TLPT tests: What are they and which companies should perform them?

TLPTs are threat-based penetration tests that many financial sector entities must undergo starting in January 2025

Ever since humankind invented it, money has always attracted criminals. Throughout history, criminals have devised strategies and techniques to obtain money illicitly. It should, therefore, come as no surprise that financial institutions and their customers are a central target for attackers and one of the greatest threats to society as a whole.

Earlier this year, the International Monetary Fund (IMF) warned that cyber-attacks against the financial sector were threatening global financial stability and that security incidents could affect the operations of organizations in the sector, generate heavy losses and have macroeconomic repercussions.

To address this threatening scenario, the European Union approved the DORA at the end of 2022, a regulation that aims to improve the resilience of European financial institutions and establishes the obligation for organizations to undergo a TLPT test. In other words, a Threat-Led Penetration Testing to assess whether they can withstand advanced persistent threats (APT).

The DORA regulation will come into force on January 17, 2025, so financial companies have four months to adapt to this regulatory framework. They must contract a TLPT to strengthen their defensive capabilities against attacks.

Below, we will explain the key aspects of the TLPT tests to help banks, insurance companies, investment funds and other financial institutions to understand what they consist of and how they should be carried out to comply with the regulations and avoid fines running into millions of dollars.

1. TIBER-EU: The origin of TLPT testing

The fear of serious incidents undermining the business continuity of financial institutions goes back a long way. After all, we are talking about a sector critical to the economic system’s functioning.

That is why, prior to the approval of the DORA regulation, the European Central Bank (ECB) launched TIBER-EU, a framework for conducting Theat Intelligence-Based Ethical Red-Teaming ( TIBER-EU) exercises.

The TIBER framework lays the groundwork for companies, public authorities, threat intelligence, and Red Team teams to conduct TLPT tests.

What does this testing consist of? Threat Intelligence professionals provide the information needed to understand hostile actors’ tactics, techniques and procedures that could affect targeted financial institutions. Red Team teams perform attacks, pretending to be the previously identified malicious actors, against the critical assets of financial institutions using the TTPs of these criminals. Thus, the TLPT tests allow organizations to detect strengths and weaknesses and help them improve their cyber resilience.

By implementing this testing framework, the ECB and the other central banks that have adopted it, such as the Bank of Spain, make it easier for companies in the financial sector to undergo TLPT testing to protect themselves against advanced persistent threats.

Thus, with the guide developed by the ECB, the Banco de España also published its guide (TIBER-ES) to systematize and standardize the performance of TLPT tests.

Since the start of the TIBER-EU program, hundreds of institutions have voluntarily submitted to TLPT tests. However, the DORA regulation goes further and imposes TLPT testing on many companies operating in the financial sector.

2. DORA Regulation: A regulatory framework to ensure that financial institutions can withstand attacks

As with the TLPT tests or the TIBER framework, the DORA concept summarizes the name of this European regulation: the Digital Operational Resilience Act. This title perfectly explains the fundamental objective of the regulation: to ensure the digital operational resilience of the entities that are part of the European financial sector.

To this end, the DORA regulation establishes an ICT risk management framework, imposes precise measures to streamline and improve the reporting of serious incidents and includes digital operational resilience tests to be carried out by organizations.

Among these tests, the TLPTs stand out for their level of depth and complexity.

3. Threat Intelligence and Red Team. The two key services for performing TLPT tests

As mentioned above, TLPT tests are based on two advanced cybersecurity activities that provide high-added value: Threat Intelligence and Red Team.

3.1. Threat Intelligence

Once the scope of the TLPT tests has been set and all related aspects have been agreed between the financial companies and the testers, the Threat Intelligence team comes into play . These professionals must gather all the information that hostile actors must obtain to launch a cyberattack against a financial institution.

This wealth of information provides invaluable data on the tactics, techniques and procedures of the actual attackers and is critical to designing the scenarios that the Red Team must then test.

Targeted threat intelligence provides an accurate picture of the threats facing the company undergoing TLPT testing and the targets of hostile actors.

At the end of their work, Threat Intelligence professionals will produce a report specific to the threats affecting the entity. This report is known as TTI (Targeted Threat Intelligence).

3.2. Red Team

Based on the TTI, the scope of the TLPT tests and the objectives to be met are adapted through the execution of Red Team exercises. Threat-based scenarios are then designed using all the intelligence gathered by the Threat Intelligence team. This is compiled in a RTTP (Red Team Test Plan) report.

