Oct 15, 2024

Leigh Glasper 15 October 2024, 01.56pm In this contributed piece, Leigh Glasper, director of cyber advisory at BlueVoyant , discusses the Digital Operational Resilience Act (DORA) and its impending impact on the financial services industry. In February 2016, it was reported that threat actors exploited vulnerabilities in the SWIFT banking network to steal more than $80 million from the central bank of Bangladesh. SWIFT, the global financial system’s main electronic payment system, which processes billions of dollars of transactions every day, was unprepared for the threat of a major cyber-attack. The incident served as a pivotal wake-up call for the entire financial services industry, highlighting the previously underestimated systemic risks posed by unsecured systems. It reinforced the need for stronger security controls, safeguards and a more proactive approach to cybersecurity across the sector. Today, organisations understand that it’s a matter of when – not if – their organisation or supply chain is targeted with a cyber-attack. Threats continue to increase in sophistication and frequency, particularly when it comes to ransomware. The goal of ransomware attacks is to steal or deny valuable data with the aim to extort organisations to pay to get it back, or stop them from releasing it. The amount of ransom is proportionate to how valuable the data is, and with any industry that handles personal identifiable information (PII), the potential impacts and penalties are very high. It’s why the finance sector is one of the highest profile targets, with individual and business’ account information highly sought after. In part, because of this, the European Union announced the Digital Operational Resilience Act ( DORA ), to help the European financial sector pre-emptively weather-the-storm of severe cyber disruption. What is DORA? The main objective of DORA, which goes into effect on 17 January 2025, is to address cyber-risk management in the financial services sector, and unify the disparate network of regulations that already exist in member states across the EU. This often creates confusion for multinational financial institutions, leading to regulatory gaps, overlaps, and conflicts that increase their vulnerability. Navigating this complex web of rules is critical to safeguarding their operations and ensuring compliance. DORA covers four main areas: Security Risk Management and Governance Incident Response and reporting Third-party risk management The first area, security risk management and governance, is designed to make an organisation’s management team responsible for the security of its systems. The senior leadership team of the organisation is expected to have up-to-date knowledge of the cyber-risk landscape, define necessary risk management strategies, and assist in executing them. Board and executive level members are accountable and can also be held responsible for a failure to comply with DORA. Second, DORA defines what classes as a cyber incident, and whom an organisation should report to in the event of a breach. This is to ensure that financial institutions accurately and quickly report the details of an incident to the correct authorities, and unify this process across EU member states. DORA also enforces that organisations put in place systems for monitoring, managing, logging, classifying and reporting cyber incidents. Third, DORA aims to ensure that financial institutions regularly test their security protocols, and make sure any vulnerabilities are discovered and patched before they can be taken advantage of. This includes carrying out basic tests once a year, such as vulnerability assessments. Organisations that are deemed to play a critical role in the financial ecosystem are also expected to carry out penetration testing once every three years. Finally, financial institutions under DORA are expected to take an active role in managing their third-party cyber risk posture. Threat actors often exploit weaker links within a supply chain, targeting less secure organisations as an entry point. From there, they move laterally, infiltrating larger, more valuable companies, and putting the entire ecosystem at risk. This tactic underscores the importance of fortifying every part of the supply chain. Financial institutions require third parties to provide vital services, which extends the attack surface considerably. DORA mandates that financial firms only work with third parties that can secure their systems, while also preventing over-reliance on a small group of providers for critical functions. Steps to take before DORA becomes law While the specifics of DORA are still being finalised, businesses can take certain steps to prepare for potential compliance requirements. Companies must stay informed of any developments related to DORA and any guidelines or requirements that may be issued. Understanding the implications of the legislation and the steps needed to achieve compliance is the best way to ensure compliance. Another key activity that can be done before January 2025 is to thoroughly assess current resilience capabilities and identify any areas that may need improvement to align with the expected requirements of DORA. Identifying gaps early on and establishing activities to address and mitigate risks will go a long way in preparing for DORA. There are also other frameworks like ISO27001, NIST 2, and CIS18 that can be valuable for organisations looking to enhance their cybersecurity posture and align with the likely requirements in DORA. These frameworks provide a structured approach to information security management, risk assessment, and compliance, helping organisations establish robust security controls and practices. Recommended reading UK businesses aren’t exempt from DORA, either. Although not an EU member state, companies within the UK need to be abreast of how it affects them, particularly if they are engaged with EU entities and customers. The upcoming UK Cyber Security and Resilience Bill, due for release in 2025, will set out the legislative conditions for UK based companies to comply with. Using DORA to help strengthen resilience It is important for organisations not to view DORA as simply a tick-box exercise – it will have wide-ranging operational and security implications for how businesses operate. Instead, it should be seen as an opportunity and revenue-driver, enabling businesses to offer increasingly secure and resilient solutions. This will not only ensure that organisations will avoid being fined for non-compliance, but will also protect critical systems against breaches – and give them an edge over less resilient competitors.