By Darren Thomson, Field CTO EMEAI at Commvault
Given the complexity and interconnected nature of the financial services ecosystem, it’s hardly surprising that operational resilience remains under regulatory scrutiny and review. The consequences of isolated or systemic disruption to services, particularly due to cyberattacks, could be catastrophic, and authorities are quite rightly focused on both prevention and mitigation.
One of the consequences of these challenges is that from January 17th of next year, the EU’s Digital Operational Resilience Act (DORA) will come into force. Oversight activities begin and there are harsh financial penalties for non-compliance. The objective behind DORA is to strengthen “the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.”
On a practical level, it will harmonise the operational resilience rules across 20 different types of financial entities and ICT third-party service providers. These include the likes of credit and payment institutions, investment firms, crypto-asset services providers, organisations in the insurance and retirement sectors, and even crowdfunding services, among others.
The regulations require organisations to focus on a range of key areas. These range from ICT risk management (including third-party providers), digital operational resilience testing and incident reporting, to information sharing and the implementation of an oversight framework for critical third-party ICT providers. As such, they have the potential to have far-reaching consequences for financial entities and ICT providers that operate without the proper processes or controls in place.
As an EU law, DORA will not apply directly in the UK, but – in a similar way to GDPR – it is relevant to many UK-based financial entities or ICT providers that supply services to organisations in the EU. They need to abide by its rules, with violations potentially leading to penalties of up to 2% of total worldwide annual revenue, depending on the severity of each case. If GDPR enforcement is anything to go by, EU regulators are fully focused on the rules, with over €4 billion levied on organisations in breach of GDPR since 2018.
Planning for compliance
So, less than a year out from oversight activities commencing, what steps can organisations take to ensure they are compliant? There are five useful foundational points:
- Form cross-department teams to coordinate an organisational approach. By bringing together leaders, experts, and stakeholders from areas such as IT, cybersecurity, compliance, risk, and legal, it becomes much easier to ensure the levels of collaboration that are essential for successful strategy development. Crucially, this approach also helps ensure that organisations can develop a comprehensive understanding of how DORA applies to them from a range of important perspectives.
- Push hard for leadership buy-in. Cross-department cooperation will also help uncover important and nuanced details contained within DORA. For instance, how many leaders will already know that the Board of Directors and CEO must possess the knowledge and skills to understand ICT risk and its impact? In an ideal world, therefore, senior management will understand and support the relevance and importance of DORA well before January 2025. Doing so can make a huge difference to the levels of authority, resources, and urgency that can be applied. Conversely, organisations that limit the scope of their efforts are much more likely to experience a compliance breach and the potentially severe penalties that could apply.
- Assess current processes, capabilities, and potential vulnerabilities. It’s crucial that any gaps between current security and resilience capabilities and the requirements set out by DORA are identified early. Any shortfalls can then be proactively addressed in a timely manner instead of as a reaction to a compliance breach.
- Update and establish clear resilience objectives. At the heart of any effective security and resilience strategy are clear and actionable objectives. DORA will bring the efficacy of these into sharp focus and push organisations to keep them under continual review. This will also allow teams to prioritise compliance activities and ensure that cybersecurity and resilience investment aligns with DORA at the earliest opportunity.
- Monitor and act on regulatory updates. Over time, it’s likely that EU authorities will amend DORA to ensure it remains fully relevant to the dynamic ecosystem it’s designed to protect. This means that organisations should establish a process to ensure they remain abreast of any developments that could impact their compliance levels. This should be supported by processes that refocus on gap analysis, prioritisation, and investment to form a virtuous circle where compliance always remains front of mind.
In an environment where regulations play an increasing role in determining the direction of cybersecurity strategy, it’s vital that organisations hone their approach to compliance in general. Doing so opens up the prospect of a win-win whereby digital security and resilience are given the emphasis they deserve, and fewer organisations fall victim to serious breaches. What’s almost certain, however, is that at some point in 2025 the first DORA-related enforcement action will be announced. Organisations that prepare now can minimise their chances of making the wrong kind of headlines.