The Digital Operational Resilience Act (DORA) sets a new standard for cyber resilience in the EU's financial sector. One of its most potent tools is rigorous, ongoing testing. Pillar 3 of DORA mandates that financial institutions test their ICT systems, identifying and addressing vulnerabilities before they can be exploited. In part 3 of this 4-part blog, we look at testing.
Why Testing Matters
Consider DORA's testing requirements as a stress test for your digital systems. Instead of checking how well your institution handles financial strain, it focuses on how resilient you are to cyberattacks, IT failures, and other disruptions. Proactively identifying and fixing weaknesses can prevent minor glitches from snowballing into major incidents.
The DORA Testing Toolkit
DORA sets out a comprehensive testing regime that includes:
General Testing: A risk-based approach to regularly assess your ICT systems and identify vulnerabilities.
Advanced Testing: A more rigorous form of testing called Threat-Led Penetration Testing (TLPT), which simulates real-world attacks to see how your systems hold up.
Specialised Testing: Targeted tests for specific tools, systems, and processes.
Key Requirements
Risk-Based Approach: Testing should be tailored to your specific risk profile. Save resources on low-risk areas and focus on the critical ones.
Independence: Use independent testers to ensure objectivity and get a fresh perspective.
Thoroughness: Test all critical systems and processes, including those provided by third parties.
Regularity: Testing shouldn't be a one-off exercise. Conduct it regularly to stay ahead of emerging threats.
Benefits of DORA Testing
By following Pillar 3's guidelines, you'll be well on your way to:
Improved Resilience: Identify and address vulnerabilities before they are exploited.
Reduced Risk: Mitigate the impact of cyberattacks and operational disruptions.
Regulatory Compliance: Demonstrate your commitment to meeting DORA's requirements.
Enhanced Reputation: Show your customers and stakeholders that you take security seriously.
A deep dive into DORA level 1 requirements
Article 24: General Requirements for Testing
Under Article 24, financial entities must establish comprehensive testing programs to assess their preparedness for handling ICT-related incidents. This includes:
Creating a risk-based testing program tailored to the specific risks faced by the entity.
Incorporating various testing methods like vulnerability assessments, penetration testing, and scenario-based exercises.
Ensuring the independence of testing by engaging qualified external or internal testers.
Prioritising and promptly addressing any identified weaknesses.
Regularly testing ICT systems that support critical or important functions (at least annually).
Article 25: Testing of ICT Tools and Systems
Article 25 goes deeper, specifying the types of tests that should be conducted to assess the resilience of ICT tools and systems:
Defining a range of tests, including those that address security, performance, and availability under stress.
Mandating pre-deployment testing for critical infrastructure.
Allowing micro-enterprises to adopt a risk-based approach tailored to their resources and risk profile.
Article 26: Advanced Testing with Threat-Led Penetration Testing (TLPT)
This article focuses on advanced testing, particularly TLPT, which simulates real-world attacks to evaluate the resilience of critical systems and processes:
Mandating TLPT at least every three years, with the frequency adaptable based on risk profile.
Defining the scope of TLPT to cover critical or important functions, with the testing performed on live production systems.
Ensuring participation of third-party service providers.
Requiring the implementation of risk management controls to mitigate risks associated with TLPT.
Mandating the reporting of TLPT findings, remediation plans, and compliance documentation to the relevant authority.
Article 27: Requirements for Testers
To ensure the quality and integrity of testing, Article 27 sets out requirements for testers performing TLPT:
Establishing criteria for testers, including certifications or adherence to standards.
Mandating independent assurance or audit for internal testers.
Requiring professional indemnity insurance.
Specifying additional requirements for internal testers to prevent conflicts of interest.
What to Expect: A 6-Month Implementation Roadmap
Month 1: Planning & Preparation: Conduct a thorough gap analysis to compare your current testing practices to DORA requirements. Develop a tailored testing strategy.
Month 2: Design & Implementation: Build a testing framework that outlines the types of tests you'll perform, how often they will be performed, and who will be responsible.
Month 3: Threat-Led Penetration Testing (TLPT): Conduct a comprehensive TLPT to put your defences to the ultimate test.
Month 4: Remediation: Address any vulnerabilities or weaknesses identified during testing.
Month 5: Continuous Testing & Monitoring: Implement ongoing testing to catch emerging threats.
Month 6: Review & Refinement: Evaluate the effectiveness of your testing program and make any necessary improvements.
The Bottom Line
Pillar 3 of DORA is your blueprint for building a stronger, more resilient financial institution. By embracing a proactive testing approach, you'll be better equipped to protect your assets, your reputation and, most importantly, your customers' trust. In the final part of this blog series, we consider Pillar 4, ICT Third-Party Risk Management.
#DORA #DORAcompliance #DigitalOperationalResilience #CyberResilience #FinTech #FinancialServices #CyberSecurity #PenetrationTesting (or #PenTest) #ThreatLedPenetrationTesting (or #TLPT) #ICTrisk #ITResilience #RegulatoryCompliance #RiskManagement #FinancialInstitutions #InformationSecurity #CyberThreat #DataProtection #TechRisk #ResiliencePlanning