All licensees providing internet services must test their systems against security breaches and verify the robustness of the security controls in place each year in June and December. These tests must be conducted by security professionals, such as ethical hackers, that provide penetration testing services and a vulnerability assessment of the system. The tests must be undertaken by external independent auditors or consultants.