The financial sector has to get up to speed with Digital Operational Resilience Act (DORA) regulation or risk potential criminal charges, says AJ Thompson, the CCO at IT firm Northdoor plc.
The Digital Operational Resilience Act is the latest piece of regulation to be introduced to ensure that businesses in the financial sector are resilient enough to withstand a cyber-attack. Although it is an EU-wide regulation, it is still relevant to UK businesses and is likely to be brought into UK law in the near future.
DORA provides a very specific set of criteria and instructions that will shape how organisations in the financial sector manage ICT and cyber risks. The financial sector in particular is under an increasing threat from cyber-criminals. The nature of the data held by businesses in the sector means that it is an incredibly tempting target and any loss of data can be hugely damaging for both organisations and their customers.
The monitoring of this regulation is also likely to be more stringent than that of others introduced in the past. There is a large emphasis placed on reporting, communication and assessments that will take place at regular intervals. This is not, then, a one-time tick-box exercise, but an ongoing process.
Five pillars of DORA
DORA has five core pillars that companies have to be aware of.
• ICT risk management
• ICT-related incident reporting
• Digital operational resilience testing
• ICT third-party risk; and
• Information sharing
Whilst all of these elements should be high up on the priority list of any financial sector organisation, this regulation is designed to ensure that companies are checking each of them regularly and reporting back on their effectiveness. Whilst risk management, incident reporting and resilience testing are all important elements for all organisations, the two pillars that stand out are the acknowledgement of the threat from third parties and information sharing. We have seen cyber-criminals target supply chains to hit organisations through the ‘back door’, and the relationship ICT companies have with their clients means that key systems are connected.
The information sharing element is also interesting. Sharing experience and information about cyber threats is increasingly important. Cyber-criminals are constantly changing and increasing the sophistication of their attacks. Therefore, organisations in the same sector securely sharing information about what these approaches look like can only be helpful in keeping the criminals out.
DORA enforceable in 2025 but companies have to act now
DORA came into force at the beginning of 2023, and over the next few months the regulatory and technical standards will be developed by the European Supervisory Authorities (ESAs), which draw up warnings and recommendations for risk mitigation in the financial sector across Europe and are affiliated with the European Central Bank.
By next year the ESAs will implement the standards, and by the beginning of 2025 the DORA requirements will be enforceable, with all financial companies expected to be compliant with the regulation by January 2025. Although this seems a long way off, companies need to start work now in order to ensure that they are ahead of the game. This is, after all, about ensuring resilience in the face of an increasingly sophisticated threat, so it can only be a good thing for the financial sector to ensure the right processes are in place sooner rather than later.
Whilst it seems that enforcement of the regulation will be proactive, there is still some uncertainty about the penalties for not being compliant. The way that the regulation has been introduced, however, points to some fairly hefty consequences. It has been suggested that a fine will be issued perhaps equal to one day's trading. There is also, unlike some other regulations, a criminal element, with charges likely to be brought against companies and individuals who do not adhere to the regulation.
This of course takes it to new levels and should act as a real warning to the financial sector to get their house in order or face the most serious of consequences.
How does the financial sector prepare for DORA?
Depending on the size of the organisation and the perceived risk of cyber-crime to it, financial companies have between one and two years to ensure adherence to DORA. Although companies should have many of the elements already in place, the scope, the regularity of scrutiny and the potential results of non-adherence make the task a daunting one for many, especially for those who have so far been unaware of the impending regulation.
In order to ensure adherence, and more importantly ongoing adherence, to the regulation, some are turning to IT consultancies and cyber security specialists. Not only does this take the pressure off in-house teams, but with partners able to offer whole teams of experts it means that there can be confidence that adherence is achievable.
It is also key to remember that the whole point of DORA is to ensure that financial institutions are able to withstand a cyber-attack or IT incident. Putting in place policies and strategies that ensure adherence will, as a result, also ensure that companies are better protected from attack and resilient enough to carry on business even if a cyber-criminal gets through.
An IT consultancy can keep a constant eye on the threat landscape as well as on any vulnerabilities within systems, helping to keep cyber-criminals out, ensure adherence to DORA and protect the financial sector from an increasingly sophisticated threat.