CBEST Threat Intelligence-Led Assessments

Implementation Guide for CBEST participants


Increasing digitalisation and technological innovation are driving change across the financial sector. While this can lead to growth through new business models, it can also carry information and cybersecurity risks.

In this dynamic environment, financial institutions are required to continuously adapt and become resilient by design. This means anticipating, withstanding and absorbing the impacts from disruptions to important business services, including from cyber-attacks.

Cyber resilience is fundamental to a firm’s operational resilience. Disruptions from cyber-attacks can impact financial stability, cause intolerable harm to consumers or other market participants, or disrupt market confidence. It is a key priority of the regulators to promote the operational and cyber resilience of firms and financial market infrastructures (FMIs) to ensure they can continue to deliver their important business services during severe (extreme for FMIs) but plausible scenarios.footnote [1]

Cyber risk is complex, attackers are motivated and dynamic, changing and evolving their techniques. Financial institutions are required to test and exercise to understand cyber threats and their potential exposure.

Since 2014, CBEST has been an important part of the Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) (together, the ‘regulators’) collective supervisory toolkit to assess the cyber resilience of firms and FMIs.

CBEST is a targeted assessment that allows regulators and firms to better understand weaknesses and vulnerabilities and take remedial actions, thereby improving the resilience of systemically important firms and by extension, the wider financial system. In line with the growth of threat-led penetration testing frameworks around the world, CBEST remains a highly effective regulatory assessment tool that can be conducted on a cross-jurisdictional basis with other international regulators and frameworks.

Our CBEST thematic analysis, based on the findings of the CBESTs carried out in a relevant period, demonstrates the continued value of CBEST, particularly in highlighting the importance of building a strong foundation of cyber hygiene. CBEST reveals the value of simulating highly privileged internal attackers, such as malicious insiders and/or supply chain attacks. These scenarios represent an opportunity for a firm/FMI to test controls within the network rather than at the perimeter, where defences may be less concentrated.

This 2024 edition of the CBEST Implementation Guide builds upon our well-established framework. In accordance with our commitment to keep our supervisory approach under review, we clarify roles and responsibilities of CBEST participants, include more guidance on the documentation of remediation and consideration of third parties to important business services.

Andrew Nye
Head of PRA Sector Resilience Division, Bank of England

1: Purpose

This CBEST Implementation Guide has been developed by the Prudential Regulation Authority (PRA) for the benefit of CBEST participants which are firms and financial market infrastructures (FMIs). This guide explains the key phases, activities, deliverables and interactions involved in a CBEST assessment.

Because CBEST is a guiding framework rather than a detailed prescriptive methodology, this guide should be consulted alongside other relevant CBEST materials available from the Bank of England (see References).

Firms, FMIs or service providers can ask questions or provide feedback on the CBEST process to the PRA at: CBEST@bankofengland.co.uk.

Further information on the CBEST process is also available on the CREST website (the CBEST Accreditation and Certification body).

Copyright Notice

© 2024 Bank of England

This work is licensed under the Creative Commons Attribution 4.0 International Licence.

To view a copy of this licence, visit Creative Commons or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

2: Introduction

Organisations that form part of the UK’s financial services sector must remain resilient to cyber-attacks. To help organisations achieve this goal, the Bank of England (BoE) has implemented the CBEST security assessment framework, which the PRA, the Financial Market Infrastructure Directorate (FMID) of the Bank of England and Financial Conduct Authority (FCA) have within their supervisory strategies.

CBEST promotes an intelligence-led penetration testing approach that mimics the actions of cyber attackers’ intent on compromising an organisation’s important business services (IBSs) and disrupting the technology assets, people and processes supporting those services.

Collaboration between all the stakeholders is at the heart of CBEST, as well as a close liaison with the relevant regulators.

CBEST is an intelligence-led security testing framework. This approach means that there is a ‘golden thread’ linking the security testing to threats to the activities of an organisation and the potential impact to the wider economy. This is summarised in Figure 1.

Figure 1: Intelligence-led ‘golden thread’

The contents of this figure are described in the text.

2.1: Structure of this document

The remainder of this document is structured as follows:

  • Section 3 provides an overview of CBEST, including a description of the relevant stakeholders, their roles and responsibilities.
  • Section 4 provides an overview of the CBEST process and indicative timelines.
  • Section 5 presents the CBEST risk management process.
  • Sections 6 (includes information on CREST accreditation process, certified individuals, and accreditation body), 7, 8 and 9 provide details of the four phases of CBEST, including their planning and project management considerations.
  • Section 10 provides information on post CBEST analysis.
  • Annexes
    • Annex A – CBEST minimum criteria; and
    • Annex B – RACI matrix.

2.2: Legal disclaimer

The information and opinions expressed in this document are for information purposes only. They are not intended to constitute legal or other professional advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. The sponsors and authors of this document shall accept no responsibility for any errors, omissions or misleading statements in this document, or for any loss that may arise from reliance on the information and opinions expressed within it.

3: CBEST overview

3.1: When should CBEST be carried out?

