In the fast-paced world of financial regulation, the Digital Operational Resilience Act (DORA) is shaking the foundations of cybersecurity in the sector. One of its most debated provisions: the green light for "internal testers" to carry out threat-led penetration testing (TLPT). Revolution or calculated risk? Let's analyze.
The Rise of “In-House Hackers”
DORA allows financial entities to use internal resources to perform threat-led penetration testing (TLPT). In plain terms: your own employees can attempt to "hack" your systems, under a test that is designed to mimic real attackers. But what exactly are these tests?
Penetration tests, colloquially known as “pentesting,” are simulated attacks on computer systems to identify vulnerabilities. Imagine a professional thief trying to break into your house… but with your permission and to improve your security!
Conditions for “Internal Hacking”
DORA does not grant a blank check. Under Articles 26 and 27, internal testers may be used only if several conditions are met:
- Prior approval from the competent authority for the use of internal testers
- The authority has verified that the entity has sufficient dedicated resources and that conflicts of interest are avoided throughout the design and execution of the test
- An external tester must be contracted at least every three tests, so internal testers cannot run every cycle
- The threat intelligence provider must always be external
Credit institutions classified as significant under the Single Supervisory Mechanism do not get this option at all: DORA requires them to use external testers only.
The Elephant in the Room: Internal Providers
But who are these "internal testers"? They are employees of the financial entity with the technical skills necessary to conduct penetration tests. They could be members of the cybersecurity team or developers with experience in offensive security. The conflict-of-interest condition matters here: the people who built or operate a system are the ones with the strongest incentive, conscious or not, to go easy on it.
Practical Examples of Penetration Testing
To move beyond theory, let's look at some examples of what these "ethical hackers" might attempt:
- Simulated phishing: sending fake emails to see who falls for the bait
- Brute force attacks: attempting to guess passwords through automated means
- Vulnerability scanning: searching for flaws in the software used by the entity
One caveat: DORA defines TLPT as an intelligence-led, red-team style test of the entity's critical live production systems that mimics the tactics, techniques and procedures of real threat actors. Techniques like the ones above are building blocks of such a test; a vulnerability scan or a phishing campaign on its own does not satisfy the TLPT requirement.
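To make the "brute force" item concrete, here is an added example (not code from the original article or from DORA) showing both sides of that test in a lab: a mock login endpoint with account lockout, the two ways a tester typically guesses passwords (targeted brute force and low-and-slow password spraying), and the detection check a defender wants over the audit log. The accounts, the guess lists, the log format and the source address 203.0.113.7 are all constructed for the example. The point it adds to the bullet: spraying a few common passwords across many accounts stays under a per-account lockout, so a detector that only counts failures per account misses it and must correlate by source across accounts.

```python
"""Password guessing as an internal tester might run it, plus the detection a
defender wants. Added example; the credential store, guess lists and audit log
format are constructed for the demo and run fully offline."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5          # failed attempts before an account locks
_SALT = b"constructed-salt"    # one shared salt keeps the toy store short


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


# Constructed accounts; two use the kind of password a spray list contains.
USERS = {
    "alice": _hash("Winter2024!"),
    "bob": _hash("correct horse battery staple"),
    "carol": _hash("Welcome1"),
}


class AuthService:
    """Mock login endpoint with per-account lockout and an audit log."""

    def __init__(self, lockout: bool = True):
        self.lockout = lockout
        self.failures = defaultdict(int)
        self.log = []  # constructed audit log: (timestamp, user, src_ip, outcome)
        self.clock = datetime(2024, 1, 1, 9, 0, 0)  # advances one second per request

    def login(self, user: str, password: str, src_ip: str) -> str:
        self.clock += timedelta(seconds=1)
        if self.lockout and self.failures[user] >= LOCKOUT_THRESHOLD:
            outcome = "LOCKED"
        elif user in USERS and hmac.compare_digest(USERS[user], _hash(password)):
            outcome = "SUCCESS"
            self.failures[user] = 0
        else:
            outcome = "FAILURE"
            self.failures[user] += 1
        self.log.append((self.clock, user, src_ip, outcome))
        return outcome


def brute_force(auth, user, candidates, src_ip="203.0.113.7"):
    """Tester side, targeted: many guesses at one account. Returns
    (password or None, attempts made); lockout stops it after 5 failures."""
    for n, pw in enumerate(candidates, 1):
        outcome = auth.login(user, pw, src_ip)
        if outcome == "SUCCESS":
            return pw, n
        if outcome == "LOCKED":
            return None, n
    return None, len(candidates)


def password_spray(auth, users, wordlist, src_ip="203.0.113.7"):
    """Tester side, low and slow: a few common passwords against every
    account. Stays under the per-account lockout. Returns {user: password}."""
    hits = {}
    for pw in wordlist:
        for u in users:
            if auth.login(u, pw, src_ip) == "SUCCESS":
                hits[u] = pw
    return hits


def detect(log, window=timedelta(minutes=5), min_accounts=3):
    """Defender side. Targeted guessing shows up as one account with many
    failures; spraying shows up as one source failing against many distinct
    accounts inside a short window. Returns (flagged_accounts, spray_ips)."""
    per_account = defaultdict(int)
    per_ip = defaultdict(list)
    for ts, user, ip, outcome in log:
        if outcome in ("FAILURE", "LOCKED"):
            per_account[user] += 1
            per_ip[ip].append((ts, user))
    accounts = {u for u, n in per_account.items() if n >= LOCKOUT_THRESHOLD}
    spray_ips = set()
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {u for t, u in events[i:] if t - start <= window}
            if len(targets) >= min_accounts:
                spray_ips.add(ip)
                break
    return accounts, spray_ips


if __name__ == "__main__":
    svc = AuthService()
    print("spray hits:", password_spray(svc, list(USERS), ["Welcome1", "Password1", "Winter2024!"]))
    print("brute force on bob:", brute_force(svc, "bob", list("abcdef")))
    print("detected:", detect(svc.log))
```

Running the script spray-first shows two accounts falling to a three-word list without any lockout firing, while the targeted loop against bob is cut off at the sixth attempt. The per-account counter in `detect` catches the second pattern only; the cross-account window is what surfaces the spray, which is why a tester's report on this kind of test should say which of the two the monitoring actually caught.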
Responsibility Remains Yours
DORA is clear: while it allows internal testers, responsibility for the tests stays with the financial entity. Authorities approve the use of internal testers and, at the end of a test, attest that it was carried out in line with the requirements, but neither step absolves you of the obligation to manage your ICT risks and to remediate what the test finds.
Conclusion: Friend or Foe?
The inclusion of internal testers in DORA is a double-edged sword. On one hand, it allows leveraging internal talent and potentially reducing costs. On the other, it poses challenges in terms of objectivity and conflicts of interest.
Are you ready to let your own employees attempt to “hack” your systems? The answer could determine your digital operational resilience in the coming years.