On 3 April 2018, the Global Financial Markets Association (GFMA) published A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry. The framework provides a guide for the development of a cyber security penetration testing framework comprising a four-phase testing lifecycle:

  • Threat intelligence phase – a firm’s internal intelligence should be augmented by government agencies and sector-level financial industry resources. Final threat intelligence scenarios should be approved by regulators, where applicable;
  • Planning phase – test activities should be prioritised and scheduled according to threat intelligence and regulator input in planning the scope of the exercise;
  • Testing phase – testing should begin after operational planning and attack methodologies are agreed upon; and
  • Analysis and response phase – this phase includes the development of executive and technical reports and the associated firm responses.