
Horizon3.AI Europe GmbH

Financial sector should perform penetration tests on its own according to EU regulation DORA

Banks under pressure to implement EU DORA regulation as quickly as possible

Frankfurt, May 4, 2023 – In 2022, the weekly number of cyberattacks in the financial industry averaged 1,131 attacks – a 52 percent increase in one year, according to Check Point Research figures. More than two-thirds of large institutions were affected by at least one cyberattack, not including successfully prevented attacks and unreported cases. The EU regulation "Digital operational resilience for the financial sector and amending regulations" (EU Regulation 2022/2254 – DORA for short) gives the industry a uniform legal standard to mitigate vulnerability to ICT disruptions and cyber threats along the entire value chain. A critical feature of the regulation is regular testing. At least once a year, systems must undergo testing for different threat scenarios. Shifting responsibility to third parties – ICT service providers, in other words – is viewed critically. "BaFin explicitly states that the focus on multi-client service providers – i.e., firms acting for several companies – implies risks for the overall market. Banks should therefore urgently try to carry out measures such as the required penetration test independently to identify risks," says Rainer M. Richter, IT expert and Vice President EMEA & APAC at Horizon3.ai.

Autonomous penetration testing for the financial industry

With NodeZero, the company has developed a technology that performs real attack scenarios on the entire IT infrastructure via autonomous penetration tests. Horizon3.ai's technology operates via a cloud platform that complies with data protection regulations and is hosted in Germany for Europe. It can be run independently of an external service provider or a professional pentester at any time and as often as desired during ongoing daily business. This not only uncovers vulnerabilities, but also checks the effectiveness of the existing protection mechanisms, both hardware and software. The user guidance is geared to the needs of IT departments and gives IT teams, CIOs, CISOs and administrators a detailed analysis of attack paths with evidence of exploitation and prioritized corrective actions. To complete the proven "find, fix and verify" methodology, a 1-click verification can then be used to test whether the correction was successful. Based on the findings from the test, preventive measures can be specified for each individual institution. These start with the recognition of threats and extend to the regulation of backup measures.

Time is running out

For banks that have already implemented the regulatory requirements in advance, there is no reason to panic. The situation is different for institutions that have paid little attention to the topic so far: "It is to be expected that a massive wave of inquiries will come to service providers in the coming months. As a result, what already means enormous lead times for professional services will then become even worse and will be almost impossible to implement in compliance with the law. This is another reason for implementing a penetration test concept within the bank," explains Rainer M. Richter of Horizon3.ai. His company, which specializes in autonomous penetration tests with a cloud solution, is already seeing a significant increase in requests from the financial sector – "the pressure of suffering is high, both financially and in terms of capacity," says the IT expert. With Horizon3.ai, smaller institutions also have the option of performing threat-oriented penetration tests (TLPT) themselves.

About Horizon3.ai

Horizon3.ai's mission is to find and fix potential attack paths before attackers can exploit them. NodeZero is a software solution for autonomous penetration testing and is available as a SaaS offering for companies and institutions. This allows professional pentesters to expand their offerings with automated services, but also allows companies without specialized expertise or specialized IT departments to test the security and integrity of their infrastructure. NodeZero works through the eyes of the attacker to identify weaknesses in the security architecture, while allowing IT teams to devote their resources to fixing critical issues and future-proofing their networks. This not only allows them to comply with regulatory requirements, but also to achieve the highest possible level of security. Horizon3.ai was founded in 2019 by former members of various US Armed Forces and is headquartered in San Francisco, California.

Further information: Horizon3.AI Europe GmbH,
Sebastian-Kneipp-Str. 41, 60439 Frankfurt am Main,
Web: https://www.horizon3.ai/
PR agency: euromarcom public relations GmbH, Tel. +49 (0) 611/97315-0,
Web: www.euromarcom.de, E-Mail: team@euromarcom.de
