Put your digital resilience to the test with Threat-Led Penetration Testing (TLPT) — realistic attacks, real insight.
In brief:
- EY teams have supported financial institutions with TIBER/TLPT, emulating attacks by sector-specific threat actors.
- Threat-Led Penetration Testing simulates realistic attacks to identify weaknesses across an organization’s security.
- Continuous testing and improvement are critical to build resilience against future threats and avoid financial and reputational loss.
How do you know if your organization can withstand a serious cyberattack?
Many organizations have solid plans and security controls in place. However, it is only when they are exposed to realistic attack scenarios that they gain a true understanding of their digital operational resilience. The EU’s Digital Operational Resilience Act (DORA) therefore requires financial institutions to test this resilience. The objective is to assess how well they are prepared for ICT-related incidents and to identify weaknesses in technology, processes, and coordination — gaps that are not always visible through documentation and formal plans alone. For the largest and most critical entities, this involves advanced attack simulations known as Threat-Led Penetration Testing (TLPT).
Digital operational resilience is tested when an organization is exposed to realistic attack scenarios.
Operational resilience for all — not just the largest institutions
All established financial institutions are required to implement a testing program in line with the principle of proportionality. For the largest and most critical entities, this includes conducting TLPT at least every three years. For others, this may involve regular vulnerability scanning, network security assessments and penetration testing. The EY organization offers testing services tailored to organizations of all sizes.
Ultimately, this is about more than regulatory compliance. DORA was introduced to strengthen the operational resilience of organizations across multiple sectors. Organizations that invest time and resources in testing their digital operational resilience are far better prepared when facing a real attack. Such investments can also help prevent financial losses and strengthen trust among customers and other stakeholders.
From theory to practice: Threat-Led Penetration Testing (TLPT)
EY teams have had the opportunity to provide TIBER/TLPT for several large organizations, where we have emulated both state-sponsored and organized criminal threat actors. By leveraging up-to-date threat intelligence and tactics that reflect real adversary methods, we are able to test how organizations would handle attacks from genuine threat actors.
These exercises are conducted in accordance with the TIBER-EU framework, with tactics varying depending on the threat actors being emulated. The objective is to test business-critical functions and identify weaknesses, gaps and deviations in the organization’s digital resilience.
During TLPT exercises, we use realistic scenarios that reflect the threat landscape the organization is facing. Below are three example scenarios that have been used in our engagements.
Three example scenarios we have executed in our tests
- The attacker creates a malicious proxy application and deceives a user into authenticating through it. During the authentication process, credentials and session information are intercepted, allowing the attacker to access systems as if they were the legitimate user.
- The attacker contacts an employee while impersonating the IT department. By creating a sense of urgency and authority, the employee is persuaded to install software that enables the attacker to gain persistent access to their corporate laptop.
- The attacker attempts to gain unauthorized access to office premises by tailgating employees, using falsified identification or exploiting unsecured entry points. The objective is to reach network connections, server rooms or workstations.
As part of the global EY network, we combine local regulatory insight with hands-on experience from TLPT engagements provided across Europe and internationally. This provides access to leading practices, up-to-date threat intelligence and multidisciplinary teams, helping enable testing that is tailored to an organization’s risk profile, regulatory requirements and critical business functions.
Be prepared for the next attack — before it happens
Our advice: Start with realistic threats and scenarios relevant to your organization. Test business-critical and key functions and make exercises as close to real-world conditions as possible. Use the resulting insight to strengthen resilience and improve technical controls, procedures and training. The cycle of test, learn and improve lies at the core of building strong operational resilience.
With the EY organization, you get more than a testing program — you gain access to a global knowledge network that continuously shares experience and evolves methods to address emerging threats. This provides a level of confidence and robustness that few others can offer.
Would you like to discuss how TLPT or other testing approaches can be used to strengthen your organization’s digital operational resilience? We are happy to share experiences from similar organizations and help you determine the appropriate level of testing — both from a regulatory and risk-based perspective.
Summary
Through Threat-Led Penetration Testing, organizations can simulate attacks by known threat actors, helping to identify weaknesses in their digital resilience. All financial institutions, regardless of size, are required to implement a testing program to strengthen their resilience. By using realistic scenarios and continuously improving security procedures, organizations can better prepare for future cyber threats, maintain operational stability and build greater trust with customers. A strong security strategy not only reduces the risk of successful attacks but can also help prevent the financial losses that often follow security incidents.