How banks can security penetration test outsourced systems

Institutions are required to ensure that they are able to carry out security penetration testing on outsourced service provider's systems under European Banking Authority (EBA) guidelines on outsourcing arrangements. It is one of the more challenging hurdles that institutions face when seeking to comply with the guidelines.

The requirement, which applies to both critical and non-critical outsourcing arrangements, is that the institution should, where relevant, be able to assess the effectiveness of any implemented cyber and internal information and communication technology (ICT) security measures and processes of the outsourced service provider. 

Compliance with the requirement will enable the institution to monitor and understand the security measures in place in relation to its outsourced services. Having an overview of those measures will allow institutions to anticipate and better deal with security incidents, which means that the institution and the outsourced function will be more resilient than if the institution lacks understanding of its outsourced service provider's security measures.

The requirement on security penetration testing only applies "where relevant", but the EBA's guidelines do not specify how institutions should assess whether penetration testing is relevant. However, taking the obligation in reverse, if cyber and internal ICT security measures and processes are utilised by the service provider and these are applicable to the outsourced function, then it is very likely to be relevant.

Institutions will also need to consider the relevance of security penetration testing in the context of its general risk assessment of the service provider. Where security penetration testing forms part the risk management processes applied to the service provider then it will definitely be relevant. This assessment will primarily need to be made by information security team, or equivalent, within institutions.  

In our experience, service providers generally challenge and raise concerns about institutions seeking contractual rights to carry out security penetration testing on their systems. The most common concern is that security penetration testing carried out by the institutions would, in itself, create a security risk to their systems and to their other customers. Service providers have also raised the point that penetration testing carried out by an institution could cause damage to their systems. From the perspective of compliance with the EBA's guidelines, however, these concerns cannot be used as a barrier to institutions having the right to carry out penetration testing where it is relevant. Solutions must be found which balance the service providers' concerns and the institutions obligations under the guidelines. 

How to deal with service provider concerns

The starting position is that the institution should have the right itself to conduct the security penetration testing. However, in a similar vein to third party certifications being used a precursor to a full audit right, consideration may be given to allowing the service provider to procure the services of a third party service provider to undertake the security penetration testing and the report being made available to the institution. Equally, if the service provider has the internal competency to do the testing itself then this may be considered as an option also. If this "testing and report" option is considered, the institution will need to consider a number of factors, including:

• How often the testing should be carried out. Institutions will need to decide whether providing for testing on an annual basis is sufficient or whether to seek to have the right to request testing in addition to the annual test in other circumstances, such as where there has been a security breach involving the institution's data;

   

• Whether there are any minimum qualifications or accreditations they should require the testers to have. Institutions should further consider whether they would want to specify the methodology adopted by the testers;

   

• What the report of the testing will contain, including whether they will have access to the full report or a summary. If a summary, institutions will want to evaluate what level of detail they require to be included, such as the number of issues identified, levels of severity, and any remedial actions taken;

To meet the EBA's guideline requirements, the institution will always need to have the right itself to carry out security penetration testing. The outsourcing agreement between the institution and service provider will therefore need to stipulate the situations in which this direct right will arise. This inevitably will trigger the service providers' concerns about confidentiality risks and potential damage, but in our experience, working closely with client's information security teams, these issues can be overcome by getting into the detail on what exactly will be the subject of the security penetration testing and the methodology to be adopted.