Shilpa Doreswamy, Retail Banking Sector Director at GFT
AI-driven cyberattacks are accelerating globally, with 87% of organisations affected in the past year. Financial services and fintech firms remain the top targets. As a result of the rise in cyberattacks, banks are likely to experience outages and downtime, which can have severe repercussions and cause financial and reputational damage. For example, over the past two years, major UK banks and building societies have collectively experienced more than one month’s worth of IT failures. Barclays alone expects to pay between £5m and £7.5m in compensation to customers for “inconvenience or distress”.
To prevent IT outages within financial institutions, the EU’s Digital Operational Resilience Act (DORA) entered into force on 16th January 2023, and its compliance requirements are now taking effect as of 17th January 2025. The act provides an intricate framework of regulatory requirements that financial institutions must follow to strengthen their digital resilience and ensure continuity of services during disruptions. UK financial firms operating in the EU are required to plan strategically and bolster their security measures to meet DORA’s stricter resilience requirements, which focus on IT risk management, incident reporting, operational resilience testing and third-party risk management.
Acknowledging the rising threat of sophisticated cyberattacks on financial institutions, DORA places a high emphasis on cybersecurity as a cornerstone of operational resilience. As financial institutions become increasingly reliant on cloud-based services, big data and artificial intelligence, the risk landscape becomes all the more lucrative, necessitating stronger cybersecurity measures.
AI is accelerating the scale and complexity of cyberattacks
The financial services sector is experiencing increased digitisation. And whilst digital transformation comes with huge benefits, including improved agility, new product offerings and enhanced customer service, potential risks shouldn’t be overlooked. Banks’ increasing reliance on data raises cybersecurity concerns. Moving to the cloud and adopting AI-powered analytics means banks are handling vast amounts of sensitive customer information. So, whilst the level of personalisation enabled by AI in banking has enormous potential, it also faces resistance from some consumers concerned about data protection.
Additionally, the increasing use of AI provides malicious actors with many opportunities. AI is now being used by cybercriminals to conduct faster and more advanced attacks which have greater consequences and are harder to detect. Hackers have a wide range of AI tools at their disposal to create convincing phishing emails, fake websites, impersonate banks’ customers, or inject malicious prompts or code into financial institutions’ IT systems. In fact, research from McKinsey & Company shows that there has been a 1,200% surge in phishing attacks since the rise of generative AI in late 2022. What’s more, with machine learning, bad actors can now analyse an organisation’s defences in real time to identify and exploit vulnerabilities. What once took hours or days to execute can now be done in seconds and at scale, with great precision.
The implications of DORA for organisations
Despite growing awareness of the importance of cybersecurity to combat increasingly complex cyber threats, many organisations are still struggling to maintain adequate cybersecurity defences. DORA makes it crucial for businesses in the financial services sector to upgrade their cybersecurity. The aim for organisations is to be able to adapt to new risks by automatically identifying potential vulnerabilities before they are exploited. So, under DORA, operational resilience goes beyond disaster recovery. It’s now about an institution’s ability to adapt and respond to prolonged disruptions, whether from cyberattacks, pandemics or geopolitical events. As such, compliance with DORA requires financial institutions to maintain business continuity and business recovery plans (BCPs) that are regularly tested and updated to meet new and evolving threats. Financial institutions need to ensure that their operational resilience strategies are fully integrated across all levels of the organisation.
Another important requirement of DORA is the management of third-party risk, given the heavy reliance of financial institutions on external vendors for critical services such as cloud computing, payment processing and data analytics. The risks associated with these third parties, particularly in relation to cybersecurity and service continuity, can be substantial as exemplified by the various cyber breaches against banks and financial institutions. More often than not, such breaches are borne out of exploiting vulnerabilities in the security postures of a third-party provider.
Zero Trust as the key solution
As fraud becomes more sophisticated, financial institutions must evolve their security strategies, and Zero Trust architecture offers a robust framework for doing so. ‘Zero trust’ refers to the principle that every request to access an organisation’s systems should be carefully reviewed. This means that no user or system is trusted by default; all are subject to identification and authentication checks. This helps set clear boundaries between the applications users are accessing and the resources available to them. And even after access has been granted, all activity is monitored on an ongoing basis to identify potential malicious behaviour that could compromise digital banking systems. This continuous verification enhances visibility into potential threats and facilitates compliance with regulatory standards.
Building compliance and resilience through Zero Trust
With DORA now in force, financial institutions are under growing pressure to demonstrate they can manage operational and cyber risks, not just on paper, but in practice. And as AI-powered cyberattacks grow in speed and sophistication, traditional defence strategies are falling behind.
Zero Trust provides a powerful, actionable framework for aligning with DORA’s cybersecurity and resilience requirements. By enforcing strict access controls and continuous verification, it ensures robust defences across systems and third-party integrations.
To further reinforce security, mutual transport layer security (TLS) can be implemented as a core design principle, enabling secure authentication with third-party entities over the internet. By adopting such measures, digital banks can build a resilient security foundation that safeguards against evolving threats whilst preserving customer trust and operational integrity.