Cybersecurity is a top priority for the financial sector. This has led authorities and the sector to develop mechanisms for testing the resilience of firms using various methodologies, such as vulnerability assessments, application vulnerability scanning, penetration testing, red-teaming and threat-led penetration testing. Each type of testing has its own objective, technique and scope, and this Framework acknowledges that firms have many testing types available to assess the effectiveness of their security programs. This document, however, focuses on threat-led penetration testing.
Testing allows firms to evaluate their systems and the controls that protect them in order to identify and remediate vulnerabilities, thereby strengthening their infrastructure and organization against cyber threats. Likewise, for regulators, testing can help identify systemic issues and trends in where vulnerabilities persist. In July 2019, GFMA and our members jointly developed and published a set of principles to guide the development of testing frameworks and to harmonize the growing regulatory demand for threat-led penetration testing. In this 2020 version, those principles are updated to reflect the evolution of industry best practices and the guidance of frameworks around the world.