Automation Strategies to Avoid Finance’s Next Major Meltdown

The growing number of regulatory compliance requirements mandates that BFSI institutions conduct annual – some biannual – operational resilience testing to ensure ICT systems can withstand cyberattacks and disruptions. Traditional manual testing can’t do the job anymore.

“Widespread and serious.” “Significant disruption.” “An IT meltdown.”

These are just some of the phrases used in recent news reports describing financial ICT systems that have experienced outages or attacks.

Lost revenues aside, consumers are often negatively impacted by the fallout. Just this month, thousands of Bank of America customers logged into their accounts to mistakenly see zero balances. Reports indicate it took the bank the remainder of the day to fix as customer complaints poured in.

Consider the extreme stress factor where hours may seem like a lifetime to customers when financial assets appear lost, or in jeopardy. Sometimes, these issues drag on much longer.

In 2018, TSB Bank in the UK triggered a major network crash when attempting to move a high volume of bank records. The fallout took eight months to resolve for more than five million customers. The UK’s Financial Conduct Authority (FCA) ultimately fined TSB £49M. This was in addition to the £32.7M paid as compensation to affected customers.

This summer, we covered CrowdStrike’s defect found in a single content update for Windows hosts, which wreaked worldwide IT havoc to the tune of $5.4B in losses for Fortune 500 companies.

A growing number of regulators have seen enough. Globally, various initiatives are underway to publish or update a slate of operational resilience acts for the banking, financial services, and insurance (BFSI) sector.

The EU has introduced the Digital Operational Resilience Act (DORA) and the UK’s FCA has released operational resilience rules – both go into effect in 2025. In the U.S., the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System updated a joint Sound Practices to Strengthen Operational Resilience paper to specify preparedness for cybersecurity threats.

At a minimum, the growing number of regulatory compliance requirements mandates that BFSI institutions conduct annual – and in some cases, biannual – operational resilience testing to ensure and certify that ICT systems can withstand cyberattacks and disruptions. These frameworks involve an array of financial operations and require institutions to adhere to standards designed to mitigate risk, protect consumers, and maintain economic stability.

The new demands put a magnifying glass on the shortcomings of legacy test systems BFSI institutions have in place today. Many organizations maintain multiple siloed lab environments comprising outdated or constrained equipment. They’re typically a drain on financial resources and are unable to provide realistic simulations of modern cyberattack scenarios or disruptions, such as replicating complex network topologies, traffic patterns, or specific attacks.

There’s also massive inefficiency to contend with as too many testing processes remain predominantly manual, ballooning costs and impeding testing productivity and timeframes. And with biannual compliance requirements, that’s a major heartburn.

Since lab environments are too often managed by different teams with limited coordination, they frequently lack full utilization. The infrequency of testing processes and limitations of existing infrastructure make it harder to maintain compliance and resilience. Then there’s the incredible rate and volume of changes occurring constantly across complex, multi-vendor, disaggregated networks.

The traditional manual testing approach simply can’t do the job anymore.

An inability to test comprehensively and quickly represents a risk no financial institution can afford to take, for reasons that range from non-compliance fines and financial loss to rising operational costs and customer dissatisfaction.

Evolving testing environments

It’s time for a growing number of financial institutions to evolve their testing environments to align with regulatory requirements and operational resilience improvements.

To meet the rigorous demands of the new operational resilience acts, BFSI institutions should rethink how they approach testing and infrastructure management. The legacy systems and manual processes in place are simply not equipped to handle the scale, complexity, and frequency of testing now required.

The latest testing approaches to address emerging requirements span vulnerability assessments, penetration testing, and scenario-based tests that simulate real-world disruptions. Assets to be tested span hardware, software, data and networks, cybersecurity systems like next-generation firewalls and gateways, backup and recovery systems, and third-party IT systems, networks and services.

Spirent recommends a multi-pronged approach to modernizing testing, focusing on test lab transformation, digital twin implementations, lab and test automation, and continuous testing.

Spirent testing strategy for financial enterprises

  1. Test lab transformation. Consolidating and centralizing legacy siloed testing environments into unified automated systems reduces replication of equipment and boosts overall efficiency. Test lab transformation has been proven to reduce technical debt by eliminating the need for various isolated lab environments. This decreases costs while allowing global teams to consolidate virtual and physical testing resources in disparate labs and automate testing processes. Ultimately, time spent on manual testing is drastically reduced while accuracy improves as teams share resources and streamline cross-department testing processes.

  2. Digital Twins. Deploying emulated, software-based network replicas makes it possible to create realistic, risk-free testing environments. This capability would be exceedingly difficult and costly in real network environments. For instance, security traffic emulators can provide extensive Layer 4-7 traffic generation supporting realistic high-capacity and stateful network and application traffic and attacks. Attacks can be driven from a global reference library of known attacks, customized to include unknown zero-day attacks, as well as encrypted attacks and evasion techniques for thousands of attack variations.

  3. Lab and test automation. Automating testing processes ensures holistic operational resilience assessments are conducted more frequently, at a greater speed, and with a higher degree of realism. Whereas manual testing lacks the efficiency and speed required to stay ahead of disruptions, automated systems streamline alignment with new compliance requirements by conducting tests that were previously too time-consuming or costly to execute.

  4. Continuous testing. Integrating continuous testing (CT) into continuous integration and deployment (CI/CD) pipelines supports resilience strategy modernization by implementing more agile and iterative testing processes, which can better adapt to fast-paced technology and regulatory changes. Spirent Managed Solutions can help financial institution customers automate lab environments and integrate continuous testing, reducing the time needed for resilience testing from months to just weeks, and in some cases days.

Embracing solution components mentioned above, a large financial institution recently worked with Spirent to migrate to automated lab and testing environments, and more efficiently meet biannual compliance deadlines and stringent security standards. Outsourced testing previously cost $10 million annually, with just 10 of 1,800 testing use cases automated. The secure, end-to-end automated environment Spirent provided made it possible to run more complex simulations, improving the overall quality of testing and readiness for real-world scenarios. Annual forecasted savings are more than $20 million with ROI achieved in just 18 months. Learn more in our case study.

New regulatory environments, major leaps in technology, and higher than ever customer expectations are changing how BFSI institutions prep ICT infrastructure. With the right testing strategies in place, the capability is within reach for these companies to operate safer, more resilient, and flexible network infrastructure in unprecedented ways.

Learn more about Spirent’s work in this sector and also download our eBook, A Model for Enterprise Test Lab Transformation.

Stephen Douglas

Head of Market Strategy

Spirent is a global leader in automated test and assurance for the ICT industry. Stephen heads Spirent’s market strategy organization, developing Spirent’s strategy and helping to define market positioning, future growth opportunities, and new innovative solutions. Stephen also leads Spirent’s strategic initiatives for 5G and future networks and represents Spirent on a number of industry and government advisory boards. With over 25 years’ experience in telecommunications, Stephen has been at the cutting edge of next-generation technologies and has worked across the industry with service providers, network equipment manufacturers and start-ups, helping them drive innovation and transformation.