FCA Penetration Testing
Compliance responsibilities of businesses cover various national, regional, and industry-specific laws and regulations. In our previous posts, we have discussed penetration testing and vulnerability scanning requirements for complying with ISO 27001, PCI DSS, and NIST 800-171. In this article, we discuss penetration testing for the FCA and how BreachLock helps its clients fulfil the requirements.
The Financial Conduct Authority (FCA) is a UK regulatory authority responsible for regulating financial service firms. Overall, it covers over 58,000 businesses employing 2.2 million individuals across the United Kingdom. For a financial service firm to operate in the UK, it must first seek authorisation from the FCA. This authorisation process involves completing an IT Self-Assessment Questionnaire.
Role of the IT Self-Assessment Questionnaire
The questionnaire consists of 6 sections and 26 questions. The possible answers are yes, no, and not applicable. The answers to these questions determine whether you need to complete an IT Controls Form and, if so, which one.
A firm has to complete the Detailed IT Controls Form if:
- the applicant firm is a bank or a multilateral trading facility
- the applicant firm has answered “Yes” to any question in Section 2
An applicant firm has to complete the IT Controls Form if it has answered “Yes” to more than four questions in Sections 4, 5, and 6. If an applicant firm answers “No” to all the questions in Section 1, or answers “Yes” to four or fewer questions in Sections 4, 5, and 6, it does not need to complete either of the IT Controls Forms. For this article, we consider the requirements from the Detailed IT Controls Form.
Penetration Testing Requirements for FCA Authorization
The Detailed IT Controls Form has seven sections, and each section has a specified objective and requirements to achieve. Since we are focusing on penetration testing in this article, the following requirements are relevant:
| Section | Requirement | Details |
| --- | --- | --- |
| Section 2: IT Risk Management | 2.04 | |
| Section 3: Project and Change Management | 3.1.01 | |
| | 3.5.05 | |
| | 3.6.01 | (Requirement 3.6.02 expects an applicant firm to state the frequency of reviews and audits.) |
| Section 5: Information Security Controls | 5.2 | Implementation of basic information security practices: |
| | 5.4 | Effective monitoring, reviewing, and testing of security (a firm must conduct independent internal and external penetration testing and confirm that vulnerabilities have been fixed at least two weeks before the launch.) |
| Section 8: Supporting Documents | 8.12 | |
How does BreachLock help?
It is clear from the above discussion that the FCA expects financial service companies to perform penetration testing exercises at regular intervals. To meet FCA requirements, BreachLock offers end-to-end security testing that covers web applications, mobile applications, servers, networks, cloud environments, and APIs. While annual penetration testing is mandatory, the FCA also expects firms to conduct penetration tests whenever the supporting network infrastructure is modified or changed. Through our cloud platform, our clients can order tests and re-tests with a few clicks. Our approach combines the knowledge of human experts with AI-based automated tools to offer comprehensive penetration testing services to our clients. Get in touch with BreachLock experts today!