By: Andy Norton, European Cyber Risk Officer at Armis
January 2025 marks the EU’s Digital Operational Resilience Act (DORA) deadline. Despite it having been on the regulatory horizon for some time, many financial institutions, burdened by legacy systems and a patchwork of software applications, still find themselves ill-prepared to meet DORA’s stringent requirements.
It’s imperative for financial institutions and critical third parties to assess their cybersecurity posture in what little time is left. And as cyber threats continue to evolve, organisations must prioritise a top-down, board-led approach to remain compliant.
The industry’s biggest concern isn’t wilful non-compliance, but the durability of their defences. Are their cyber fortresses built on bedrock or quicksand?
The sands of time are running out
The rise in cyberattacks targeting financial institutions, particularly those originating from third-party vendors and service providers, continues to be a crucial issue. This year alone, the likes of Banco Santander, a Spanish multinational bank, and the cryptocurrency exchange Gemini have fallen victim to breaches via third parties, showing that many organisations still only discover their supplier exposure after the fact and remain reactive in their security posture.
Between DORA, the Payment Services Directive 3 (PSD3) and the UK’s recent Cyber Security and Resilience Bill, more and more regulations are being imposed across the board, and this approach of ‘reactive firefighting’ will no longer suffice. For many, the increased costs of meeting compliance have become a burden, especially as firms need to manage both local and EU frameworks. Moreover, 35% of UK IT leaders within the financial services sector acknowledge that their firms lack sufficient budget allocations for cybersecurity programmes. A further 26% report a lack of cybersecurity commitment from their boards to foster a robust cybersecurity culture.
As a result, many firms are either unaware or woefully unprepared and risk severe penalties for non-compliance, including significant financial repercussions that would impact a firm’s bottom line. For example, the Intercontinental Exchange, which owns the New York Stock Exchange, was recently fined $10m by the SEC for failing to promptly report a cyber intrusion into its operations, showing the consequences awaiting those who fall short of regulatory expectations.
Adding to this complexity is the difficulty of managing and integrating an array of cybersecurity tools, which becomes most obvious when a firm tries to map its dependencies. Most enterprises will have over 130 security tools, yet many of those will be siloed, unable to interact with each other and unable to provide a comprehensive view of the firm’s entire security ecosystem. Each tool sees only the assets it was pointed at, so nobody holds a single list of what is actually on the network, who owns it and what it depends on. This lack of visibility makes it difficult to identify and address dependencies, leaving unforeseen risks and, eventually, breaches.
When you throw AI into the mix, which is now accelerating attacks to the point where 53% of global IT decision makers are concerned about its impact, firms find their digital sandcastles at risk of collapsing. So, what can be done?
From sandcastles to strongholds
Financial institutions must first and foremost return to the basics and ensure strong cybersecurity fundamentals. Firms should shore up the likes of multi-factor authentication (MFA), firewalls, network visibility and regular software updates to form a strong security foundation. These measures, coupled with regular risk assessments, provide a baseline defence against ever-increasing threats.
Automation is another crucial element, allowing institutions to efficiently manage the sheer scale and volume of modern threats. Without automation, the manual oversight of tens of thousands of physical and virtual assets becomes impossible. Understanding and managing every device on the network is fundamental. No matter how new or ‘state-of-the-art’ various security tools are, if an organisation cannot see, identify and secure all its assets, the security posture remains weak: a device that is on the network but absent from the inventory has no owner, no patch status and no agent, and no detection rule will ever fire for it.
Equally important is adopting a unified approach to security management. Bringing all security tools and processes under a unified management system creates better visibility, faster response times and more streamlined operations.
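The two paragraphs above argue that visibility and a unified view are the foundation, but they do not show what a gap in that view looks like in practice. The following is an added example, written for this article and not Armis code or a product feature: it reconciles three constructed exports (devices observed on the network, hosts with an endpoint agent, and the CMDB) and reports every asset that falls between the tools. All field names, device classes and sample records are assumptions for illustration; real exports would be pulled from the firm's own sources. One practical detail it handles is that switches, DHCP servers and agents each write MAC addresses differently, so records must be canonicalised before they can be joined at all.

```python
"""Asset-coverage gap check (added example; not Armis code).

Joins what the network sees against what the security tooling knows and
reports the assets that fall through the gaps between tools.
"""
import re


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so records from different tools join correctly.

    Cisco-style switches emit 0011.2233.4401, DHCP logs emit 00-11-22-33-44-01,
    agents emit 00:11:22:33:44:01; without this step the joins silently miss.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Assumption for the example: device classes that can run an endpoint agent.
# Anything else (ATMs, printers, building systems) needs network-side
# monitoring instead, because no agent will ever report for it.
AGENT_CAPABLE = {"workstation", "server"}

# Constructed sample: devices seen live on the network, with the mixed MAC
# formats real sources produce.
NETWORK_OBSERVED = [
    {"mac": "00-11-22-33-44-01", "ip": "10.1.0.11"},
    {"mac": "0011.2233.4402", "ip": "10.1.0.12"},
    {"mac": "00:11:22:33:44:03", "ip": "10.1.0.13"},
    {"mac": "00:11:22:33:44:09", "ip": "10.1.0.99"},  # in no inventory at all
]

# Constructed sample: hosts whose endpoint agent is reporting in.
EDR_AGENTS = [
    {"mac": "00:11:22:33:44:01", "hostname": "trade-ws-01"},
]

# Constructed sample: CMDB records (names, owners and classes are made up).
CMDB = [
    {"mac": "00:11:22:33:44:01", "name": "trade-ws-01", "class": "workstation", "owner": "trading-it"},
    {"mac": "00:11:22:33:44:02", "name": "swift-gw-01", "class": "server", "owner": "payments"},
    {"mac": "00:11:22:33:44:03", "name": "branch-atm-07", "class": "atm", "owner": "retail-ops"},
    {"mac": "00:11:22:33:44:05", "name": "old-db-02", "class": "server", "owner": "payments"},
]


def coverage_gaps(network, edr, cmdb):
    """Return the assets that sit between the tools, grouped by what is missing."""
    seen = {norm_mac(d["mac"]): d for d in network}
    agents = {norm_mac(d["mac"]) for d in edr}
    known = {norm_mac(d["mac"]): d for d in cmdb}

    gaps = {
        "unknown_on_network": [],  # live, no CMDB record: no owner, no patch status
        "agent_missing": [],       # live agent-capable asset with no EDR telemetry
        "agentless_live": [],      # live, cannot run an agent: needs network monitoring
        "cmdb_not_seen": [],       # in CMDB but not on the network: stale or offline
    }
    for mac, dev in seen.items():
        rec = known.get(mac)
        if rec is None:
            gaps["unknown_on_network"].append({"mac": mac, "ip": dev["ip"]})
        elif rec["class"] in AGENT_CAPABLE and mac not in agents:
            gaps["agent_missing"].append(rec["name"])
        elif rec["class"] not in AGENT_CAPABLE:
            gaps["agentless_live"].append(rec["name"])
    for mac, rec in known.items():
        if mac not in seen:
            gaps["cmdb_not_seen"].append(rec["name"])
    return gaps


if __name__ == "__main__":
    for bucket, items in coverage_gaps(NETWORK_OBSERVED, EDR_AGENTS, CMDB).items():
        print(f"{bucket}: {items}")
```

On the constructed data the check surfaces one device nobody has recorded, one payments server with no agent, one ATM that can only be watched from the network, and one CMDB entry that has not been seen and probably belongs to a decommissioned host. Each of those is a different kind of blind spot, and a siloed tool would show at most one of them; the point of a unified view is that all four land in a single report with an owner to chase.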
Once these fundamentals are sorted, the next step is advanced solutions like AI-powered threat intelligence. By using AI, institutions can transition more effectively to a proactive defence strategy, identifying exposures and active threats before they are exploited rather than after the damage is done. AI-driven tools continuously scan for potential entry points and monitor both surface and dark web activities, enabling real-time threat detection and situational awareness. These tools are only as good as the inventory they are fed, which is why they belong after, not instead of, the fundamentals above.
Building on solid ground
DORA presents a pivotal moment for the industry as it brings technology, businesses and external partners under direct scrutiny. Yet, it’s not just about ‘meeting’ compliance. It’s about securing the organisation from the rising tide of threats. Firms must take action to solidify this groundwork so that their defences can withstand the new age of compliance and cybersecurity.