DORA consultancy - helping financial institutions across the UK and Europe.



TLPT


The ESAs released regulatory technical standards (‘RTS’) on threat-led penetration testing (TLPT), drafted ‘per the TIBER-EU framework’. These RTS further specify the criteria used for identifying financial entities required to perform threat-led penetration testing, the requirements and standards governing the use of internal testers, the scope, testing methodology and approach for each phase of the testing, the results, closure and remediation stages, and the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition.

TL;DR: not everyone who knows how to use a scanner will be suitable, and financial entities will struggle to deliver this testing internally.

TIBER-EU is a European framework for threat intelligence-based ethical red-teaming. While the DORA TLPT requirements use, and in places mirror, the same concepts, they are legally binding and, as such, prevail over the TIBER-EU framework. Under DORA, tests will be organised at the level of a financial entity by the TLPT authority of its home Member State. If a subsidiary established in another Member State is running one or more critical or important functions, it can use testers from that State in cooperation with the respective authorities.

There are inherent risks associated with TLPT: critical functions are tested in a live production environment, with the possibility of causing denial-of-service incidents, unexpected system crashes, damage to critical live production systems, or the loss, modification or disclosure of data. This highlights the need for robust risk management measures.

The main differences between DORA TLPT and the TIBER-EU framework:
  • Authority conducting TLPT. DORA allows Member States to designate a single public authority (SPA), which is then charged with all tasks and responsibilities related to TLPT in that Member State.
  • Use of internal testers. Although the use of internal testers is not foreseen in the TIBER-EU framework, DORA allows it “to take advantage of internal resources at the corporate level” under certain conditions to safeguard the quality of the tests.
  • Purple teaming exercise. Purple teaming, a collaborative testing activity involving both the red and blue team testers, is currently a strongly encouraged but not yet mandatory element in the TIBER-EU framework.

TLPT participants. As in the TIBER-EU framework, there are five types of participants in a TLPT, which are depicted in the Figure below:


Which financial entities are required to perform TLPT?
  • Credit institutions identified as global systemically important institutions
  • Payment institutions, exceeding in each of the previous two financial years EUR 120 billion total value of payment transactions
  • Electronic money institutions, exceeding in each of the previous two financial years EUR 120 billion in total value of payment transactions
  • Central securities depositories
  • Central counterparties
  • Trading venues with an electronic trading system with national/Union requirements
  • Insurance and reinsurance undertakings, exceeding in each of the previous two financial years EUR 500 million of Gross Written Premium (GWP) and other criteria

In addition to the entities above, TLPT authorities shall assess whether any other financial entities shall be required to perform TLPT based on all of the following criteria:

Impact-related and systemic character-related factors:
  • the size of the financial entity
  • the extent and nature of the interconnectedness of the financial entity with other financial entities in the financial sector at the national and Union level
  • the criticality or importance of the services provided to the financial sector
  • the substitutability of the services provided by the financial entity
  • the complexity of the business model of the financial entity and the related services and processes
  • whether the financial entity is part of a group of systemic character at Union or national level in the financial sector and using common ICT systems

ICT risk-related factors:
  • the risk profile of the financial entity
  • the threat landscape of the financial entity
  • the degree of dependence of critical or important functions or their supporting functions of the financial entity on ICT systems and processes
  • the complexity of the ICT architecture of the financial entity
  • the ICT services and functions supported by ICT third-party service providers, the quantity and type of contractual arrangements with ICT third-party service providers or ICT intra-group service providers
  • outcomes of any supervisory reviews relevant to the assessment of the ICT maturity of the financial entity
  • the maturity of ICT business continuity plans and ICT response and recovery plans, and the maturity of the operational ICT security detection and mitigation measures, including the ability to monitor the financial entity’s ICT infrastructure permanently, to detect ICT-related events in real time, to analyse events, and to respond to them in a timely and effective manner
  • whether the financial entity is part of a group active in the financial sector at the Union or national level and using common ICT systems

The main stakeholders in a TLPT are:
  • The TLPT Cyber Team (or TCT) mirrors the TIBER Cyber Team in the TIBER-EU framework.
  • The control team mirrors the white team under the TIBER-EU framework and manages the TLPT from the side of the financial entity undergoing the exercise.
  • Similar to the TIBER-EU framework, the blue team is made up of employees who defend the financial entity against simulated or real cyber threats without knowing that they are tested.
  • As in the TIBER-EU framework, the threat intelligence provider mimics an attacker’s information-gathering activity using multiple reliable sources.
  • DORA's concept of ‘testers’ is broader than that of ‘red team’ under the TIBER-EU framework, as DORA permits the use of both internal and external testers. Tested entities may use both types of testers as long as all requirements are complied with.
  • Risk management of the TLPT. Carrying out TLPT is not without risk. Hence, solid risk management throughout every stage of the TLPT is essential. The responsibility for conducting the test and managing the risk rests entirely with the financial entity undergoing TLPT.

When a financial entity has in-house skills, DORA allows the use of internal testers. However, even assuming there is no conflict of interest within the financial entity and that an external threat intelligence provider is used (which is mandatory), a financial entity must still use external testers at least once every three tests. The entity must have employed the internal testers for the preceding two years, which rules out contractors.


Scope
A financial entity must document the validated scope, including the rationale behind the inclusion or exclusion of critical or important functions, and the identified ICT systems, processes and technologies supporting the critical or important functions covered by the TLPT.

Our opinion:
The authorities have left a lot of flexibility in applying the TLPT requirements to other organisations. If a financial entity cannot convince the regulatory authorities that its operational resilience processes are adequate, the regulator can require a TLPT to be conducted. Beyond the expense, such a test may identify additional areas of concern and reveal non-compliance with regulatory requirements.

Please contact us if you have any questions.

Would you like to talk about DORA compliance? Contact us.