Banks and insurers have three months to submit their cybersecurity structures to external testing
– The DORA regulation will oblige most financial sector entities to perform threat-based penetration testing (TLPT) as of January 17, 2025
– Experts from Tarlogic Security, Bank of Spain and INCIBE explain the keys to the new regulatory framework at a conference for leading Spanish financial companies and multinationals from other sectors such as tourism, retail and real estate
Banks, insurance companies, investment funds, management companies and other entities in the financial sector will have to submit their cybersecurity structures to threat-based penetration tests as of January 17, 2025. This is established by the DORA regulation, which seeks to ensure the ability of companies in this critical sector of European society and economy to withstand cyber-attacks.
Tarlogic Security has organized a high-level conference to address the keys to the new regulatory framework and explain to companies what these advanced cybersecurity tests consist of, which will have to be performed by all entities except micro and small organizations.
Speakers at the event included representatives of the Bank of Spain and the National Institute of Cybersecurity (INCIBE). The event was also attended by regulators from the banking and insurance sector, around twenty entities from the Spanish financial sector, and multinationals from relevant areas such as infrastructure, retail, and tourism. Silvia Senabre, head of the Technological Risk Group, spoke on behalf of the Bank of Spain, and Juan Delfín, head of the organization’s Strategic Financial and ICT Sector, spoke on behalf of INCIBE. The CEO of Tarlogic Security, Andrés Tarascó, opened the round of conferences.
Throughout the day, the cybersecurity company’s Threat Intelligence and Red Team shared with attendees the lessons learned from the threat-led penetration tests they have performed on cybersecurity structures in recent years.
In addition, Tarlogic professionals highlighted the benefits of tests that detect vulnerabilities in cybersecurity structures before they are exploited and improve mechanisms for prevention, detection and response to cyber-attacks. As a result, the companies that undergo them are better prepared to deal with security incidents and avoid serious operational, economic, legal and reputational consequences that impact both them and their customers.
From bank stress tests to TLPT tests
After the 2008 financial crisis caused by subprime mortgages, the European Union obliged banks to undergo stress tests to measure their solvency and assess how they would respond to an adverse economic scenario.
The TLPT tests (Threat-Led Penetration Testing) have similar objectives to the bank stress tests but aim to combat one of the greatest threats currently facing the financial sector: cyber-attacks.
What do these tests, which cybersecurity structures must undergo, consist of?
Professionals specialized in targeted threat intelligence must gather the information a hostile actor would need to attack a financial institution and work out how such actors operate. In this way, an overview of the threats facing a company’s cybersecurity structures can be obtained.
Based on this research, specific attack scenarios are designed, and a Red Team conducts exercises by behaving as a real attacker would. In this way, they can test the company’s defensive mechanisms and foresee the consequences that a cyber-attack could generate.
Finally, an action plan is drawn up to implement the recommendations of the cybersecurity professionals and increase the level of resilience of the company’s cybersecurity structures.
For these TLPT tests to be validated by the Bank of Spain, companies must:
- Perform them according to the TIBER methodology, designed by the European Central Bank (ECB).
- Hire cybersecurity companies with experience and prestige performing advanced tests, such as Tarlogic, which has conducted numerous TLPT tests applying the TIBER methodology in recent years.
- Cover the critical functions of the financial institution.
- Involve the regulator from the outset during the tests and send it all the information at the end.
Companies must undergo these tests once every three years, although the Bank of Spain may impose a higher frequency. If these tests are not carried out, both the entities and their management expose themselves to heavy financial penalties and severe reputational damage.
DORA, NIS2, TIBER… Protecting companies and citizens from cyber-attacks
January 17, 2025, will mark a new milestone in creating a European regulatory framework that seeks to increase the level of cybersecurity for businesses, protect critical EU sectors and safeguard the interests of citizens.
Thus, in recent years, the European Union has launched the TIBER framework and approved standards such as the General Data Protection Regulation (GDPR), the DORA regulation and the NIS2 directive, the last of which also affects other critical sectors such as health, energy and transport.
The approval of these standards has a twofold objective:
- To increase the ability of European companies to protect themselves against cyber-attacks that are increasing in number, sophistication and capacity to do damage at a dizzying rate.
- To safeguard the productive fabric and citizens against the consequences of cyber-attacks.
In this regard, it is clear that financial institutions, such as banks and insurance companies, play a critical role in the day-to-day life of companies and citizens, and that they manage issues of vital importance such as bank accounts or their customers’ financial information.
All technologically mature companies should subject their cybersecurity structures to TLPT testing
However, financial sector companies are not the only ones that can benefit from threat-based penetration testing. Although other economic sectors are not yet obliged to undergo these tests, it is foreseeable that they will eventually become mandatory.
Moreover, the experience accumulated by Tarlogic Security over more than a decade allows its professionals to recommend TLPT testing to fully digitized and technologically mature companies.
These tests allow companies to reduce the possibility of a cyber-attack paralyzing their activity, violating their business secrets, causing a security breach of their customers’ and employees’ data, or undermining their market position and reputation.