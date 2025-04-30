

    Financial Service Providers Need to Catch Up on TLPT / Keith Poyser on DORA

    "A penetration test every three years is ineffective, irrelevant and immediately out of date. Monthly, or weekly testing is far more effective."

    London (ots) - Since the implementation of the Digital Operational Resilience
    Act (DORA, https://horizon3.ai/downloads/whitepapers/dora/) on January 17th
    this year, financial institutions in the EU are required to conduct regular
    Threat-Led Penetration Testing (TLPT). This involves using real-world
    cyber-attack techniques to assess IT infrastructures and identify exploitable
    attack vectors before they are discovered by threat actors. "While this is a
    positive step, the mandated three-year testing cycle is far too long given the
    fast-paced nature of cybercrime," said security expert Keith Poyser
    (https://www.linkedin.com/in/keith-poyser-883979/?originalSubdomain=uk), Vice
    President for EMEA at cybersecurity company Horizon3.ai (http://horizon3.ai/).
    The company operates the autonomous pentesting platform NodeZero®, on which
    financial service providers can run penetration tests against their IT
    infrastructure, cloud and Kubernetes environments as often as they like to
    identify potential security gaps. Poyser points to findings from Horizon3.ai's
    "Cyber Security Report UK 2024/25", according to which 70 percent of the
    organisations surveyed had fallen victim to a cyberattack at least once in
    the past two years.

    "Given the increasing frequency of cyberattacks, it is unacceptable for a
    financial services provider to assess just once every three years whether their
    IT infrastructure is capable of withstanding an attack or if it will fail,"
    explained Poyser. He further added: "With cybercriminals becoming ever more
    aggressive, an exploit-focused, impact-prioritised, high-frequency, modern
    testing regime, with fix actions and re-tests, has to be a key part of any
    sensible strategy for financial services institutions."

    "Like Finding a Needle in a Haystack"

    According to the industry veteran, the biggest challenge is identifying which of
    the vast number of potential IT weaknesses, the vulnerability "noise", are
    actually exploitable in the real world within an organisation, and prioritising
    these for quick
    remediation. "The list of potential entry points is long, ranging from outdated
    software somewhere in the system, weak or reused passwords, or excessively broad
    access rights for individual employees, to threats arising from the software
    supply chain," explained Poyser, illustrating the scale of the task. He
    continued: "In this typically heterogeneous and complex IT landscape, finding a
    security gap is like searching for the proverbial needle in a haystack. Threat
    actors manage to do it, which is why financial service providers need to use the
    same methods as cybercriminals to stay one step ahead. And that's exactly what
    penetration tests are: searching for needles in your own IT haystack before
