Source: OJ L, 2025/1190, 18.6.2025
RTS on threat-led penetration testing
Article 5 Risk management for TLPT
Summary: What does Article 5 of the RTS on threat-led penetration testing say?
Article 5 sets out the risk assessment obligations that apply to the control team during the TLPT process.
It sits within the broader preparation framework established by Article 9 and requires the control team to weigh the dangers inherent in running live penetration tests against critical systems, both to the financial entity itself and to the wider financial sector.
Crucially, this is not a one-time exercise; the control team must keep reviewing those risks throughout the entire testing period.
The article also provides a minimum list of risk categories that must be factored into the assessment, ranging from the risks of giving external testers access to sensitive information, to the possibility of data corruption or service interruption caused by either the attacking (red) or defending (blue) teams, to the risk that systems are not fully restored after testing concludes.
Important points:
- The control team must conduct a risk assessment at the preparation stage and continue reviewing it throughout the testing process.
- The risk assessment must cover, at minimum, six specific risk areas, including risks from granting access to sensitive information, compliance failures, crisis escalation, red team and blue team activities, and incomplete system restoration.
- The scope of concern explicitly extends beyond the financial entity itself to include potential impacts on the broader financial sector and financial stability at Union or national level.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
1. During the preparation phase referred to in Article 9, the control team shall assess the risks associated with the testing of live production systems of critical or important functions of the financial entity, including potential impacts on:
   (a) the financial sector;
   (b) the financial stability at Union or national level.
   The control team shall review those impacts throughout the testing.
2. For the purposes of the risk assessment and management, the control team shall take into account at least the following types of risks related to:
   (a) granting access to the threat intelligence provider and external testers, where applicable, to sensitive information on the financial entity;
   (b) lack of compliance of the TLPT with Regulation (EU) 2022/2554 and with this Regulation where such lack of compliance results in a lack of the attestation referred to in Article 26(7) of Regulation (EU) 2022/2554, including where such lack of compliance is due to breaches of confidentiality on the TLPT or to a lack of ethical conduct;
   (c) crisis and incident escalation;
   (d) the active red team phase, including risks related to the interruption of critical activities and the corruption of data due to the activities of the testers, and its potential impacts on third parties;
   (e) the blue team activity, including risks related to the interruption of critical activities and the corruption of data due to the activities of the blue team, and its potential impacts on third parties;
   (f) the incomplete restoration of systems affected by the TLPT.
Relevant recitals
Recital 9 Secrecy of the TLPT
The secrecy of TLPT is of utmost importance to ensure that the conditions of the testing are realistic. For that reason, testing should be covert, and precautions should be taken to keep the TLPT confidential, including the choice of codenames that should be designed to prevent the identification of the TLPT by third parties. Should staff members responsible for the security of the financial team be aware of a planned or ongoing TLPT, it is likely that they would be more observant and alert than during normal working conditions, thereby resulting in an altered outcome of the testing. Staff members of the financial entity outside of the control team should therefore only be made aware of any planned or ongoing TLPT where there are cogent reasons and subject to the prior agreement of the test managers, inter alia to ensure the secrecy of the test in case a blue team member has detected the testing.
Recital 11 Managing inherent risks of a TLPT
There are inherent elements of risks associated with TLPT as critical functions are tested in a live production environment, with the possibility of causing denial-of-service incidents, unexpected system crashes, damages to critical live production systems, or the loss, modification, or disclosure of data. Those risks highlight the need for robust risk management measures. To ensure that the TLPT is conducted in a controlled manner all along the testing, it is very important that financial entities are at all points aware of the particular risks that arise in a TLPT and that those risks are mitigated. In that respect, without prejudice to the internal processes of the financial entity and the responsibility and delegations already provided to the control team lead, information about the TLPT risk management measures, or, in particular cases the approval of those risk management measures by the financial entity’s management body itself, may be appropriate. To be able to deliver effective and most qualified professional services and to reduce those risks, it is also essential that the testers and threat intelligence providers (together, the TLPT providers) have the highest level of skills, expertise, and an appropriate experience in threat intelligence and TLPT in the financial services industry.
Definition: TLPT authority (any of the following)
- the single public authority in the financial sector designated in accordance with Article 26(9) of Regulation (EU) 2022/2554;
- the authority in the financial sector to which the exercise of some or all of the tasks in relation to TLPT is delegated in accordance with Article 26(10) of Regulation (EU) 2022/2554;
- any of the competent authorities referred to in Article 46 of Regulation (EU) 2022/2554.
Other defined terms listed on this page (definitions not reproduced here): subsidiary; TLPT providers; control team; network and information system; blue team; cyber threat; threat intelligence; cyber-attack; threat intelligence provider; management body; group; ICT intra-group service provider; red team; public authority; sensitive information; parent undertaking; test managers; ICT services; ICT-related incident; control team lead; critical or important function.