Recital 56

Regular security testing of ICT systems and staff


In order to achieve a high level of digital operational resilience, and in line with both the relevant international standards (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testing) and with the frameworks applied in the Union, such as the TIBER-EU, financial entities should regularly test their ICT systems and staff having ICT-related responsibilities with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities. To reflect differences that exist across, and within, the various financial subsectors as regards financial entities’ level of cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing by means of TLPT. Such advanced testing should be required only of financial entities that are mature enough from an ICT perspective to reasonably carry it out. The digital operational resilience testing required by this Regulation should thus be more demanding for those financial entities meeting the criteria set out in this Regulation (for example, large, systemic and ICT-mature credit institutions, stock exchanges, central securities depositories and central counterparties) than for other financial entities. At the same time, the digital operational resilience testing by means of TLPT should be more relevant for financial entities operating in core financial services subsectors and playing a systemic role (for example, payments, banking, and clearing and settlement), and less relevant for other subsectors (for example, asset managers and credit rating agencies).

Terms used above, as defined in the Regulation:

digital operational resilience: the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

threat-led penetration testing (TLPT): a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.

vulnerability: a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited.

financial entities: as defined in Article 2, points (a) to (t).

digital operational resilience testing: as defined in Article 24.

credit institution: as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council.

central securities depository: as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014.

central counterparty: as defined in Article 2, point (1), of Regulation (EU) No 648/2012.

credit rating agency: as defined in Article 3(1), point (b), of Regulation (EC) No 1060/2009.