Preparing for DORA TLPTs: A Guide for Financial Sector Companies
The EU’s Digital Operational Resilience Act (DORA) requires all financial entities to run a digital operational resilience testing programme, of which penetration testing is one part. The programme must be formal and risk-based, ensure that all critical ICT systems and applications are tested regularly, and also cover aspects outside the typical pentest realm, for instance availability.
In addition, the financial entities identified by the regulator must conduct Threat-Led Penetration Testing (TLPT) at least every three years to verify that their defences are robust and resilient. A TLPT is essentially a structured red team test for the financial sector. This guide walks financial sector companies through how to prepare for DORA TLPTs effectively.
Not all financial entities are required to perform TLPT*, but performing TLPT (sometimes also referred to as a “red team test” or a TIBER test) regularly is highly recommended for all financial entities: it gauges how effective the current security controls are and how well the organisation can prevent, detect and respond to cyberattacks. That lowers the financial risk of a successful attack, and it is also a practical way to check that you are getting what you are paying for from your MSSP or SOC.
(*Credit institutions, payment institutions, electronic money institutions, central securities depositories, central counterparties, trading venues, and insurance and reinsurance undertakings above certain size thresholds will be required by the regulator to perform TLPT.)
Steps to Take on How to Prepare for DORA TLPTs
1. Understand the Requirements
Familiarise yourself with the DORA regulation and the specific TLPT requirements (Articles 26 and 27). This includes understanding the scope, objectives and expected outcomes of the tests, and how the regulator will mandate them. Pay particular attention to Article 2 of the Regulatory Technical Standard (RTS) on TLPT, which specifies the criteria and size thresholds for mandatory testing.
2. Establish a Baseline
Conduct an initial assessment of your current cybersecurity posture: identify key assets, potential vulnerabilities and existing controls. A lightweight red team exercise at this stage helps you understand your weak spots and exposure before the formal TLPT.
3. Develop a Testing Plan
Create a detailed TLPT plan covering the scope of testing, timelines and the resources required, and ensure it aligns with DORA’s requirements and your organisation’s risk management strategy. TIBER-EU should be used as the framework for test execution; the DORA RTS on TLPT is developed in accordance with it.
4. Engage Qualified Testers
Partner with experienced and accredited ethical hackers, such as the team at Advisense, to perform TLPTs. DORA permits internal testers only under the conditions set out in Article 26(8) and requires significant credit institutions to use external testers, and Article 27 places strict requirements on the testers’ experience and qualifications. Look for professionals with a proven track record in the financial sector and deep knowledge of advanced attack techniques. In many countries the central bank acts as the coordinating authority for TLPT; contact them for support.
5. Execute the test
The active red team phase of a TLPT lasts at least 12 weeks in calendar time, and the full engagement, with preparation, threat intelligence and closure phases, runs considerably longer. Plan ahead, and ensure you have the right resources in place in your blue team (the defenders) and white team (the control team that oversees the test).
6. Analyse and Report
After each test, thoroughly analyse the findings: document strengths and weaknesses, assess the impact and prioritise remediation. Ensure transparent reporting to stakeholders and, where required, to the regulator.
7. Continuous Improvement
Use the insights from TLPTs to improve your cybersecurity measures continuously: update your security policies, implement new controls and train your staff.
When and How Often?
– Initial Assessment: As soon as possible to establish a baseline.
– Red teaming: At least annually, or more often depending on your risk profile.
– TLPT: At least every three years, as mandated by the regulator.
– Post-Incident Testing: After any significant security incident to evaluate and strengthen defenses.
– Continuous Monitoring: Ongoing efforts to monitor and improve based on emerging threats and regulatory updates.
Creating a Plan
1. Set Clear Objectives: Define what you aim to achieve with TLPTs, focusing on critical assets and potential threats.
2. Allocate Resources: Ensure you have the budget, tools and skilled personnel not only to run the test but to act on its outcome, the report and its findings.
3. Engage Stakeholders: Involve key stakeholders from IT, security, and business units to ensure comprehensive planning and support.
4. Develop a Timeline: Create a detailed timeline that outlines all phases of TLPTs, from planning and execution to analysis and reporting.
5. Partner with Experts: Work with reputable TLPT service providers, such as Advisense, who understand the financial sector’s unique challenges and regulatory requirements.
Our Expertise
At Advisense, we specialise in TLPT services tailored to the financial sector, and we meet the requirements placed on external test teams in Article 5 of the RTS.
Our team of ethical hackers has extensive experience and a deep understanding of the regulatory landscape in Norway, Sweden, Belgium and Lithuania. We are well-connected and recognised in the industry for delivering exceptional cybersecurity services.
Our approach includes:
– Comprehensive Assessments: We perform thorough assessments to identify vulnerabilities and provide actionable insights.
– Tailored Solutions: Our TLPTs are customised to meet your specific needs and regulatory requirements.
– Expert Guidance: We offer ongoing support and guidance to help you strengthen your cybersecurity posture continuously.
Reach out to us to learn more about how we can help you prepare for DORA TLPTs and protect your financial institution from emerging threats. Let’s work together to ensure your organization’s resilience and security.