Financial sector should perform penetration tests on its own according to EU regulation DORA
Frankfurt – In 2022, the weekly number of cyberattacks in the financial industry averaged 1,131 attacks – a 52 percent increase in one year, according to Check Point Research figures. More than two-thirds of large institutions were affected by at least one cyberattack, not including successfully prevented attacks and unreported cases. The EU regulation “Digital operational resilience for the financial sector and amending regulations” (EU Regulation 2022/2254 – DORA for short) gives the industry a uniform legal standard to mitigate vulnerability to ICT disruptions and cyber threats along the entire value chain. A critical feature of the regulation is regular testing. At least once a year, systems must undergo testing for different threat scenarios. Shifting responsibility to third parties – ICT service providers, in other words – is viewed critically. “BaFin explicitly states that the focus on multi-client service providers – i.e., firms acting for several companies – implies risks for the overall market. Banks should therefore urgently try to carry out measures such as the required penetration test independently to identify risks,” says Rainer M. Richter, IT expert and Vice President EMEA & APAC at Horizon3.ai.
Autonomous penetration testing for the financial industry
With NodeZero, the company has developed a technology that runs real attack scenarios against the entire IT infrastructure via autonomous penetration tests. Horizon3.ai’s technology operates via a cloud platform that complies with data protection regulations and, for Europe, is hosted in Germany. It can be run without an external service provider or a professional pentester, at any time and as often as desired, during ongoing daily business. This not only uncovers vulnerabilities, but also checks whether the existing protection mechanisms – hardware and software – actually work. The user guidance is geared to the needs of IT departments and gives IT teams, CIOs, CISOs and administrators a detailed analysis of attack paths, with evidence of exploitation and prioritized corrective actions. To complete the proven “find, fix and verify” methodology, a 1-click verification can then be used to confirm that the applied fix was successful. Based on the findings from the test, preventive measures can be specified for each individual institution, ranging from threat detection to the rules governing backup measures.
Time is running out
For banks that have already implemented the regulatory requirements in advance, there is no reason to panic. The situation is different for institutions that have paid little attention to the topic so far: “It is to be expected that a massive wave of inquiries will come to service providers in the coming months. As a result, what already means enormous lead times for professional services will then become even worse and will be almost impossible to implement in compliance with the law. This is another reason for implementing a penetration test concept within the bank,” explains Rainer M. Richter of Horizon3.ai. His company, which specializes in autonomous penetration tests delivered as a cloud solution, is already seeing a significant increase in requests from the financial sector – “the pressure of suffering is high, both financially and in terms of capacity,” says the IT expert. With Horizon3.ai, smaller institutions also have the option of performing threat-led penetration tests (TLPT) themselves.