A CBEST assessment should be carried out when the firm/FMI meets one of the following criteria:

  • The firm/FMI is requested by the regulator to undertake a CBEST assessment as part of the supervisory cycle. The list of those requested to undertake a review is agreed by the PRA and FCA on a regular basis in line with any thematic focus and the supervisory strategy.
  • The firm/FMI has requested to undertake a CBEST as part of its own cyber resilience programme, when agreed in consultation with the regulator.
  • An incident or other events have occurred, which has triggered the regulator to request a CBEST in support of post incident remediation activity and validation, and consultation/agreement has been sought with the regulator.

3.2: Stakeholder and information flow

The following stakeholders are involved in a CBEST assessment:

  • Regulator;
  • Control Group of the participant firm/FMI;
  • Threat Intelligence service provider (TISP); and
  • Penetration Testing service provider (PTSP).

More details on the key actions and related responsibilities are described in the RACI matrix in Annex B. The flows of information between the above stakeholders are summarised in Figure 2.

Figure 2: Stakeholders and information flow

The contents of this figure are described in the text.

3.2.1: The regulator

CBEST is a regulator-led assessment; regulators provide guidance and oversight throughout the assessment, verifying the exercise runs in accordance with the CBEST assessment framework. For simplicity, the term ‘regulator’ will be used in this document even where there are multiple regulatory bodies involved in the assessment.

CBEST assessment framework is part of the PRA, FCA and FMID supervisory approaches. For cross-jurisdictional CBESTs, UK regulators will collaborate with regulatory bodies from other countries as agreed at the beginning of the assessment.

Regulatory teams will include both supervisory and cyber specialist personnel. The regulator is responsible for using the deliverables from the CBEST assessment to form a view of the participant’s cyber security posture. They will monitor the management of the CBEST process, and the status of risk mitigation activities required to maintain secrecy.

The regulator’s responsibilities also include:

  • exercising oversight of CBEST outcomes and remediation plans throughout the entire process (eg planning, execution and review);
  • receiving and acting upon immediate notifications of any identified issues that would be relevant to their regulatory function; and
  • reviewing the CBEST assessment findings in order to produce sector specific thematic reports.

3.2.2: Control Group (CG)

The CBEST participant is the firm/FMI conducting the CBEST assessment. The firm/FMI will need to select CG members, this is a team responsible for the management and firm oversight of the CBEST assessment. There is an executive/sponsor of the firm/FMI’s CBEST assessment, responsible and accountable for the overall delivery of the CBEST assessment (refer to RACI for further information).

Control Group Co-ordinator (CGC)

CG must appoint a CGC who will co-ordinate all the test activities for the firm/FMI. The CGC is responsible for the CG observance responsibilities, the governance, quality assurance (QA), project management of CBEST and stakeholder co-ordination. The CGC must seek regulators’ approval for any addition to or removal from the CG list.

CG composition

The CG should comprise a select number of senior individuals at the top of the security incident escalation chain. The CG should only include those who are strictly needed to:

  • provide essential information and knowledge to implement CBEST (eg, on IBSs, asset, processes, etc) usually only one person per system, which is being tested as part of the CBEST, to provide subject matter expertise; and
  • ensure an effective CBEST risk management process is in place. CG members should have authority to take relevant decisions, but membership is not necessarily limited to roles such as the Chief Operating Officer (COO), Chief Information Officer (CIO), Chief Technology Officer (CTO), Chief Information Security Officer (CISO).

The number of members of the CG will depend on the nature of the firm/FMI. CG membership should be as limited as possible, and information shared only on a ‘need to know’ basis.

It is also possible that third parties need to be part of the CG (eg where important systems underpinning IBS are outsourced). In this case, the firm should engage with the third party during the early stages of the project and take all the required actions to ensure the integrity of the assessment. For further details see Supplementary Guidance on Outsourcing and Third-Party Scenarios in CBEST (CBEST (2024k)).

CG responsibilities

CBEST RACI matrix in Annex B sets out the responsibilities for the key stakeholders (including CBEST executive/sponsor and CG) and within the CBEST framework, using the Responsible (R), Accountable (A), Consulted (C) and Informed (I) convention.

CG must ensure that:

  • all CBEST minimum criteria (Annex A – CBEST minimum criteria) and requirements described in the CBEST Implementation Guide are met during the implementation of the assessment;
  • an overall project plan is defined during the Initiation phase and systematically updated during the project.
  • the CBEST assessment is conducted in a risk-controlled manner, implementing a risk management process to identify, assess and mitigate risks related to CBEST activity throughout all phases. The CG are recommended to use the Project Initiation Document (PID), including risk management plan, to keep control of the CBEST project plan during the execution of its phases (refer to Section 5);
  • the secrecy of the CBEST assessment is preserved throughout its duration. If secrecy is compromised, or there is a suspicion that it has been, the CG must report this immediately to the regulator. This includes ensuring that members of the CG are the only staff with knowledge of the CBEST;
  • the scope of the CBEST assessment is representative of the firm/FMI’s IBSs. The key systems underpinning the IBSs and compromise actions in scope of CBEST are identified by mean of impact assessment (more details are in Section 6.3);
  • the co-ordination, communication and engagement with and between all external parties (TISP, PTSP, regulator, etc) is effective;
  • the TISP and PTSP engaged for the assessment are accredited CBEST service providers (refer to Section 6.4.1);
  • any significant concerns in relation to the project plan (eg delays) and the technical execution of Threat Intelligence (TI) and Penetration Testing (PT) phases are reported to the regulator immediately; and
  • deliverables are produced in line with CBEST guidelines/templates and shared with the regulator on a timely and unredacted (unless otherwise required) basis.

