Fredrik Forslund, Vice President and General Manager International, Blancco
In January 2025, the Digital Operational Resilience Act (DORA) will come into force. This new European Union (EU) law is aimed at strengthening the cyber resilience of financial services organizations to help prevent any major IT disruptions in the future. Unlike the EU’s GDPR which added new requirements for businesses to ensure sufficient protection of personally identifiable information (PII), DORA focuses on the operational resilience of financial firms specifically, and their ability to withstand, respond to, and recover from cyber-attacks. Additionally, DORA regulates the third-party ICT service providers that financial entities use.
The entire financial services ecosystem will be impacted by DORA. Those that have not implemented the necessary changes to comply with it yet have very little time left to do so and run the risk of being fined up to 2% of their annual revenue. Every new regulation also brings its challenges and considerations for how to manage data and sensitive information. So, what should financial services organizations be paying close attention to both now and in the DORA era?
Straightening up posture
There’s no doubt that the financial services industry processes and stores some of the most sensitive information available. As a result, cybersecurity is a huge priority for many in this space. We’ve seen evidence of this in Mastercard’s acquisition of threat intelligence giant Recorded Future earlier this year, along with the increasingly complex regulatory environment defining data privacy and security.
Yet one issue that still affects many financial services firms is the amount of data they store. While data is arguably the “lifeblood” of today’s businesses, storing too much of it creates more problems than it solves. It results in a wider attack surface and liability if there is a breach. When we spoke to banking and financial sector organizations around the world, we found that ‘data bloat’ remains a significant problem for the industry and this is only being exacerbated by the growth of the cloud. While starting digital transformation journeys is vital for maintaining a competitive edge, a worrying 67% of financial services professionals see the switch from analog to digital as increasing the amount of redundant, obsolete, or trivial (ROT) data collected.
To address this problem, organizations need to understand and comply with best practices for end-of-life (EOL) data disposal and recognize how this acts as a foundational pillar of basic cyber hygiene. For example, it’s crucial that organizations classify all data, so they know what data they hold and can determine when it reaches EOL. They also need to ensure this EOL data is properly sanitized and permanently erased, a process that will need to be approached differently in the cloud compared to on-premises. Not following data management best practices will ultimately lead not only to increased cybersecurity risk, but could also jeopardize compliance with GDPR and, in the not-too-distant future, DORA too.
Underlining third party risk
What does this new regulation really mean for organizations struggling with data management? One big focus of DORA is third-party risk and how businesses can control the chain of custody – not simply improving their own resilience but ensuring their supply chain remains secure at all times too.
Whenever a computer, hard drive, server, or smartphone changes hands (for example, when a company resells, donates, or relocates equipment between different people), the chain-of-custody concern is not the value of the asset but the sensitivity of the data that sits on it. In short, DORA will underscore third-party risk analysis and interrogate whether financial services organizations are on top of how their IT assets are processed, how this processing is then audited, and who controls it to avoid human error and data loss.
DORA requirements include not just the identification and assessment of critical third-party service providers (assessing their criticality based on their impact on operations and the level of risk they may pose), but also the ongoing monitoring and oversight of these third parties (to ensure they comply with contractual requirements, manage risk, and maintain resilience). Part of this will need to involve assessing their data security practices and should also include how they handle EOL data. This means both erasing data when it reaches EOL and securely decommissioning the old assets that store this data. As part of a “vetting” process, organizations should be checking that vendors can:
- Comply with various sanitization standards for EOL processes, including newer standards such as IEEE 2883 and ISO 27040.
- Provide EOL reporting to allow you to understand when and where data is erased.
- Show what their practices are for sending assets outside of the organization for repair, maintenance, and disposition, along with their process for how backups are maintained and erased.
Auditable and automated
Third-party asset and data management is only one part of the puzzle. DORA also puts extra pressure on financial organizations to audit and automate their own asset management processes as part of the ‘Risk Management’ and ‘Resilience Testing’ regulatory pillars. How they manage assets at EOL needs to be extremely well documented. For example, if an organization has 1,000 laptops that it is planning to replace, it’s vital to create a detailed report about how and when those devices were properly sanitized. This means there’s no uncertainty about whether there could be a data leak in the case that one of those laptops is lost or stolen.
Importantly, this isn’t just a matter for the IT team. Data sanitization is a C-level requirement. While organizations will be utilizing any number of solutions to protect their data, they will need to conclude at some point that this data is beyond retention. There needs to be an understanding of when data reaches end of life, and an automated replacement of assets when this occurs. Technology today allows financial services firms in London to automate remote sanitization in Singapore, for example. The documents and certificates that make up the supporting audit trail in these situations mean the steps taken as part of a firm’s overall cybersecurity policy can never be questioned.
Finally, in the case of resilience testing, a key part of DORA compliance, data sanitization again needs to be considered. Take a test of data backups as an example. After the exercise, in which data will have travelled from A to B, organizations need to consider their processes for then removing this data. Once again, erasure is vital alongside a verifiable audit trail to prove that data management best practice is front of mind.
A lot of companies preparing for DORA haven’t always thought about their data lifecycle. But the reality is that in less than six months, financial services organizations need to be compliant with all five critical pillars of this regulation. Minimizing data bloat internally, along with assessing and interrogating third parties, and relying on automation and auditing will be vital not only for DORA compliance, but also for improving overall security posture in a world defined by data.