Article 5
Risk management for TLPT
1. During the preparation phase referred to in Article 9, the control team shall assess the risks associated with the testing of live production systems of critical or important functions of the financial entity, including potential impacts on:
(a) the financial sector;
(b) the financial stability at Union or national level.
The control team shall review those impacts throughout the testing.
2. For the purposes of the risk assessment and management, the control team shall take into account at least the following types of risks related to:
(a) granting access to the threat intelligence provider and external testers, where applicable, to sensitive information on the financial entity;
(b) lack of compliance of the TLPT with Regulation (EU) 2022/2554 and with this Regulation where such lack of compliance results in a lack of the attestation referred to in Article 26(7) of Regulation (EU) 2022/2554, including where such lack of compliance is due to breaches of confidentiality on the TLPT or to a lack of ethical conduct;
(c) crisis and incident escalation;
(d) the active red team phase, including risks related to the interruption of critical activities and the corruption of data due to the activities of the testers, and its potential impacts on third parties;
(e) the blue team activity, including risks related to the interruption of critical activities and the corruption of data due to the activities of the blue team, and its potential impacts on third parties;
(f) the incomplete restoration of systems affected by the TLPT.