The next step is to begin the execution of the Red Team Exercises contained in the RTTP. The duration varies depending on the scope and objectives but is typically around three months per exercise. During the training, Red Team professionals behave like real attackers and deploy a wide range of techniques to overcome the company’s defensive mechanisms and the actions of its Blue Team to achieve the objectives.

In addition, of course, the Red Team must document all its actions and produce regular reports to keep the organization abreast of the progress of the TLPT test.

At the end of the test execution phase, reports on the performance of both the Red and Blue Teams should be prepared. After these, it is necessary to carry out sessions to share this information between both teams, even advising the recreation of joint activities to ensure complete understanding.

It is also essential to draw up an action plan to implement the recommendations made by the cybersecurity and cyberintelligence professionals to solve the weaknesses detected in the TLPT tests.

The TLPT tests end with submitting all the documentation to the competent authority, who will promptly inform them of the activities carried out during all the previous phases so that they can validate the exercise.

4. Requirements established by DORA to carry out the TLPT tests

In Article 26, the DORA regulation indicates the requirements to be taken into account by both financial companies and testing companies when performing TLPT tests:

1. TLPT tests must cover all or some of the critical functions of the financial institution.
2. They should be performed on the active production systems that the company employs to support its critical functions. Thus, the underlying systems and the ICT services supporting these functions should be included. This implies taking into account the services contracted to third-party suppliers.
3. If providers are included within the scope of the TLPT tests, companies must ensure their participation. The DORA regulation provides for joint TLPT testing between several financial institutions when they share an ICT service provider when the latter provides services to companies that are not included within the scope of the regulation.
4. Risk management controls must be deployed to prevent TLPT testing from adversely impacting data, assets and business operations.
5. For a TLPT activity to be considered as such under the DORA regulation, the execution of the TLPT activity must fully follow the technical standards issued by the competent authority, which will follow the TIBER-EU framework.

As noted above, once the TLPT tests have been performed, companies must submit to the competent authority, which in our country is the Bank of Spain, the following information:

• The main findings were found during the TLPT tests.
• The corrective plans to remedy the weaknesses detected.
• The documentation verifying that the TLPT tests complied with all regulatory requirements.

After analyzing this information, the Bank of Spain will send the entity a test validation report.

5. Which companies must undergo TLPT tests, and how often must they be performed?

The DORA regulation applies to financial institutions, as well as to companies that provide them with ICT services:

• Credit and payment institutions.
• Insurance and reinsurance companies.
• Insurance, reinsurance and complementary insurance intermediaries.
• Providers of investment services:
  • Investment.
  • Account information.
  • Data provision.
  • Participative financing.
  • Cryptoassets
• Electronic money companies.
• Central securities depositories.
• Central counterparties.
• Trading centers.
• Trading and securitization registries.
• Occupational pension funds.
• Alternative investment fund managers.
• Management companies.
• Credit rating agencies.
• Critical benchmark index administrators.
• Third-party ICT service providers.

5.1. Exclusion of small organizations

Beyond this list, the regulation provides for the exclusion of some companies, mainly because of their size. For example, insurance and reinsurance companies whose gross annual insurance premium income is less than 5 million euros are excluded from the scope of DORA. The same applies to insurance intermediaries that are considered micro-enterprises or SMEs.

In addition, the regulation excludes all micro-enterprises and other entities, such as small investment services companies or small pension funds, from the obligation to perform TLPT tests.

These exclusions are because:

1. These companies do not have sufficient cybersecurity maturity, so forcing them to perform such complex and in-depth testing as TLPT makes no sense.
2. If one of these companies suffers a security incident, it will not affect many citizens and businesses and will not reverberate in the European economy and society.

5.2. Proportionality in determining which financial institutions must perform the TLPT tests

In addition to the exclusions, the rule also establishes that the competent authorities must apply the principle of proportionality in conducting the TLPT tests. This means that the scope and complexity of these advanced tests should not be the same for all companies.

Thus, the DORA regulation states that competent authorities such as the Bank of Spain must determine the performance of the TLPT tests taking into account:

• The impact of each company’s services and activities in the financial sector.
• The potential for a security incident in a company to affect the financial stability of a country or the EU.
• The company’s ICT risk profile.
• The entity’s level of technological maturity.

5.3. Undergo TLTP testing at least every three years… at a minimum

Financial sector companies obliged to undergo TLPT testing must do so at least once every three years.

However, the Bank of Spain may establish that an organization may increase the frequency of testing based on the following:

• The risk profile of the entity.
• Operational circumstances.

Therefore, It is expected that the most important financial companies that are systemic for functioning the productive fabric and society will be obliged to carry out TLPT tests more frequently.

