Kanwar Loyal, VP for Northern Europe & MEA – Cato Networks
For decades, the banking and financial sectors have struggled to contend with the increasing number of risks within their industry. The aftermath of the Global Economic Crisis between mid-2007 and early 2009 prompted a series of security initiatives to make banking and financial systems more resilient and robust against the continuously evolving market.
The latest EU regulation implemented to address the issue is the European Union Digital Operational Resilience Act (DORA). The act requires financial entities operating within the EU to ensure they have the necessary safeguards in place to withstand all types of ICT-related disruptions and threats. Organizations within the financial sector will be expected to provide evidence of their strategy to improve resiliency and demonstrate the processes in place by the given January 2025 deadline.
However, for those organizations still dependent on traditional static-based tools and legacy data centers, meeting the deadline for these DORA requirements may prove incredibly challenging, especially for many large financial and banking institutions that remain heavily reliant on traditional IT infrastructures that are too complex to evolve.
Traditional Tools and Technical Debt
The financial sector has struggled to contend with the rapid development of new technologies due to legacy IT infrastructures, which has led to an accumulation of technical debt. This commonly happens when organizations incur future expenses due to poor architectural decisions made in the present day. Such decisions can hinder infrastructure modernization, transformation, and agility, making organizations more vulnerable to cyberattacks.
For instance, many banks are hesitant to patch their systems for online banking due to the fear of taking systems completely offline for a significant period of time. However, this not only opens the possibility of facing substantial fines for failing to provide the necessary services to banking customers but also elevates the exposure to imminent threats. If patching is not conducted to address potential security vulnerabilities within the system, the door is effectively left wide open for cyber criminals to take advantage.
The most recent trend in technology has been the shift towards cloud computing. Traditionally, the banking industry has been hesitant to embrace cloud adoption, primarily driven by concerns about the ability of cloud service providers (CSPs) to meet the compliance standards set by the intricate regulatory framework that rigorously governs the sector, but how can the finance sector overcome this?
Moving Towards the Cloud
In recent years, a gradual shift has taken place in the banking and finance sector towards cloud adoption. This movement has gained momentum, particularly among innovative challenger banks like Monzo, Revolut, and Chime, which have surged in popularity. These banks leverage the cloud, specifically AWS, to deliver efficient services to banking customers.
Cloud adoption offers an array of advantages to the financial and banking sectors including the reduction of costs and increase of operational efficiency. Additionally, CSPs can help the banking sector to address security concerns such as data leakage, which is paramount to the industry. However, the complexity of cloud architecture can be difficult to navigate, especially for financial entities that have a presence in the cloud but continue to utilize traditional tools and legacy data centers. This has created blind spots in the infrastructure where imminent threats are left undetected and are at high risk of being exploited by the adversaries.
Regulators are acknowledging the effectiveness of the cloud as a platform for the financial sector. This parallels the approach taken by organizations in various industries when incorporating customer data into the cloud. However, DORA aims to ensure that adequate controls are in place to minimize the risks associated with cloud usage, thereby mitigating potential impacts on a nation’s economy.
Panic buying
In an effort to enhance cyber resiliency and comply with the impending 2025 DORA deadline, many institutions within the financial sector have resorted to hastily buying software solutions to address gaps in their IT infrastructure. However, these technology purchases often provide only short-term solutions that do not align with the business’s long-term plans.
Within the industry, traditional banks are resistant to altering their networks, while others are preparing for a migration to the cloud. This has led to an unnatural collision of two working cultures that must operate efficiently side by side to improve the overall cyber resiliency of the sector. Ultimately, the banking and financial industries need to implement a long-term strategy not only to meet the DORA deadline but also to prepare for future compliance regulations and imminent cyberattacks.
The impending DORA deadline is challenging financial entities, compelling security leaders in the industry to rethink their approach to cyber resiliency. Ideally, the sector could benefit from investing in a platform that utilizes new digital transformation to address a traditional problem in a simplified manner.