Transforming Cybersecurity in Finance: Preparing for DORA
A plethora of new cybersecurity regulations have been enacted in the EU, impacting organisations across member states and those outside the region who do business within the region.
One of these laws is the Digital Operational Resilience Act (DORA). Passed by the EU in January 2023, it will be enforceable as of 16 January 2025. This legislation applies to organisations in the critical financial sector, including banks, insurance and investment companies.
Additionally, the requirements apply to third-party IT providers to the financial industry.
DORA’s primary focus is to enhance cyber resilience in the financial sector, reducing the prevalence and impact of critical disruptions from cyber events.
As with other recent EU cybersecurity legislation, like the Network and Information Systems (NIS2) directive, DORA carries powers to impose severe penalties for non-compliance.
Financial penalties for non-compliance with DORA include fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership.
Therefore, it is vital that financial institutions have strategies in place to comply with the new measures ahead of the January 2025 deadline.
Why DORA is Needed
DORA will take precedence over any other EU cybersecurity law for those organisations it applies to. This means financial entities will generally be subject to stronger cybersecurity requirements than other sectors in the region.
This highlights the critical nature of the financial sector and the enormous global damage that could be caused by attacks on the IT systems financial organisations use as part of their day-to-day operations.
In October 2023, insurance giant Lloyd’s of London published a systemic risk scenario of a cyber-attack on a major financial services payment system, which it calculated could result in global economic losses of $3.5trn.
The finance sector is a target for both financially-motivated cybercriminals and nation-state actors alike due to the critical data and services it provides.
Speaking during a recent Infosecurity Magazine webinar, Toby Sibley, Security Expert at PA Consulting, said that cyber risks to the financial industry have been “turbocharged” by rising geopolitical instability.
This includes nation states like Russia giving free rein to ransomware groups that operate within their borders.
“Increasingly the brakes are being taken off and that means a swathe of organisations now are fair game, including critical infrastructure in the financial sector,” said Sibley.
Sibley explained that DORA is a harmonization effort, building a joined-up approach to operational resilience in finance in the EU where there is currently a patchwork of laws.
The Five Pillars of DORA
DORA has five pillars to boost cyber resiliency in the finance sector, requiring covered entities to develop robust strategies in each area.
IT Risk Management
Board members and other senior business leaders are expected to define appropriate risk management strategies and actively assist in executing them. This involves continuously mapping their ICT systems and documenting dependencies between assets, systems, processes and providers.
Additionally, entities will need to establish business continuity and disaster recovery plans for various cyber risk scenarios, such as ICT service failures, natural disasters and cyber-attacks.
Incident Reporting
Incident reporting requirements are particularly stringent under DORA, with organisations required to provide initial notification to the relevant authorities just four hours after determining that an incident is major. Any event, major or less severe, is to be reported within 24 hours of detecting the incident.
Covered entities must establish systems for monitoring, managing, logging, classifying and reporting ICT-related incidents as part of this process.
Operational Resilience Testing
Organisations must test their ICT systems regularly to evaluate the strength of their protections and identify vulnerabilities. Reports detailing the results of these tests and plans for addressing any weaknesses found must be submitted to relevant competent authorities. Entities are required to carry out basic tests, like vulnerability assessments and scenario-based testing, once a year.
Third-Party Risk Management
Financial firms will be made liable for third-party security. Under DORA, entities must negotiate specific contractual arrangements with third-party ICT providers in areas like exit strategies, audits and performance targets for accessibility, integrity and security.
Organisations will not be allowed to contract with ICT providers who cannot meet these requirements. Additionally, financial institutions will need to map their third-party ICT dependencies and ensure their critical and important functions are not concentrated with a single provider or small group of providers.
Information Sharing
The law will force financial organisations to establish processes for learning from both internal and external ICT-related incidents. To assist with this requirement, DORA encourages covered entities to participate in voluntary threat intelligence sharing arrangements.
This includes encouraging the creation of mechanisms for sharing cyber threat intelligence and development of trusted relationships with peers and partners. Financial firms are recommended to leverage the TIBER-EU Framework to enact red team testing and work with peers to improve collective cyber resilience.
Conclusion
DORA is one of a series of new cybersecurity laws passed in the EU, primarily to reduce the risk of cyber events that prevent critical services from running.
This includes the financial sector, which provides the foundation of the global economy. The DORA legislation places significant new cybersecurity obligations on organisations operating in this industry, and compliance will be challenging, with substantial overlap with other regulations.
Collaboration will be key to ensuring financial firms comply with DORA, both between individual companies and their suppliers and across the wider sector, putting aside commercial rivalries.
Hopefully it is an approach that will take hold more broadly, as organisations of all types and sizes grapple with increasing and more sophisticated attacks.