6. What are the requirements for cybersecurity companies performing TLTP tests?

TLPT are advanced tests that can only be designed and executed by highly skilled and experienced teams with sufficient resources. To put it bluntly, not all cybersecurity companies can perform these tests. That is why the DORA regulation clearly states what requirements testing companies must meet:

• Be suitable and have a high reputation in the industry.
• Have technical and organizational capabilities, as well as expertise in:
  • Threat intelligence.
  • Penetration testing.
  • Red Team exercises.
• Be accredited by a certification body in an EU country or adhere to codes of good conduct or ethical frameworks.
• Have an independent assurance or audit that supports optimal management of the risks associated with TLPT testing. This includes:
  • Protection of confidential information of financial companies.
  • Remediation measures if business risks occur for companies undergoing TLPT testing.
• Professional liability insurance to cover wilful misconduct and negligence.

Therefore, it is imperative that financial companies hire cybersecurity companies with a long track record and specific expertise in performing TLPT testing following the TIBER-EU framework.

7. Can companies perform TLPT testing in-house?

The DORA regulation states that companies can perform TLPT testing in-house. However, this possibility is strongly constrained by the regulation itself, since:

1. The company must have experienced and solvent Red Team teams that meet all the requirements imposed by the standard on testing companies.
2. Significant credit institutions (due to their size, their relevance to the economy or the importance of their cross-border activities) are obliged to hire external testers to carry out TLPT tests.
3. The performance of TLPT tests by in-house testers is only possible if:
   • The competent authority has authorized it.
   • It has been verified that the company has the necessary resources and has ensured that no conflicts of interest will occur during TLPT testing.
   • The Threat Intelligence provider is external.
4. Even so, they are obliged to hire external testers every three years.

In other words, in all cases, financial institutions must hire external Threat Intelligence services to perform the TLPT tests. And, as far as the Red Team is concerned, it must be ensured that it meets all legal requirements and that there is no conflict of interest in conducting the tests.

8. What are the penalties for companies that do not perform the TLPT tests?

The DORA regulation establishes that the Bank of Spain and the competent authorities of the other European Union countries may supervise, investigate and sanction financial institutions to ensure compliance with this regulatory framework.

Thus, administrative sanctions and corrective measures may be imposed on non-compliant companies:

• Injunctions against non-compliant companies to stop their conduct.
• Requiring the cessation of practices that are not following the regulation.
• Impose financial penalties to ensure that financial institutions do not fail to comply with their obligations, such as conducting TLPT tests.
• Request data traffic records from telecommunications operators if there are well-founded suspicions that a company is in breach of the regulation.
• Making public the identity of the company that has committed a breach and the nature of the breach.

These sanctioning measures can be imposed on both companies and members of their management teams, whereby executives can be personally sanctioned for failing to comply with the obligations of the regulation such as conducting PTLT tests.

The regulation also leaves it up to the EU states whether or not to impose criminal sanctions in the case of particularly serious infringements.

9. Why should companies not obliged to carry out a TLPT have to do so?

As we pointed out when discussing financial companies that are not required to perform TLPT tests, not all companies have the necessary level of maturity to perform them. Thus, opting for other services, such as security audits, is more advisable for small companies.

On the other hand, large and highly digitized companies with a high level of cyber exposure should consider the possibility of voluntary TLPT testing. Why?

9.1. Six major advantages of performing TLPT testing for companies in all economic sectors

1. These companies are targeted by advanced persistent threat (APT) groups, which have the resources and expertise to design and execute highly sophisticated cyberattacks that can be lethal to an unprepared organization.
2. They provide high-value-added data on the threats they have to deal with, such as TTPs and hostile actor targets.
3. They allow to train and educate defensive team professionals by simulating realistic attacks against the organization.
4. They provide relevant recommendations to optimize the prevention, detection and response mechanisms to cyber-attacks.
5. They contribute to increasing the organization’s cyber resilience and protecting its critical assets and functions to prevent cyber-attacks from paralyzing the company’s activity.
6. Along with the approval of the DORA regulation, the NIS2 directive was also passed, which imposes security measures on companies operating in critical sectors: health, energy, transport, food, water, etc. This shows that the regulatory framework is going to be increasingly demanding. It is, therefore, essential for companies to place cybersecurity at the heart of their business strategy.

In short, from 2025 onwards, many companies operating in the financial sector will be required to perform TLPT tests to increase their cyber resilience against cyber-attacks.

Therefore, if you have not yet undergone these threat-based penetration tests, it is advisable to begin conducting them as soon as possible, starting with hiring a cybersecurity firm with experience, expertise and reputation in threat intelligence and Red Team exercises.