The evolution of regulatory assessments: building cyber and operational resilience

Apostolos Mastoris, Principal Consultant
February, 2021

Regulatory assessments such as CBEST, TBEST, TIBER, iCAST, and CORIE are more than just tick-box exercises to remain compliant. By assessing organizations in realistic, threat-intelligence-led attack simulations, they present an opportunity to build defensive capability and minimize the disruption to core business services from a cyber attack.

In critical industries where severe disruption to business continuity can pose a broader risk to national or international infrastructure, regulators seek to safeguard people, businesses, and whole industries. One measure of this is cyber resilience, or an organization’s ability to prevent cyber attacks and minimize disruption to core business services should they occur.  

Regulatory frameworks measure organizations’ cyber resilience by mandating controlled and standardized security testing. They provide an opportunity for organizations to develop new means to detect and stop more attacks with greater efficiency. Those that embrace this opportunity can realize the business benefits of greater cyber resilience and be able to execute their strategies with less risk of operational disruption. 

Regulatory frameworks currently apply to financial institutions, telecoms providers, governmental bodies, and the civil nuclear sector. It is expected that yet more critical industries will adopt them. This guide is designed to help such organizations maximize the value they gain from regulatory assessment by:

  • Showing how they can use the output of regulatory assessment to drive improvements in defensive capability and cyber resilience
  • Explaining the activities they may undertake to build defensive capability before and after a regulator-led assessment
  • Demonstrating how regulators themselves apply lessons learned from assessments to develop their testing frameworks in line with evolving attacker techniques and motivations
  • Predicting how regulatory assessments will continue to evolve in the future to drive further cyber resilience in critical industries