Red Team Testing to Meet Regulatory Requirements
What are Red Team Testers?
Red team testers play the role of an adversary and use threat intelligence to reproduce probable attack scenarios and identify gaps in cyber preparedness.
What is Red Team Testing to Meet Regulatory Requirements?
Regulatory red team testing simulates real-world attacks on the digital infrastructure and involves regulators across all stages to ensure alignment with regulatory requirements. Certified penetration and vulnerability testers evaluate technical prevention controls, detection capabilities, and incident response planning by emulating the tactics, techniques, and procedures (TTPs) commonly used by adversaries.
This includes measuring the organization’s cyber resilience against real-world threats, including social engineering, malware deployment, and sensitive data exfiltration techniques.
Red Team Testing – The Why and When
Did You Know?
One cyber attack can erode 21 percent of shareholder value [1], and the global average cost per data breach is $4.45 million US dollars [2].
The threat is significant, and it is greater still for financial institutions, which may be subject to legal requirements regarding cyber security and the protection of sensitive information. Organizations that fail to improve their cyber resilience may face financial penalties.
Red team testing is not just a recommendation; it's a necessity.
How Aon Can Help
Few teams can lead a complex red team testing engagement. Aon has a long history of delivering red team testing based on relevant UK and global frameworks, including:
- CBEST, for tier-one financial institutions, mandated by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA).
- STAR-FS, for smaller organizations, overseen by the PRA and FCA.
- TIBER-EU / DORA, the cross-border European framework from the European Central Bank.
- iCAST, the Hong Kong Monetary Authority framework.
Aon red team testers hold the CREST Certified Simulated Attack Manager and CREST Certified Simulated Attack Specialist certifications — a recognition of the high level of knowledge and experience required to test financial institutions. Internationally recognized, these accreditations demonstrate the high standards of our team's ability to conduct simulated attacks and identify vulnerabilities in financial institutions' digital infrastructures.
[1] Aon. Cyber Resilience Report 2023: Navigating the Path Towards Cyber and Business Resilience.
[2] IBM. Cost of a Data Breach Report 2023.
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
FP.RISK.2024.140.SD