience of comprehensive “red teaming” are often concerned about the operational impact of testing. All CBEST security testing and threat intelligence providers are evaluated by the Bank of England and the Council for Registered Ethical Security Testers (CREST), the main security testing industry body. These accreditation standards include audits of CBEST testing providers, as well as the signing of a Code of Conduct by all participating testing providers.

A significant part of preparatory work is to design a robust testing and contingency plan to minimise any adverse impact. Communications channels are kept open during the entire testing phase and mitigations are documented for any serious concerns. While this does not guarantee that there will be no disruptions, it comes very close to it. 

Third parties are out of scope. The regulators’ view is that firms cannot “outsource” risk to third parties such as IT managed service providers (‘MSPs’). If an MSP provides materially significant services, the MSP’s own organisation can fall into the scope of CBEST as well. This is a thorny issue with MSPs, who are concerned both about the impact on their other customers and that they will have to remediate any findings at their own cost. It is prudent to review the robustness of the “right to audit” clauses in MSP contracts.

It’s in public cloud, we can’t possibly test it. The largest public cloud providers, Amazon Web Services and Microsoft Azure, are of particular interest to regulators due to concentration risk. There are limited opportunities for firms to independently audit these cloud providers – it is often a “rely on our compliance programs or take your business elsewhere” type of arrangement. Therefore, regulators conduct special reviews of these cloud providers. However, anything that is in the firm’s control – all the service configurations and virtual machines in the cloud – falls fully within the scope of testing.

It is not a board level agenda item. The systems in scope for CBEST and the general rules of engagement will have to be signed off by the Chief Operations Senior Management Function (SMF24). This means that the firm’s senior managers will have to be comfortable that all relevant critical business processes and systems are in scope and that their teams will engage appropriately with the process.

CBEST is just another piece of regulation to comply with. By its nature, CBEST provides organisations with a bespoke insight into the threats they face. We’re seeing many of our clients expressing a desire to get ahead of the curve and undergo a CBEST in advance of the regulator instructing them to do so. 

6. How can firms be proactive about CBEST? 

There are several things that you can do to prepare for a CBEST: 

i. Engage your firm leadership. You need to engage your firm leadership to ensure buy-in to the overall cyber-resilience strategy and direction. 

ii. Analyse your critical assets and threats. Perform your own assessment of which assets are business-critical and which key threats you face. 

iii. Assess your security posture. There is no good business reason to wait to find out what the likely results of a CBEST test will be. A CBEST-type assessment, a review of cyber defence capabilities, and focused cyber-maturity assessments are all good tools for gaining insight into key control gaps.

iv. Engage your managed service providers and third parties. Material managed service providers and third parties are likely to fall into scope of a CBEST assessment; having conversations and re-examining contracts early will give enough time to address concerns. 

7. What sets KPMG apart? 

Full breadth of services. KPMG’s service offering will help you across the entirety of your security maturity journey: we help clients identify issues, fix issues and, if required, help run security. Engage us before regulators ask for CBEST testing to get ahead of the curve.

We know how to execute. KPMG works closely with threat intelligence providers, the National Cyber Security Centre and clients to develop threat scenarios that are realistic, current and actionable. 

We know the threat actors. We can incorporate and use the same tools, techniques and procedures (down to running the same commands) as Advanced Persistent Threat groups, allowing us to develop scenarios that reflect real world threat actors. We can therefore push the boundaries of security testing. 

We know financial services. Our financial services experience has given us intimate familiarity with the UK finance system, including CHAPS, BACS, Faster Payments and SWIFT, along with the mainframes and message queues that support them.

Quality of reporting. KPMG reports clear business issues and recommendations which are practical and actionable. 

© 2021 KPMG LLP a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organisation please visit https://home.kpmg/governance.
