
Penetration testing in the modern regulatory and legal landscape

By Ilia Kolochenko
GDPR and data protection in today's legal landscape
June 22, 2021

The modern penetration testing market has its roots in the so-called ethical hacking industry, born in the late ‘90s. Today, countless vendors of all sizes compete in the rapidly growing global market, while many organizations still perceive penetration testing merely as an optional best practice or a tedious annual exercise imposed by internal security policy. Others care more about receiving a “clean” penetration testing executive summary to share with customers, partners or investors. Meanwhile, mandatory penetration testing has become an inherent part of mushrooming personal data protection laws, privacy and cybersecurity regulations, some of which we will briefly review in this article.

Today, the European GDPR is undoubtedly the North Star for privacy legislators around the globe. One can easily find a reflection of GDPR’s privacy foundations in the Singaporean PDPA, updated and enhanced in February 2021, in the just-enacted Brazilian LGPD, or in the South African POPIA coming into effect on July 1. These modern privacy laws come from three different continents, but all of them closely resemble GDPR. They provide individuals with enforceable privacy rights and, among other things, impose robust data protection duties upon the covered entities that process personal information. Data security is an inalienable part of privacy and one of the key concerns of individuals who entrust their personal data to third parties.

Article 32 of GDPR is mostly dedicated to protection of the confidentiality, integrity and availability of personal data. The article even concisely mentions regular security testing; however, it does not specifically refer to penetration testing or to any other particular security control or process. The statutory language of GDPR is purposely left vague to give broad discretion to competent courts and national DPAs (Data Protection Authorities) to determine what reasonable, adequate or risk-based cybersecurity should mean in practice.

The recent EDPB (European Data Protection Board) guidelines on data breach notifications (01/2021) fill the gap for those who are looking for more detailed technical guidance. Regular penetration testing is expressly mentioned in several examples of how hypothetical data breaches could and should have been prevented by the data controller. The guidelines also highlight that penetration testing is to be conducted regularly and is designed to detect vulnerabilities in advance so that they can be fixed before the system goes into a production environment.

A similar point of view about penetration testing is shared by the UK national DPA, the Information Commissioner’s Office (ICO), which continues to enforce the UK GDPR after Brexit. In its comprehensive guide to the UK GDPR, the ICO specifically mentions penetration testing as a tenable way to ensure that your existing security measures are effective. Furthermore, in its penalty notice for the notorious British Airways case (Ref. COM0783542), the ICO unequivocally stipulated (Sections 6.53-6.56 and 6.66) that improperly or infrequently conducted penetration testing is an aggravating factor that, among other things, likely indicates a violation of the security requirements imposed by GDPR.

Other jurisdictions follow the European approach to mandatory penetration testing as part of reasonable and adequate security. For instance, in 2019 the national DPAs of Singapore (PDPC) and Hong Kong (PDPO) jointly developed a detailed guide to data protection by design for ICT systems. The guide expressly points to penetration testing as a good practice to identify and remediate security vulnerabilities. Furthermore, the Singaporean PDPC has mentioned penetration testing as a requisite security control in over 60 enforcement decisions for violations of the PDPA (Personal Data Protection Act) in Singapore, leaving no doubt about its perception of penetration testing in the regulatory context.

Unsurprisingly, the trend towards obligatory penetration testing is largely supported in the U.S. amid vivid discussions about the need for a federal law to regulate privacy and personal data protection across the country. For instance, the US DoD’s CMMC (Cybersecurity Maturity Model Certification) imposes periodic penetration testing through practice CA.4.164 for Level 4 and Level 5 DoD contractors. Practice CA.4.227 goes even further by requiring periodic Red Teaming against organizational assets in order to validate defensive capabilities.

In the state of New York, the Department of Financial Services (NYDFS) issued its own cybersecurity regulations (23 NYCRR 500), which are mandatory for financial companies and banks operating in the state. Section 500.05 of the regulations specifically obliges the covered entities to perform penetration testing at least annually.

Interestingly, the well-known PCI DSS standard, which among other things imposes annual penetration testing of the CDE scope through Requirement 11.3, was incorporated into the state legislation of Nevada and Washington, thereby making PCI DSS infringements a potential violation of enacted state law. Utah and Ohio recently enacted so-called safe harbor laws that provide a breached entity with an affirmative defense against certain types of legal claims if the entity proves compliance with a recognized cybersecurity standard such as PCI DSS.

Last year, the FTC, being the primary cybersecurity and privacy watchdog at the federal level in the US, ordered Zoom to implement regular penetration testing in its consent order against the company (file no. 192 3167, November 2020) as part of a cybersecurity strategy enhancement at the famous video-conferencing company. Similar provisions addressing penetration testing can be found in other consent orders generously issued by the FTC.

The U.S. HHS’s Office for Civil Rights (OCR) is the principal HIPAA enforcer in the country. The OCR recently published a detailed framework for security and privacy assessment for the Centers for Medicare & Medicaid Services (CMS) with a section dedicated to penetration testing.

The SEC’s OCIE (Office of Compliance Inspections and Examinations) released a risk alert notice in November 2020, elaborating on the most frequent deficiencies and violations of the Compliance Rule under the Investment Advisers Act of 1940. The OCIE emphasized that safeguards for clients’ privacy, imposed by the Act upon the covered financial advisers, should include, among other things, a properly established and documented penetration testing program.

As described above, even absent specific language in the applicable law, states and governmental authorities globally converge on the view that penetration testing is an implied legal duty and must be regularly conducted to ensure reasonably sufficient data protection in their jurisdictions.

Finally, after the SolarWinds affair, more and more businesses and governmental entities have started taking their third-party risk management programs seriously. They are now asking suppliers not only for ISO 27001 or SOC 2 annual audit reports, but also for summaries of penetration testing reports and the remediation steps taken. Such a practice has become a widespread contractual requirement for doing business with many large companies when suppliers handle sensitive data or trade secrets. The contractual provisions can be enforced in court, leading to stipulated monetary damages and early contract termination by the client for breach of contractual data protection duties.

Organizations should start perceiving penetration testing not as a formalistic or superfluous security task but as a legal duty and, most importantly, as a valuable contribution to their competitiveness on the global market, where customers strongly value that you care about the security of their data.

Ilia Kolochenko is Founder, CEO and Chief Architect at ImmuniWeb.