- Kateřina Kubíková
The Digital Operational Resilience Act (DORA) will affect the penetration testing of financial institutions. But why is this important for their cybersecurity?
What is threat-based penetration testing?
The goal of penetration testing is to prevent actual attacks by detecting and resolving security vulnerabilities in the normal course of operations, thereby reducing the risk to the financial entity. However, the testers themselves gain privileged access to the financial entity's systems and could, in principle, exploit the vulnerabilities they find to reach its finances. That is why DORA comes with strict conditions that testers must meet from January 2025.
Threat-based penetration testing is a control process in which security experts simulate the behavior of real cyber threats (called a red team) to identify and eliminate potential weaknesses in an information system. Penetration testing thus helps strengthen companies' cybersecurity and improves preparedness for potential real-world attacks.
So how does it work?
A red team is typically a group of cybersecurity experts who simulate attackers to identify weaknesses in an organization’s security measures. The attack simulation is then a control test where the red team mimics the behavior of real attackers so that the organization can identify and fix security flaws. In this way, the organization can better understand what weaknesses could be exploited by real attackers and take measures to address them.
For example, if one of the organization's key assets is a customer database, the red team could simulate an attack that attempts to gain unauthorized access to that database.
Who will have to perform threat-based penetration testing?
Only financial entities identified for advanced digital resilience testing will be required to conduct threat-based penetration testing under DORA, so this should be a smaller percentage of financial institutions. However, these entities will be required to conduct penetration testing at least once every three years.
In addition, financial institutions must ensure that contracts with penetration testing vendors include provisions for the appropriate treatment of penetration test results. This is to ensure that any manipulation of data (including processing, storage, aggregation, evaluation, sharing or destruction) does not put the financial entity at risk.
Requirements for penetration testers
The DORA regulation aims to protect financial institutions from having their vulnerabilities exploited by penetration testers. For this reason, it explicitly requires that only entities that meet strict conditions should perform testing:
- Good reputation in the market – they are the most suitable and have the best reputation.
- Capability and knowledge – their teams must have sufficient capability and knowledge, including red team testing, and they must demonstrate this.
- Certification and codes – they are certified by an accreditation body in the Member State or adhere to formal codes of conduct or ethical frameworks.
- Independent audit – submission of confirmation from an independent audit assessing the risk management of penetration testing and the security of confidential information.
- Professional indemnity insurance – testers must have sufficient insurance to cover any damage caused during testing.
If a financial institution uses its own teams (so-called internal testers) for penetration testing, they will have to meet additional criteria:
- Approval from a competent authority – this use must be approved by the appropriate authority or public body designated in accordance with DORA.
- Ensuring sufficient resources and avoiding conflicts of interest – the competent authority must verify that the financial entity has allocated sufficient resources and ensured that there are no conflicts of interest during the design and implementation of the test.
- External threat intelligence provider – the provider of threat information must be an external entity that is not part of the financial entity.
In conclusion
Penetration testers have access to financial institutions’ technology; to avoid cybersecurity breaches by the testers themselves, DORA sets out criteria for them to meet.
Certification of penetration testers under DORA is thus a key element in protecting financial institutions from modern cyber threats. It requires qualified entities with a good reputation, "red team" capabilities and certification from accreditation bodies.
Independent audits and professional indemnity insurance provide an additional level of assurance in the processes of detecting security weaknesses. These conditions are essential to strengthen the digital resilience of the financial sector in today's cyber space.