By Andrew Carr, Managing Director, Camwood
The financial sector is increasingly looking towards technology as the way to introduce new products and services and achieve competitive differentiation. But this reliance opens up avenues for cyber hackers to exploit weaknesses, and it’s a risk that the World Economic Forum has taken note of. Funding issues, reputational damage and a detrimental impact on other critical services could ensue from a successful attack, and the EU is making moves to counteract the threat.
The Digital Operational Resilience Act (DORA) will be applied on 17th January 2025. It’s a framework that makes prevention the priority, with the IT security of financial entities including banks, insurance companies and investment firms coming under its scope. Primarily applying to EU-based firms, UK organisations that work in EU markets also need to be compliant. With the implementation date nearing, businesses should review their preparations and ensure everything is ready, with a particular focus on their data management processes.
The details behind the regulation
The DORA regulation encompasses several key areas, including ICT-related incident reporting, digital operational resilience testing, ICT risk management and even monitoring of primary third-party providers. It also emphasises information sharing for exchange of data and intelligence around the latest cyber threats. Failure to comply can bring significant consequences. Fines can be up to 2% of total annual turnover or up to 1% of average daily turnover worldwide.
Firms need a strong understanding of their data to meet the criteria, such as timely reporting of cyber incidents and sharing relevant intelligence. For example, there needs to be awareness of where each piece of data is located, who has recently accessed it, the access permissions attached to it and the type of storage being used. For numerous businesses, this information isn’t privy to them. A mixture of data is likely to sit in a complex mix of cloud, on-premise and multi-cloud deployments.
Data in numerous locations
A significant amount of data is hiding in places that financial organisations aren’t aware of. This is not because of any malicious activity, but simply due to natural data sprawl in different hosting solutions over so many years. Multi-cloud has achieved widespread adoption, with nine-in-ten organisations following this strategy according to the Flexera 2024 State of the Cloud Report.
This widespread distribution of data complicates locating specific information for sharing and presents security risks that jeopardise compliance with the DORA regulation. For example, it’s possible to have multiple copies of the same sensitive document stored in different locations. This not only wastes available storage space, but also increases the chances of unauthorised access to the data.
Supplier relationships are another key aspect of the regulation. Strategic partners will likely need access to a specific part of a financial firm’s system, and this data must be readily available, all while ensuring they can’t access other sensitive information. If a supplier fails, is the financial firm able to call on a readily available list of alternative service providers to ensure continuity? Data needs to be organised and in the right place for this to be made a reality.
Organising data
Achieving DORA compliance requires organising data into a manageable structure through several key steps. This starts with a data audit or assessment to identify data locations, storage types, retention periods and last access dates. This process provides a snapshot of the current data situation and highlights any necessary changes or alterations before January.
Next, fragmented data can be relocated from obscure locations to more logical ones and be clearly tagged. This allows users to easily identify data for sharing or reporting purposes. Duplicate documents can be identified and deleted in a move to free up space, reduce storage costs and lower cyber risks.
Finally, access controls and governance can be implemented to ensure that only authorised personnel, whether internal or external, can access specific data. Previously, 73% of leaders and employees have admitted that a lack of trust and data overload has hindered decision-making. With data properly organised, leaders and staff can make informed decisions based on accurate and trusted insights.
Planning ahead
As the financial sector increasingly relies on technology to move ahead with innovation, it must also address the associated risks. With the application date of DORA looming, which has strict requirements including incident reporting, ICT risk management, operational resilience testing and third-party oversight, firms need to tackle their data challenges head-on by assessing their current situation and implementing sufficient data management practices.
Data sprawl is a significant challenge, but detailed audits and structured data management can reduce risks and enhance operational resilience. By identifying where data is sitting, eliminating any duplicates and integrating strict access controls, financial organisations can ensure compliance while simultaneously strengthening their defences against cyber threats.
