November 1, 2025

Last Updated on November 1, 2025

The EU’s Digital Operational Resilience Act (DORA) now requires many financial services businesses to periodically test their cybersecurity with threat-led penetration testing (TLPT). An exceptionally rigorous and realistic attack simulation performed on live operational systems, TLPT can transform a firm’s cybersecurity by revealing critical insights and previously unseen weak spots.

What is TLPT, how does it differ from traditional pen testing, and which companies should conduct it? This article summarizes what is most important to know about TLPT.

Key takeaways

  • TLPT seeks to realistically evaluate digital operational resilience in the face of actual attacks, not just identify technical vulnerabilities.
  • Unlike typical pen testing or vulnerability assessments, TLPT relies on threat intelligence specific to an organization and its actual risks.
  • TLPT engagements are generally much longer and more complex than traditional penetration testing, with minimal client-side awareness of the testing.
  • DORA requires TLPT every three years for most financial firms.
  • Internal teams can conduct TLPT in many cases, subject to several limitations.
  • DORA and other EU sources list requirements for TLPT providers.

What is threat-led penetration testing (TLPT)?

Similar to Red Team drills, TLPT evaluates how the most relevant current threats could impact a financial company’s most critical operational functions. Its goal is to accurately evaluate digital operational resilience in the face of real-world hackers seeking to leverage your unique vulnerabilities for their ends.

A key difference between TLPT and traditional pen testing is its scope and complexity. While typical pen tests focus on one part of your environment, such as the network, TLPT covers all attack surface elements: digital (including production systems, cloud environments, and third-party services), physical/premises, and human (people and processes). Testers attempt to breach the target by any means available: physical intrusion, social engineering, cyber assaults, etc.

Another unique aspect of TLPT is its duration. TLPT engagements often go on for several months, with as few stakeholders as possible being aware of the testing.

How frequently is TLPT required? According to DORA, “Financial entities … shall carry out at least every three years advanced testing by means of TLPT. Based on the risk profile of the financial entity, and considering operational circumstances, the competent authority may, where necessary, request the financial entity to reduce or increase this frequency.”


Upon completion, the financial entity must submit a summary of the TLPT process and results to the competent authorities. If all is well, the authorities issue an attestation to inform other stakeholders.

Do we need to hire a third party for TLPT?

DORA permits in-house teams to conduct TLPT, with these caveats:

  • Any threat intelligence used for the TLPT must come from an independent source.
  • Every third TLPT effort must be outsourced.
  • If the Red Team (attacking team) consists of a mix of in-house staff and external testers, this scenario is considered an internal test.
  • Credit institutions classified as significant must always use external testers for their TLPT under DORA.

What is the TIBER-EU framework and how does it relate to TLPT and DORA?

While DORA specifies the guidelines for how and when to conduct TLPT, the evolving TIBER-EU framework is a reference source for operational requirements and technical standards. This includes the scope of testing, appropriate methodologies for each testing phase, and requirements applicable to testing service providers.

While the longer-term goal is to align DORA and TIBER-EU, there are currently some differences. These include:

  • TIBER-EU does not allow internal TLPT efforts, while DORA does (with caveats).
  • DORA requires Purple Teaming collaboration, including training an internal Blue Team, as part of the TLPT engagement. TIBER-EU strongly recommends but does not require Purple Teaming.

Should my company conduct TLPT?

In practice, many businesses subject to DORA will be required to perform TLPT for compliance, except for some smaller firms. Even if not mandated by DORA, the competitive and risk management benefits of TLPT make it an increasingly strategic choice for many service providers in the financial industry.

Where questions or concerns arise, the competent authorities are responsible for deciding which financial entities subject to DORA must conduct TLPT. Key factors include:

  • The importance of an entity’s services to the EU financial sector.
  • The entity’s level of IT and cybersecurity maturity.
  • Potential concerns about financial stability associated with a data breach.

Entities that play a “systemic role” in a “major sub-sector” of the financial sector are likely required to perform TLPT. These classes of entities include:

  • Credit institutions identified as “global systemically important institutions” per EU Parliament laws.
  • Payment and electronic money institutions whose total transaction value for each of the prior two years exceeded EUR 120 billion.
  • Central securities depositories.
  • Central counterparties.
  • Trading venues utilizing an electronic trading system that meet one or more specific trading criteria.
  • Insurance and reinsurance firms subject to a range of specific criteria.

How can TLPT benefit my business?

While TLPT may be required for DORA compliance, it has significant strategic benefits for enhancing business resilience, cybersecurity, and stakeholder peace of mind. Firms that leverage TLPT stand a better chance of proactively mitigating threats and reducing cyber risk to their operations, while demonstrating their advanced capabilities to clients, partners, regulators, investors, etc.

Some of the benefits of TLPT for companies in all sectors include:

  • Highly realistic threat simulation based on actual tactics that accurately mimics a real cyber assault.
  • Targeted assessment of specific risks and threats aimed at your business, yielding more actionable insights versus a generalized approach.
  • Elevated incident response capabilities based on detailed feedback and gap identification in your current cybersecurity program.
  • Streamlined regulatory compliance for entities subject to DORA or whose customers are subject to DORA.
  • Better information to prioritize cybersecurity and business continuity investments.
  • Competitive differentiation for service providers in regulated industries.

What to look for in a TLPT provider

TLPT is an emerging requirement that is relatively new to both regulated companies and potential service providers. DORA’s Article 27 lists these requirements for testers authorized to perform TLPT:

  • Be of the highest suitability and reputability;
  • Possess technical and organizational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;
  • Be certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks;
  • Provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity;
  • Be duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.


Other requirements or capabilities may also apply. Importantly, financial businesses leveraging TLPT need to guarantee both technologically and contractually that their production data and systems are safe from any external testers’ missteps or misconduct.

What’s next?

For more guidance on this topic, listen to Episode 154 of The Virtual CISO Podcast with guest Dejan Kosutic, CEO at Advisera.