Threat-Led Penetration Testing - TLPT

The Malta Financial Services Authority (MFSA) has published critical guidance to support the development of Codes of Conduct for Threat-Led Penetration Testing (TLPT) providers and financial entities. Addressing the advanced testing protocols mandated by the Digital Operational Resilience Act (DORA), the guidelines and accompanying circular provide a definitive blueprint for constructing these mandatory ethical frameworks, ensuring that entities providing TLPT services operate with integrity, transparency, and the necessary technical competence to safeguard live production systems.

Financial Entities and the TLPT Requirement

Under the DORA framework, mere vulnerability scanning is no longer sufficient for critical players. The regulation mandates that financial entities which are required to carry out advanced testing must undertake TLPT at least once every three years.

TLPT is a highly sophisticated exercise that mimics the tactics, techniques, and procedures of real-life threat actors, enabling entities to test their resilience against simulated, high-impact cyber-attacks on their live production systems. Although not every financial entity is obliged to conduct such exhaustive testing, those that are must navigate a strict procurement and execution process.

Eligible TLPT Providers

Financial entities are thus required to engage qualified testers and threat intelligence providers. These professionals can be either internal employees of the financial entity or external ICT third-party service providers. However, DORA imposes strict eligibility criteria. Article 27(1) of the DORA Regulation stipulates that financial entities may only utilise testers who are either certified by an accreditation body within an EU Member State or who adhere to formal codes of conduct or ethical frameworks. This specific requirement acts as a vital gatekeeper, ensuring that only highly professional and ethical providers gain access to the sensitive live systems of the financial sector.

The Rationale Behind the MFSA Guidance

To supplement the obligations set out in DORA, the MFSA, acting as the designated TLPT authority for Malta, collaborated with the TIBER-EU Knowledge Centre to develop the "TLPT Codes of Conduct Guidance Document". The primary purpose of this guidance is to establish clear expectations and best practices for constructing these ethical frameworks. By providing this blueprint, the MFSA aims to enhance the suitability of external ICT service providers and internal testers, ensuring they carry out tests safely and effectively through the European framework for Threat Intelligence-Based Ethical Red Teaming (TIBER-EU). Ultimately, the guidance fosters trust and provides assurance to financial entities that their chosen providers will act with the utmost professionalism.

Core Principles of Conduct

The MFSA's guidance document advises that a robust Code of Conduct should be anchored in five core principles. ICT service providers developing their own frameworks must pay close attention to these pillars to ensure regulatory alignment and commercial viability.

  1. Ethical Conduct - Providers are expected to maintain an unimpeachable standard of behaviour by completely avoiding associations with malicious hackers and strictly prohibiting the use of illegally obtained software. Furthermore, providers must proactively manage and disclose any conflicts of interest. Thus, if an ICT service provider previously offered consultancy services to the financial entity or holds a financial stake in its operations, this must be declared, as it could compromise objectivity. The guidelines also demand transparency, requiring testers to report any unlawful actions discovered during an engagement to the competent authorities without delay.
  2. Testing Activity - The guidance emphasises that providers must strictly operate within the agreed scope of the test and respect fundamental rights. Social engineering tactics, such as phishing, are permitted only if explicitly authorised and conducted without causing disproportionate harm to employees or third parties. Crucially, testers must actively avoid causing disruptions, such as data deletion or server downtime. Should they uncover a genuine, severe vulnerability or an ongoing real-world intrusion, all testing must cease immediately, and the financial entity must be alerted. Finally, comprehensive clean-up activities must be executed to ensure no residual artifacts compromise the system post-testing.
  3. Reporting, Record Keeping, and Information Exchange - Written deliverables are the tangible outcome of a TLPT exercise, providing the insights needed to improve resilience. The guidance mandates that all reports must be legible, grammatically correct, and comprehensible to both technical staff and non-technical management. Providers must maintain strict accountability for every action taken during the test and clearly label the security classification of all materials using the Traffic Light Protocol (TLP+) system. Moreover, rigorous data processing controls must be maintained to protect sensitive information collected during the engagement.
  4. Suitability - Providers are required to demonstrate an unblemished professional background. The guidance sets standards akin to the fitness and properness assessment conducted by the MFSA. Providers are thus expected to disclose any history of dismissals, revoked memberships, or disciplinary actions from regulatory bodies. They must also confirm they are not currently under criminal or civil investigation, nor have they operated without the necessary licences in the past. This rigorous vetting process is essential for financial entities to assess the risks associated with granting external parties access to their critical infrastructure.
  5. Protection of Intellectual Property - In the highly technical sphere of cybersecurity, proprietary tools and methodologies are widespread. The MFSA stresses that TLPT providers must respect the intellectual property rights of third parties. This includes ensuring that all software used during testing is fully licensed, properly credited, and never obtained through misappropriation or theft from former employers or competitors.

The MFSA's guidance marks a significant step in operationalising the DORA testing requirements in Malta. For financial entities, it provides a benchmark for vetting and trusting the professionals tasked with probing their defences. For ICT service providers and threat intelligence experts, it serves as an indispensable roadmap. By crafting a Code of Conduct aligned with these five core principles, service providers can not only achieve compliance but also distinguish themselves as trusted, ethical partners for financial entities.

For any further information or assistance, please contact us at info@gtg.com.mt

Author: Dr Cherise Abela Grech

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.