May 26th, 2023

Financial sector should perform penetration tests according to EU regulation DORA

Financial organisations under pressure to implement EU DORA regulation as quickly as possible

In 2022, the weekly number of cyberattacks in the financial industry averaged 1,131 attacks – a 52 percent increase in one year, according to Check Point Research figures. More than two-thirds of large institutions were affected by at least one cyberattack, not counting successfully prevented attacks and unreported cases. The EU regulation “Digital operational resilience for the financial sector and amending regulations” (EU Regulation 2022/2254 – DORA for short) gives the industry a uniform legal standard for reducing its vulnerability to ICT disruptions and cyber threats along the entire value chain. A central feature of the regulation is regular testing: at least once a year, systems must be tested against different threat scenarios. Shifting responsibility to third parties – ICT service providers, in other words – is a critical point. The regulation urges every organisation in the financial sector (banks, insurers, etc.) to carry out measures such as the required penetration test independently and without delay in order to identify its risks.

Penetration testing for the financial industry

Endida has its own hosted, unique technology that runs real attack scenarios against the entire IT infrastructure via autonomous penetration tests. Endida’s technology operates on a cloud platform that complies with data protection regulations. The Endida pen testing service not only uncovers vulnerabilities, but also checks the effectiveness of the existing protection mechanisms – hardware and software. The full post-test report gives IT teams, CIOs, CISOs and administrators a detailed analysis of attack paths, with evidence of exploitation and prioritised corrective actions. As part of Endida’s pen test service, we provide a full remediation project plan that helps prioritise which fixes and preventive measures are needed. Endida can also provide professional services to carry out all corrective measures if required.

Time is running out

For banks that have already implemented the regulatory requirements in advance, there is no reason to panic. The situation is different for institutions that have paid little attention to the topic so far. “We have spoken to a lot of our customers who are not aware of the DORA requirements and how they may affect them,” says Fiona Whyte, CEO of Endida. Whyte goes on to say: “Pen testing not only helps financial organisations comply with DORA, but will also build more resilient incident response planning. By simulating various attack scenarios, gaps can be identified in incident response plans, improving the ability to detect, contain, and respond to security incidents effectively.”