VII-128.10 Compliant SPK Penetration Testing

Mandatory annual independent penetration testing for capital markets institutions under the Communiqué on Information Systems Management (VII-128.10).

Legal Basis

SPK regulatory framework

Communiqué: VII-128.10, Communiqué on Information Systems Management
Official Gazette: 13.03.2025, No. 32840
Audit: III-62.2.b, Independent Information Systems Audit
Reporting: 31 January of the following year (deadline)
01 — Overview

What Is an SPK-Compliant Penetration Test?

The Communiqué on the Procedures and Principles Regarding Information Systems Management (VII-128.10), published by Turkey's Capital Markets Board (SPK) in the Official Gazette on 13 March 2025, requires capital markets institutions to have regular penetration tests performed on their information systems. This communiqué replaced the 2018 Communiqué No. VII-128.9. Senior management is directly responsible for ensuring these tests are carried out periodically.

Under the communiqué, penetration tests must be conducted at least once a year by independent parties that hold national or international penetration-testing certifications and have no responsibility for the institution's information-security compliance; the report must be submitted to the SPK within one month of completion and no later than 31 January of the following year. The Independent Information Systems Audit Communiqué (III-62.2; amended by III-62.2.b on 13 March 2025) sets out the principles of independent information-systems audit.

02 — In Scope

Who Is Required to Comply?

The communiqué covers most institutions operating in the capital markets:
Brokerage houses and investment firms
Portfolio management companies
Investment trusts and fund institutions
Borsa İstanbul, Takasbank and the Central Securities Depository (MKK)
Crowdfunding platforms and other SPK-licensed institutions
Other entities subject to independent information-systems audit
Scope and testing frequency may vary by institution type and size; for current obligations, refer to the relevant communiqués and SPK announcements.
03 — Technical Scope

SPK Penetration Test Scope

The test scope spans the institution's information systems end to end — from internet-facing assets to the internal network, from applications to identity infrastructure.

Investor Data and Privacy

Verifying that investor identity, account and transaction data are protected against unauthorized access, and that the controls protecting personal data are actually effective.

Trading Platform Security

OWASP-based testing of order-routing, trading and investor-portal applications, including identification of business-logic flaws.

Market Data Integrity

Assessing the integrity of price, order and market-data flows and their resilience against manipulation.

Communiqué Compliance and Reporting

Mapping findings to VII-128.10 and III-62.2 requirements and reporting in a format suitable for submission to the SPK.

Unauthorized Access and Privilege Escalation

Testing authentication, session-management and authorization controls, as well as insider-threat scenarios.

Audit Trail and Logging

Verifying that critical transactions can be traced end to end, that logs are protected against tampering and deletion, and that logging coverage is sufficient to support incident response.

04 — Methodology

Testing Process

Our independent penetration-testing process under VII-128.10 spans from scoping to SPK-ready reporting.
1. Scoping and Communiqué Analysis

An information-systems inventory is produced; VII-128.10 obligations and the test scope (external/internal, application, infrastructure) are clarified.

2. External and Internal Penetration Testing

Penetration testing is performed on internet-facing assets and the internal network using unauthenticated and authenticated scenarios.

3. Application and Data Security Testing

Trading platforms, investor portals and APIs are tested, along with the security of market and investor data.

4. Verification and Re-testing

After identified vulnerabilities are remediated, a closing verification (re-test) is performed.

5. Reporting in SPK Format

Findings are mapped to communiqué requirements; the report is delivered in a form that can be submitted to the SPK within one month of test completion.

05 — Deliverables

SPK-submittable deliverables

Each test ends with findings, an evidence set and a remediation roadmap in a format ready to submit to the regulator.

Detailed technical penetration-test report mapped to VII-128.10
Executive summary and risk-rating matrix
Prioritized remediation recommendations and re-test results
Compliance and reporting documents suitable for submission to the SPK
06 — FAQ

Your questions

Is SPK penetration testing legally mandatory?
Yes. Under the SPK Communiqué on the Procedures and Principles Regarding Information Systems Management (VII-128.10, Official Gazette 13 March 2025), capital markets institutions in scope are obliged to have regular penetration tests performed on their information systems, and senior management is responsible for this.
How often must penetration testing be performed?
The communiqué requires penetration tests to be performed at least once a year. Additional testing is recommended after significant system or infrastructure changes.
Who is allowed to perform the test?
Testing must be performed by independent parties that hold national or international penetration-testing certifications and have no responsibility for the institution's information-security compliance. Subsequent regulation may impose additional qualification or licensing requirements on testers; check the current SPK regulations for the latest requirements.
When is the report submitted to the SPK?
The penetration-test report is submitted to the SPK within one month following completion of the test, and no later than 31 January of the following year.
Which institutions are in scope?
Brokerage houses, investment firms, portfolio management companies and investment trusts, as well as market-infrastructure institutions such as Borsa İstanbul, Takasbank and the MKK, are in scope.
Are there sanctions for institutions that fail to comply?
Yes. In 2025 the SPK imposed administrative fines on brokerages over deficiencies in their 2023 penetration-test reports; fulfilling the obligation fully and on time is critical.
What does the test cover?
External and internal network penetration testing; trading/investor application and API security; authentication and authorization controls; and the integrity of market and investor data are typically in scope.
Contact

Get in Touch for SPK-Compliant Penetration Testing

Meet your VII-128.10 obligations and protect investor and market data.
