DORA compliance: what you need to know

by Mark Rowe

The regulatory landscape is tightening for European banking, financial, and insurance institutions, writes Nick Hogg, Director of Training at Fortra, which offers data protection services.

Besides adhering to various local and global legislations, these organisations must prove compliance with the Digital Operational Resilience Act (DORA) by January 17, 2025. DORA “sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services.”

This deadline will occur almost a year after the due date for PCI DSS 4.0 compliance, and serves as a reminder that as the threat landscape evolves, so does the legislative one. Although financial institutions are accustomed to operating in a highly regulated environment, these changes pose specific challenges.

How can financial organisations align projects to comply with all these laws?

Both DORA and PCI DSS 4.0 present excellent opportunities for financial organisations to re-evaluate their procedures for all compliance legislation and security requirements. Most financial services organisations already have many of the building blocks required to comply with DORA, but some of those may have been put in place a few years ago. DORA acts as the stimulus to perform a fresh review of all the systems, processes, and training to evaluate whether they are still relevant.

This is essential because, looking at some of the DORA compliance requirements, it is easy to understand that there is an overlap with similar conditions in GDPR. For example, DORA mandates the conduct of risk assessments when there is a significant change within the business network. At the same time, under GDPR, organisations must undergo a Data Protection Impact Assessment (DPIA) when implementing new projects.

Besides the overlaps, financial organisations can identify gaps or processes that need amendment. To do so, they need to assess and understand the current state of play. They can then introduce new processes, systems, or training to fill the identified gaps and build more resilience into their ecosystem.

With two years to prove compliance, there’s a danger that organisations may think there is plenty of time. However, they should view the period until January 2025 as an opportunity to take a fresh look at where their data is and map out the tasks they do to understand why they do them and if they are still required.

With all these regulations being updated and enforced, they serve as a mandate to take another look at security postures, and engage the executives to support ongoing compliance and security projects. This is important because being resilient and compliant raises an organisation’s status in a highly competitive market.

What can financial institutions do to lessen the burden of being compliant while doing business as usual? Entities that fall under the DORA requirements may consider following certain best practices to protect themselves from everyday cyber threats while building up their compliance.

Scoping and identifying overlap

The first step is identifying the risks faced and establishing the appetite for risk. Once these have been identified, organisations can then look at their existing policies, processes and defences to understand where existing elements can be reused or adapted to reduce the burden on the business. These steps will assist with prioritising projects and spending to ensure efficient use of resources.

Understand your environment

Having clear and consistent visibility into your infrastructure, whether on-premises or in the cloud, is essential to understanding whether something is at risk or poses a threat. Vulnerability scans, penetration testing and red team exercises are tools and techniques that help businesses identify those gaps that can be improved. Companies can increase the frequency of these scans and use automation to run them on a repeatable basis without impacting the teams involved. This increased visibility can help a company to respond to the small changes and risks more swiftly.

Understand the changes

Finally, it is not enough to think only about external attackers. Financial organisations must also account for the internal changes that may cause a system to break or halt. Configuration change management and file integrity monitoring can help to reveal exactly what has changed, when, and who made the change, preventing mistakes from crippling an entire organisation, as was the case with the recent FAA blackout in the US.

Automation

The first step is understanding what these entities need to do to remain secure and compliant. Once this is complete, they should start automating repetitive and complex security tasks and processes. Many security tasks can be automated, and if organisations can accomplish automation for as few as 20 per cent of those tasks, they can better allocate budget, time, and resources to prepare for DORA compliance and ensure everything falls into place.

Business continuity and resilience

While prevention is an essential strategy, organisations cannot stop 100 per cent of compromises. They need to be prepared for when something slips through the cracks of security controls. The critical question is how financial organisations prepare for such an event. All the regulatory frameworks recognise that organisations will eventually experience some compromise or downtime. What matters, therefore, is how quickly businesses get back on their feet. Resilience, after all, means not only withstanding an attack but also recovering from it promptly and efficiently. Hence, balancing prevention with response is a mature approach to security and compliance.

Information sharing

Information sharing can become an effective strategy for limiting the burden of identifying threats. The lessons learned by other companies in the sector can help financial organisations to be better prepared. For example, they may alter the blocking rules in the email security platform or amend their preventive controls to match the evolving landscape. Either way, information sharing is valuable threat intelligence that needs to be leveraged to minimise the ongoing impact on the security and compliance teams.

A prioritised list of actions for quick wins

The following actions could earn financial organisations some quick wins on their path to DORA compliance.

Realise the status

The first step is understanding what they need to do, the current state of play, and what projects are running. Based on this picture, they can then begin implementing their plans. However, it is essential to realise that compliance cannot be achieved at the flick of a switch. Compliance, like security, will always be ongoing.

Treat internal and supply-chain risks

The second item on the list is to mitigate the threats to infrastructure and software that might damage resilience. Although external attacks are the obvious part of the equation, businesses should not underestimate the mistakes that employees can make. A simple inattentive moment can result in an employee clicking on a malicious link or opening an infected attachment. The best way to prevent this is to make security a constant presence, both technically and logically. Technical data loss prevention tools, as well as security awareness training, can augment existing controls.

Another necessary component for mitigating these threats is focusing on the third-party supply chain, which is also a critical ingredient of DORA compliance. Businesses must get visibility into the risks from suppliers and partners, especially those introduced through software or applications. This is best achieved with careful review to make sure that these external parties meet the standards of the hosting organisation.

Discover hidden vulnerabilities

Financial organisations must invest in vulnerability scans and pen testing to ensure ongoing compliance and solid risk management. Both are valuable tools because they give a complete understanding of the posture and the gaps. They provide valuable insights and information that security teams can leverage to strengthen compliance and security and to get buy-in from the executives to allocate budget and resources to implement projects. The data from these scans and tests can also become instruments to help re-prioritise tasks and projects because they provide a more representative glimpse of what could happen if an attacker exploits these risks. Pen tests and vulnerability scans can determine the real-world impacts that may not be realised in a risk assessment.

Partner with a managed service provider

Another important consideration is evaluating whether a financial organisation has the capacity to become compliant, or needs to hire additional resources. Buying the tools required for security and compliance is just one step. Organisations also need to consider the administration and management that will result from these additional resources. Hiring security professionals to build a security team is hard, and organisations must provide training to retain them. This is the best time for financial companies to consider managed security services, like detection and response, or data loss prevention. A managed service provider greatly extends the existing security team and is a cost-effective approach to security and compliance.

Train your employees

Financial organisations must also focus on training their employees in security awareness. Training must be as up-to-date and effective as possible. A good strategy is to focus on one topic a month, and avoid overloading people with acronyms and technical jargon. The content must be relevant to the employees’ day-to-day operations and provide the context required to understand why a lack of security can cause a massive problem for an organisation.

Build additional layers of defence

Training is enormously effective; however, businesses need additional layers of defence to fortify themselves against evolving threats. These technology layers can help detect phishing emails, ransomware, and malware, and prevent an attack from crippling the infrastructure or the ability to do business.

DORA compliance is a strategic advantage

Being DORA compliant is a strategic advantage in a highly competitive world. While two years might feel a long way off, the date for compliance with DORA will come round quickly, and companies should begin their journey today. As there is much overlap with other regulations, these institutions can orchestrate their daily activities and projects to maintain compliance and security. Taking this approach indicates that your organisation respects your customers’ needs, and provides them with the safest environments possible.

© 2024 Professional Security Magazine. All rights reserved.