Global Trade Organization Aims to Facilitate Global Regulatory and Industry Coordination on Cybersecurity

HONG KONG, LONDON and WASHINGTON, 3 APRIL 2018 – The Global Financial Markets Association (GFMA) today published A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry.

This Framework is designed to create an agreed upon approach for regulators and financial services firms to conduct effective testing to satisfy both supervisory and firm originated requirements.  The Framework’s objectives are to:

  • Engage regulators globally with a common framework to facilitate open dialogue;
  • Ensure regulatory concerns and recommendations are considered; and,
  • Establish an industry-wide process where emerging technologies, threats, industry-leading practices and regulatory requirements drive continued iteration of the Framework.

The Framework builds upon the set of principles GFMA issued in late 2017 to guide the development of a commonly accepted framework for cybersecurity penetration testing which were designed to:

  • Provide regulators the ability to guide penetration testing and red teaming programs to meet supervisory objectives through use of scenarios based on current risks that drive scheduling and scoping of testing activities
  • Provide regulators with a high degree of confidence that testing is conducted by trained, certified and qualified personnel with sophisticated tools that can accurately emulate adversaries as required
  • Provide regulators transparency into the testing process and results for both regulator-driven and firm-driven testing as well as assurance that firm governance identifies and properly addresses weaknesses
  • Ensure testing activities are conducted in a manner that minimizes operational risks and ensures data security by including strict protocols for distributing test data and results

Penetration testing serves as one of the foremost tools in enabling a robust security program for financial institutions. Such testing allows firms to evaluate their systems and the controls that protect them in order to identify and remediate vulnerabilities, thereby strengthening their infrastructure against cyber threats.

“The GFMA Pen Testing Framework provides a guide for the development of a safe, secure and scalable testing program which provides a basis for joint agreement between financial service firms and regulators for conducting effective testing while managing operational risk,” said Allison Parent, GFMA’s Executive Director.  “The industry believes regulatory consistency is critical to efficient and effective cybersecurity. We are hopeful the level of coordination outlined in the Framework allows for the continued confidence and growth of the world’s financial markets and economy.”

The Framework outlines a four-phased Testing Lifecycle to ensure firms are following industry best practices while simultaneously meeting regulatory demands. The four phases of firm-led red teaming or penetration testing are the following:

  • Threat Intelligence Phase – A firm’s internal intelligence should be augmented by government agencies and sector level financial industry resources.  Final threat intelligence scenarios should be approved by regulators where applicable.
  • Planning Phase – Test activities should be prioritized and scheduled according to threat intelligence and regulator input in planning the scope of the exercise.
  • Testing Phase – Testing should begin after operational planning and attack methodologies are agreed upon.
  • Analysis and Response Phase – This phase will include the development of executive / technical reports and associated firm response.  Summary versions of these final reports may be distributed internally within the firm and to regulators and would include a sign-off from the organization’s Board on
    the identified vulnerabilities and associated remediation plan.

The target audience for this Framework includes those in the financial services industry who conduct, rely or call for the execution of penetration testing and red teaming, including regulators, firm executives, information security professionals, information technology specialists, testers, third party stakeholders and industries outside financial services.

A number of jurisdictions around the world already leverage penetration testing in their regulatory regime.  The goal of the GFMA proposal is not to compete with existing frameworks but rather to coordinate their development and use to ensure that financial institutions are able to safely,
securely and efficiently increase their cyber resilience while complying with their supervisory requirements. The GFMA penetration testing framework is similarly aligned with the G-7’s broader recommendations on how institutions can conduct effective cybersecurity assessments, promoting safe and effective testing methods.

The full Framework document is available



Corliss Ruggles          +852 9359 6996         

Rebecca Hansford     + 44 (0)20 3828 2693

Liz Pierce                   +1 (212) 313-1173     


  • The Global Financial Markets Association (GFMA) brings together three of the world’s leading financial trade associations to address the increasingly important global regulatory agenda and to promote coordinated advocacy efforts. The Association for Financial Markets in Europe (AFME) in London, Brussels and Frankfurt, the Asia Securities Industry & Financial Markets Association (ASIFMA) in Hong Kong and the Securities Industry and Financial Markets Association (SIFMA) in New York and Washington are, respectively, the European, Asian and North American members of GFMA. For more information, visit