GFMA Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry

GFMA, in coordination with SIFMA, AFME and ASIFMA, published this Framework to create an agreed-upon approach for regulators and financial services firms to conduct effective testing that satisfies both supervisory and firm-originated requirements. In this second version, published December 2020, these principles are updated based on the evolution of industry best practices and guidance from frameworks around the world.


Excerpt

Executive Summary

Cybersecurity is a top priority for the financial sector. This has resulted in authorities and the sector developing mechanisms to test the resilience of firms through various methodologies such as vulnerability assessments, application vulnerability scanning, penetration testing, red-teaming and threat-led penetration testing. Each type of testing has its own objective, technique and scope, and this Framework acknowledges that firms have many testing types available to assess the effectiveness of their security programs. This document focuses on threat-led penetration testing.

Testing allows firms to evaluate their systems and the controls that protect them in order to identify and remediate vulnerabilities, thereby strengthening their infrastructure and organization against cyber threats. Likewise, for regulators, testing can help identify systemic issues and trends in where vulnerabilities might persist. In July 2019, GFMA and our members jointly developed and published a set of principles to guide the development of testing frameworks and to harmonize the growing regulatory demand for threat-led penetration testing. In this 2020 version, these principles are updated based on the evolution of industry best practices and guidance from frameworks around the world.