Article 6 Risk management for pooled or joint TLPTs

There are inherent elements of risks associated with TLPT as critical functions are tested in a live production environment, with the possibility of causing denial-of-service incidents, unexpected system crashes, damages to critical live production systems, or the loss, modification, or disclosure of data. Those risks highlight the need for robust risk management measures. To ensure that the TLPT is conducted in a controlled manner all along the testing, it is very important that financial entities are at all points aware of the particular risks that arise in a TLPT and that those risk are mitigated. In that respect, without prejudice to the internal processes of the financial entity and the responsibility and delegations already provided to the control team lead, information about the TLPT risk management measures, or, in particular cases the approval of those risk management measures by the financial entity’s management body itself, may be appropriate. To be able to deliver effective and most qualified professional services and to reduce those risks, it is also essential that the testers and threat intelligence providers (together, the TLPT providers) have the highest level of skills, expertise, and an appropriate experience in threat intelligence and TLPT in the financial services industry.