How Banking Regulations Mandate Penetration Testing

Banks and financial institutions are under constant threat from cybercriminals seeking to exploit vulnerabilities and access sensitive customer information. To address these risks, penetration testing has become a cornerstone of compliance with critical regulations such as the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), and FDIC/FFIEC guidelines.

A penetration test simulates real-world attacks by ethical hackers who mimic the techniques and tools used by malicious actors. The goal is to uncover vulnerabilities in systems, applications, and networks before they can be exploited. The process typically culminates in a detailed report outlining discovered risks, their potential impact, and recommendations for remediation. Often, penetration testing includes follow-up retesting to verify that identified vulnerabilities have been addressed.

This article explores how penetration testing aligns with banking regulations, highlights specific mandates and recommendations from the standards, and demonstrates why it is an essential part of a robust information security program.


FDIC and FFIEC Guidelines

The Federal Deposit Insurance Corporation (FDIC) works closely with the Federal Financial Institutions Examination Council (FFIEC) to establish and enforce IT security standards for financial institutions. The FFIEC is an interagency body composed of five U.S. financial regulators, including the FDIC, the Federal Reserve, and the Office of the Comptroller of the Currency (OCC). Its primary goal is to promote uniform standards for the examination and supervision of financial institutions to ensure their safety, soundness, and compliance with applicable laws and regulations.

By providing comprehensive guidance through publications like the IT Examination Handbook, the FFIEC aims to strengthen the cybersecurity posture of financial institutions. This includes addressing risks to customer information systems, promoting best practices in risk management, and fostering resilience against evolving cyber threats. Penetration testing is a key component of this guidance, supported by both federal regulations and FFIEC recommendations.

Relevant Regulations

12 CFR Appendix B to Part 364 I.B.1.a says:

Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.

12 CFR Appendix B to Part 364 C.3 says:

Regularly test the key controls, systems, and procedures of the information security program. The frequency and nature of such tests should be determined by the institution's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

FFIEC IT Handbook IV.A.2(b): Penetration Tests says:

A penetration test subjects a system to real-world attacks selected and conducted by the testers. A penetration test targets systems and users to identify weaknesses in business processes and technical controls. The test mimics a threat source's search for and exploitation of vulnerabilities to demonstrate a potential for loss...

The frequency and scope of a penetration test should be a function of the level of assurance needed by the institution and determined by the risk assessment process. The test can be performed internally by independent groups, internally by the organizational unit, or by an independent third party. Management should determine the level of independence required of the test.

FFIEC IT Handbook IV: Information Security Program Effectiveness says:

The information security program should be subject to periodic review to ensure continual improvement in the program's effectiveness. The review should address the program in the context of the environment in which the program now operates, both within the institution and outside. Lessons learned from experience, audit findings, and other indicators of opportunities for improvement should be identified and the program changed as appropriate.

The FDIC and FFIEC guidelines clearly integrate penetration testing as an essential part of a financial institution's information security program. The requirements and recommendations emphasize the following:

  • Risk-Based Testing: Institutions must identify foreseeable internal and external threats (12 CFR Appendix B to Part 364 I.B.1.a) and conduct penetration testing as part of their strategy to address these risks.

  • Regular Testing of Controls: Key controls, systems, and procedures must be tested regularly (12 CFR Appendix B to Part 364 C.3), with the frequency and scope determined by the institution’s risk assessment.

  • Independent Penetration Testing: According to the FFIEC IT Handbook, penetration testing should simulate real-world attacks and be conducted with the degree of independence that management determines is required, so that results are objective and coverage is comprehensive. The type and frequency of testing should align with the institution's need for assurance.

  • Continuous Improvement: Institutions are expected to review and improve their information security programs regularly, incorporating lessons learned and findings from tests (FFIEC IT Handbook IV).


GLBA and the Safeguards Rule

The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, is a federal law designed to protect the privacy and security of consumers’ personal financial information. It applies to financial institutions, a term that covers any company engaged in financial activities: not only traditional entities such as banks, credit unions, and insurance companies, but also non-bank entities such as mortgage brokers, payday lenders, real estate settlement service providers, check-cashing businesses, financial advisors, and auto dealerships that offer financing.

The Safeguards Rule, updated in 2021, explicitly mentions penetration testing as a part of a robust information security program.

Relevant Regulation

Under 16 CFR § 314.4(d)(2), the Safeguards Rule states:

For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, you shall conduct:
(i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and
(ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities...at least every six months.

This means that:

  • Annual Penetration Testing is required unless continuous monitoring is implemented.
  • Semi-Annual Vulnerability Assessments are mandated for systems handling customer data, with additional assessments after material changes or security-impacting circumstances.

Penetration testing under GLBA is a direct requirement for identifying and mitigating risks to customer information systems.


SOX and Internal Controls Testing

The Sarbanes-Oxley Act (SOX) focuses on financial reporting integrity. While it does not explicitly require penetration testing, it mandates robust internal controls over financial reporting (ICFR).

Relevant Regulation

15 U.S. Code § 7262 (Management Assessment of Internal Controls), part of the act, states:

(a) Rules required:
The Commission shall prescribe rules requiring each annual report...to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) Internal control evaluation and reporting:
With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer...shall attest to, and report on, the assessment made by the management of the issuer.

This section emphasizes the responsibility of management to establish and maintain adequate internal controls over financial reporting and requires an assessment of their effectiveness at the end of each fiscal year. Additionally, external auditors must attest to and report on management's assessment. While penetration testing is not explicitly required, testing the effectiveness of controls, including those protecting financial systems, is often critical to fulfilling these obligations.


Protecting Your Institution with Aeris Secure Penetration Testing Services

Financial institutions face constant threats from cybercriminals seeking to exploit vulnerabilities and access sensitive customer information. With increasing regulatory pressure from laws like GLBA, SOX, and FDIC/FFIEC guidelines, it’s critical for banks, credit unions, and other financial institutions to implement robust security measures and meet compliance standards.

At Aeris Secure, we specialize in delivering comprehensive penetration testing services tailored to the unique needs of financial institutions. Our experienced team works with banks, credit card processors, and payment gateways, leveraging industry best practices to assess vulnerabilities and ensure compliance with stringent regulatory requirements.

Our experts approach each test as both developer and hacker, simulating real-world attacks to uncover potential risks and identify opportunities for intrusion or misuse. But we don’t stop there—Aeris Secure provides actionable insights to strengthen your security posture, with detailed recommendations for prevention, detection, and response.

With Aeris Secure as your partner, you gain access to:

  • Proven expertise in financial and compliance-focused security testing.
  • A dedicated team of specialists to guide you through remediation.
  • Peace of mind knowing your systems are safeguarded and compliant.

Stay ahead of cyber threats and achieve your compliance goals with Aeris Secure. Contact us today to learn more about how we can help protect your institution.


Conclusion

Penetration testing is a critical requirement in the regulatory landscape for banks and financial institutions. From the explicit mandates of the GLBA Safeguards Rule to the risk-based recommendations of the FDIC and FFIEC, these assessments provide the assurance needed to secure customer information and maintain compliance. With Aeris Secure, financial institutions can confidently navigate these requirements and protect against ever-evolving threats.
