Giles Inkson, Director of Services EMEA, NetSPI
With the release of the second, and hopefully final, batch of policy products under DORA, financial institutions face more specific requirements, including ICT incident reporting, threat-led penetration testing, and comprehensive oversight frameworks. These additions underscore that institutions must not only comply but also integrate these standards seamlessly into their business-wide resilience strategies. For CISOs, the latest DORA guidelines can make it feel like the candle is burning at both ends. Here are my tips on how to implement the latest guidelines with a strategic approach.
Getting to grips with the new standards
The updated guidelines provided by the European Supervisory Authorities (ESAs) focus on enhancing the digital resilience of financial institutions. These standards emphasise the need for robust ICT incident reporting systems that can quickly detect, manage, and mitigate risks. Furthermore, threat-led penetration testing (TLPT) is highlighted as a key method to proactively identify vulnerabilities within the system, allowing organisations to stay ahead of potential threats.
While compliance is non-negotiable, the approach to implementing these standards should be strategic, pragmatic and continuous. This is not the same as having everything in place for the deadline: you should be making efforts to get as close as possible, with a full plan for the rest. Not all businesses will have every element fully implemented, but having a strategy to close that gap is a core part of the continued compliance cycle of identifying, prioritising and remediating threats to operational resiliency.
Where businesses are underprepared, they must begin by mapping their gaps. A gap analysis against the core areas of the new requirements is the natural starting point. This analysis should then inform the development of a tailored implementation plan that prioritises critical areas first, ensuring that the most significant risks are addressed early in the process.
Your procurement process should have kicked off
For businesses, doing this alone can be daunting. By next month, to ensure a successful implementation of these standards by January 17th, their procurement process should be in full swing, both for achieving compliance and for roadmapping the path to ongoing compliance. They need to consider which vendors to work with. NetSPI’s DORA checklist can be a good place to start to help businesses keep track of where they are in their DORA journey.
Incident reporting, threat intelligence and effective penetration testing
An essential part of this plan should involve enhancing incident reporting mechanisms. This includes not only the technical infrastructure needed to detect and report incidents but also the processes and policies that ensure timely and accurate reporting. For threat-led penetration testing, institutions should consider leveraging both internal expertise and external partners. By simulating real-world attack scenarios, these tests can provide valuable insights into potential weaknesses, allowing institutions to reinforce their defences before an actual attack occurs.
Ongoing vulnerability-focussed penetration testing is a core component of overall resiliency, but this is not the same as threat-led penetration testing – businesses will need to do both. Businesses need to avoid thinking that having a vulnerability management capability is enough. Organisations need to show evidence of learning, of actioning the output, and of manual validation and remediation. They must understand how the issues identified are mitigated more widely in the context of their organisation, not just ‘has it been patched’. Threat Led Penetration Testing (TLPT) is a business-wide resilience test, closer to what others may call red teaming or scenario-based testing. It is complex, can take up to 9 months to procure and deliver end-to-end, and requires highly skilled teams to deliver and secrecy throughout.
This can be driven by internal teams for 2 out of 3 years, using your own threat intelligence, as long as you are able to show that the scenarios you complete are accurate and based on real-world analysis. It is often more straightforward to get help in understanding this before you conduct it. 1 year in 3, you may be asked to perform a full TLPT assessment aligned to the TIBER standard (and sometimes others too). This is highly regulated, protected and multi-stakeholder red teaming at its heart. All TLPT should exercise every control and business process that protects your critical functions as part of a wider system, and be focussed on learning and growth fuelled by a pragmatic and open ‘warts and all’ approach. For the TIBER-aligned instances, it will involve the regulators and third-party teams in a full adversary simulation exercise that will test the organisation and all of the practices DORA enshrines, so consider practising this in advance in the other years.
Beyond compliance
Implementing these standards will undoubtedly present challenges, particularly for smaller institutions with limited resources. However, by adopting a phased approach and focusing on high-impact areas first, even smaller players can achieve compliance without overextending their resources. Collaboration with external experts and peer institutions can also provide much-needed support and insights during this process.
Fundamentally, the goal of DORA is not just to ensure compliance but to foster a culture of digital resilience within the financial sector. By approaching the latest guidelines with a strategic mindset, organisations can ensure they meet regulatory requirements and also strengthen their overall operational resilience, positioning themselves to better withstand the digital challenges of the future. As the landscape continues to evolve, staying informed and adaptive will be key to thriving under DORA’s framework.