By Chris Wilkinson, Director, BSS
The clock is ticking for financial organisations to comply with new European Union (EU) legislation designed to bolster the sector’s IT resilience and protect it from the ever-increasing risks of cyber-attacks.
The Digital Operational Resilience Act (DORA) applies from 17 January 2025 and acknowledges the pivotal role of IT systems in modern financial services, including banks, insurance companies and investment firms.
When it was formally adopted in November 2022, legislators insisted that the new regulation would ensure the financial sector in Europe is ‘able to stay resilient through a severe operational disruption’.
It’s important to note that, before DORA, much of the regulation of banks and similar institutions revolved around whether they held sufficient capital to absorb a financial shock. DORA goes a step further, requiring safeguards for the IT systems that underpin the financial sector.
Speaking at the time, Zbyněk Stanjura, Minister of Finance of Czechia, said: “We live in uncertain times. Banks and other companies which provide financial services in Europe already have plans in place for their IT security, but we need to go one step further.
“Thanks to the harmonised legal requirements…our financial sector will be better able to continue to function at all times. If a large-scale attack on the European financial sector is launched, we will be prepared for it,” he said.[1]
More than a year after the legislation was ratified, financial services firms are still wrestling with how best to make sure they can withstand, respond to and recover from ICT-related disruptions and threats. The regulation also reaches critical ICT third-party providers such as cloud platforms and data analytics services.
Preparing for DORA
The new legislation rests on five core pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and information sharing.
With such a broad remit, it’s impossible to cover them all in one article. Instead, I want to focus on just one of DORA’s pillars, ICT third-party risk, to explore some of the practical steps companies can take to ensure they don’t fall foul of the new regulation.
While this isn’t exhaustive, in practical terms, financial services companies need to:
Identify and Prioritise: Identify the third parties with the highest potential risk to your organisation’s cybersecurity. Categorise them based on factors such as access to critical systems, sensitive data, or their role in the supply chain.
Define Assessment Criteria: Develop a comprehensive set of assessment criteria tailored to cybersecurity. Include factors such as information security policies, incident response procedures, access controls, network security measures, data encryption practices, and employee awareness and training programmes.
Conduct Due Diligence: Engage third parties in discussions and request relevant documentation relating to their cybersecurity practices. Evaluate their security policies, procedures and technical controls. Consider commissioning external audits or assessments by qualified professionals to obtain an objective evaluation.
Assess Vulnerability Management: Evaluate the third party’s approach to identifying, prioritising, and remediating vulnerabilities in their systems and applications. Assess their patch management processes, penetration testing, and vulnerability scanning practices to ensure proactive risk mitigation.
Monitor Ongoing Compliance: Implement a robust monitoring mechanism to assess third parties’ continued compliance with security requirements. Regularly review their compliance with contractual obligations, security incident reporting, and adherence to industry standards. Conduct periodic reassessments to ensure ongoing alignment with your organisation’s cybersecurity standards.
CISOs responsible for maintaining DORA compliance
Without doubt, financial services companies and their suppliers have a huge job ahead of them. But the scale of the task is matched only by the penalties they face if found to be in breach of the new legislation.
Reports have cited fines of up to €10 million, or 5% of total annual turnover, whichever is higher. The regulation itself leaves the administrative penalties for financial entities to national competent authorities to set, and for critical ICT third-party providers it allows the Lead Overseer to impose periodic penalty payments of up to 1% of average daily worldwide turnover.
That makes it incumbent on those responsible for meeting DORA compliance, including Chief Information Security Officers (CISOs) among others, to get it right. The problem is, with a year to go, time is running out.
[1] https://www.consilium.europa.eu/en/press/press-releases/2022/11/28/digital-finance-council-adopts-digital-operational-resilience-act/