3.2.3: Threat Intelligence service provider (TISP)

TISP is an independent company, hired by the firm/FMI to plan and execute a threat intelligence analysis of the firm/FMI.

The TISP must be CBEST accredited (more details in Section 6.4.1). The TISP will implement the TI analysis following the best practice described in the CBEST Services Assessment Guide (CBEST (2024b)).

At a minimum, the TISP should complete the following tasks to satisfy the CBEST minimum criteria:

  • provide an external threat intelligence assessment of the firm/FMI, which features evidentially supported profiles of cyber threat actors that could be reasonably expected to potentially target the firm/FMI;
  • provide information that potential threat actors could uncover about the IBSs and key systems identified as within the CBEST scope;
  • create threat scenarios based on the outcomes of the targeting assessment and threat intelligence;
  • complete the Threat Intelligence Maturity Assessment of the firm/FMI’s TI function based on the CBEST guidelines;
  • provide further intelligence and direction during the PT phase and input to the final PT Report, as appropriate; and
  • feedback on the CBEST execution during the Debrief session with the regulator.

During the CBEST engagement, the TISP should work collaboratively with both the firm/FMI and the PTSP. This should include:

  • ensuring the TI analysis is aligned to the PT plan during the TI phase; and
  • continuing to provide further intelligence that may enhance implementation of the scenarios, during the PT phase.

The primary day-to-day contact within the TI/PTSPs are the Project Managers, the CREST Certified Threat Intelligence Manager (CCTIM) (CREST (2024a)).

3.2.4: Penetration Test service provider (PTSP)

PTSP is an independent company, hired by the firm/FMI to plan and execute the penetration testing activity based on the threat scenarios identified during the TI phase. The PTSP must be CBEST accredited (more details in Section 6.4.1).

At a minimum, the PTSP should complete the following tasks to satisfy the CBEST minimum criteria:

  • design and plan the PT execution in line with the target actions agreed in the scope and the threat scenarios identified in the TI phase;
  • agree a PT risk management process with the firm/FMI in order to run a controlled assessment and minimised the risks inherent in a CBEST assessment;
  • execute the threat scenarios identified by the TISP and approved by the firm/FMI, using an ethical red teaming testing methodology;
  • provide regular updates on the key target actions implemented and the results during the PT phase;
  • complete the Detection & Response (D&R) Capability Assessment (CBEST (2024i)) of the firm/FMI based on the CBEST guidelines;
  • draft the PT Findings Report in line with the CBEST guidelines; and
  • provide feedback on the CBEST execution during the Debrief session with the regulator.

During the CBEST engagement, PTSP should work collaboratively with both the firm/FMI and the TISP. This will include:

  • providing comments during the TI phase to improve the analysis and ensure that the proposed threat scenarios will be executable during the PT phase; and
  • adapting the assessment by integrating further intelligence details provided by the TISP during the PT phase.

The primary points of day-to-day contact within the PTSPs are the Project Managers and the CREST Certified Simulated Attack Manager (CCSAM) (CREST (2024b)).

3.2.5: National Cyber Security Centre (NCSC) Early Warning Service

During Scoping, the regulator will check if the firm/FMI is registered to the NCSC Early Warning Service (EWS) and ask for confirmation that the firm/FMI’s data are up to date in the NCSC system. EWS is the NCSC’s free service to organisations, designed to inform firms/FMIs of threats against their networks. Organisations that sign up for the NCSC’s EWS will receive notifications from UK-focused threat intelligence feeds to support their cyber defence. These feeds include multiple feeds from the NCSC – these are privileged feeds, unique to this service and unavailable elsewhere.

4: CBEST process

The CBEST assessment process consists of four phases of work, as shown in Figure 3.

  • Phase 1: Initiation phase during which the CBEST assessment is launched, the scope is established and TI/PTSPs are procured;
  • Phase 2: Threat Intelligence phase during which the core threat intelligence deliverables are produced, threat scenarios are developed into a draft Penetration Test Plan and PTSP carries out the assessment;
  • Phase 3: Penetration Testing phase during which an intelligence-led Penetration Test against the target systems and services that underpin each in-scope IBS is planned, executed, and reviewed. The firm’s Threat Intelligence maturity, and Detection & Response capabilities are assessed;
  • Phase 4: Closure phase during which the firm/FMI’s Remediation Plan is finalised, the TI/PTSPs are debriefed, and the regulator supervises the execution of the Remediation Plan by the firm/FMI.

Post CBEST, the regulator analyses CBEST assessments and compiles a periodic thematic report based on the thematic findings of all the CBESTs carried out in the relevant period (Section 10).

Figure 3: CBEST phases