Penetration testing in the modern regulatory and legal landscape

The modern penetration testing market has its roots in the so-called ethical hacking industry, born in the late ‘90s. Today, countless vendors of all sizes compete in the rapidly growing global market, while many organizations still perceive penetration testing merely as an optional best practice or a tedious annual exercise imposed by internal security policy. Others rather care about receiving a “clean” penetration testing executive summary to share with customers, partners or investors. In the meanwhile, mandatory penetration testing has become an inherent part of mushrooming personal data protection laws, privacy and cybersecurity regulations, some of which we will briefly review in this article.

Today, the European GDPR is undoubtedly the Northern Star for privacy legislators around the globe. One can easily find reflection of GDPR’s privacy foundations in the Singaporean PDPA, updated and enhanced in February 2021, in the just-enacted Brazilian LGPD, or in the South African POPIA coming into the effect on July 1. These modern privacy laws come from three different continents, but all of them closely resemble GDPR. They provide individuals with enforceable privacy rights and, among other things, impose robust data protection duties upon the covered entities that process personal information. Data security is an inalienable part of privacy and one of the key concerns of individuals who entrust their personal data to third parties.

Article 32 of GDPR is mostly dedicated to protection of confidentiality, integrity and availability of personal data. The article even concisely mentions regular security testing, however, does not particularly refer to penetration testing or to any other specific security controls or processes. The statutory language of GDPR is purposely left generally vague to give broad discretion to competent courts and national DPAs (Data Protection Authorities) to determine what reasonable, adequate or risk-based cybersecurity should mean in practice.

The recent EDPB (European Data Protection Board) guidelines on data breach notifications (01/2021) fill in the gap for those who are looking for more detailed technical guidance. Regular penetration testing is expressly mentioned in several examples on how hypothetical data breaches could and should have been prevented by the data controller. The guidelines also highlight that penetration testing is to be conducted regularly, is designed to detect vulnerabilities in advance and to fix them before the system goes into production environment.

A similar point of view about penetration testing is shared by the UK national DPA - the Information Commissioner’s Office (ICO) - that continues enforcing the UK GDPR after Brexit. In its comprehensive guide to the UK GDPR, the ICO specifically mentions penetration testing as a tenable way to ensure that your existing security measures are effective. Furthermore, in its penalty notice for the notorious British Airways case (Ref. COM0783542), the ICO unequivocally stipulated (Sections 6.53-6.56 and 6.66) that improperly or infrequently conducted penetration testing is an aggravating factor that, among other things, likely indicates violation of the security requirements imposed by GDPR.

Other jurisdictions follow the European approach to mandatory penetration testing as a part of reasonable and adequate security. For instance, in 2019 the national DPAs of Singapore (PDPC) and Hong Kong (PDPO) jointly developed a detailed guide to data protection by design for ICT systems. The guide expressly points to penetration testing as a good practice to identify and remediate security vulnerabilities. Furthermore, the Singaporean PDPC mentioned penetration testing as a requisite security control in over 60 enforcement decisions for violations of PDPA (Personal Data Protection Act) in Singapore, leaving no doubt about its perception of penetration testing in the regulatory context.

Unsurprisingly, the trend towards obligatory penetration testing is largely supported in the U.S. amid vivid discussions about the need for a federal law to regulate privacy and personal data protection across the country. For instance, the US DoD’s CMMC (Cybersecurity Maturity Model Certification) imposes periodical penetration testing by the CA.4.164 practice for the Level 4 and 5 DoD contractors. The CA.4.227 practice goes even further by requiring a periodical Red Teaming against organizational assets in order to validate defensive capabilities.

In the state of New York, the Department of Financial Services (NYDFS) issued its own cybersecurity regulations (23 NYCRR 500), which are mandatory for financial companies and banks operating in the state. Section 500.05 of the regulations specifically obliges the covered entities to perform penetration testing at least annually.

Interestingly, the well-known PCI DSS standard that, among other things, imposes annual penetration testing of the CDE scope by the Requirement 11.3, was incorporated into the state legislation of Nevada and Washington thereby making PCI DSS infringements a potential violation of the enacted state law. Utah and Ohia recently enacted the so-called safe harbor laws that provide a breached entity with affirmative defense against certain type of legal claims if the entity proves compliance with a recognized cybersecurity standard such as PCI DSS.

Last year, the FTC, being the primary cybersecurity and privacy watchdog at federal level in the US, ordered to implement regular penetration testing in its consent order against Zoom (file no. 192 3167, November 2020) as a part of cybersecurity strategy enhancement at the famous video-conferencing company. Similar provisions addressing penetration testing can be found in other consent orders generously issued by the FTC.

The U.S. HHS’s Office for Civil Rights (OCR) is the principal HIPAA enforcer in the country. The OCR recently published a detailed framework for security and privacy assessment for Centers for Medicare & Medicaid Service (CMS) with a section dedicated to penetration testing.

The SEC’s OCIE (Office of Compliance Inspections and Examinations) released a risk alert notice in November 2020, elaborating most frequent deficiencies and violations of the Compliance Rule under the Investment Advisers Act of 1940. The OCIE emphasized that safeguards for clients’ privacy, imposed by the Act upon the covered financial advisers, should include, among other things, a properly established and documented penetration testing program.

As described above, even absent a specific language in the applicable law, states and governmental authorities globally converge that penetration testing is an implied legal duty and must be regularly conducted to ensure reasonably sufficient data protection in their jurisdictions.

Finally, after the SolarWinds gate, gradually more businesses and governmental entities started taking their third-party risk management program seriously. They are now asking suppliers not only for ISO 27001 or SOC 2 annual audits reports, but to also for summaries of penetration testing reports and remediation steps taken. Such practice becomes a widespread contractual requirement to do business with many large companies when suppliers handle sensitive data or trade secrets. The contractual provisions can be enforced in court, leading to stipulated monetary damages and early contract termination by the client for breach of contractual data protection duties.

Organizations should start perceiving penetration testing not as a formalistic or superfluous security task but as a legal duty and, most importantly, as a valuable contribution to their competitiveness on the global market where customers strongly value that you care about security of their data.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.