The financial services industry is a significant target for threat actors regardless of their motivation. Integral to the economy, financial institutions are the gatekeepers of our money transmission system. This makes them an attractive target for those who wish to make criminal gains, obtain intellectual property, or disrupt the fabric of society for ideological or geopolitical reasons.
The financial services industry is a leader in the use of technology, resulting in the rapid expansion of an already significant attack surface. That attack surface now goes beyond traditional infrastructure, extending into a complex supply chain and, because of liability, ultimately to their customers as well.
To address these challenges and ensure the resilience of the financial sector, the European Union (EU) has introduced the Digital Operational Resilience Act (DORA). DORA aims to create an EU-wide regulatory framework that ensures financial institutions are prepared for and can withstand digital disruptions. For banks, insurance companies, investment firms, and any other entity within the financial ecosystem, understanding and complying with DORA is crucial.
What is the DORA Regulation?
DORA, officially known as Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, was adopted by the European Parliament on December 14, 2022. It is part of a broader legislative package known as the Digital Finance Package, which includes regulations aimed at enhancing the digital transformation of the financial sector while ensuring its stability and security.
DORA is primarily intended to ensure that financial institutions have robust digital operational resilience, meaning they can prevent, withstand, and recover from all types of ICT (Information and Communication Technology) disruptions and threats. This regulation is a response to the growing dependency of financial services on digital processes and the increasing threats posed by cyberattacks, system failures, and other IT-related incidents.
The regulation applies to entities within the EU that undertake any of the broad range of financial market activities captured by the Act. So-called “Critical ICT Third-Party Providers” (CTPPs) to Europe’s financial firms will be subject to DORA’s requirements as well.
DORA also applies to financial institutions that operate in the EU, regardless of where they’re based. The UK is also expected to mirror DORA, with new provisions building upon existing operational resilience frameworks such as FCA PS21/3. Further afield, the U.S. Securities and Exchange Commission’s (SEC) cybersecurity rules also impose requirements on firms that overlap with key elements of DORA.
DORA: The Key Components
DORA is comprehensive but can be distilled down to five key components that aim to increase the digital resilience of financial institutions.
- ICT Risk Management: DORA mandates that financial institutions implement robust ICT risk management frameworks. These frameworks should be proportionate to the nature, scale, and complexity of their business operations. This includes identifying, assessing, and mitigating ICT risks, as well as maintaining effective internal controls.
- Incident Reporting: Financial institutions are required to report significant ICT-related incidents to the relevant competent authorities. This is to ensure that regulators have visibility into the operational challenges faced by the financial sector and can take necessary actions to mitigate systemic risks.
- Digital Operational Resilience Testing: DORA introduces the requirement for regular testing of digital operational resilience. This includes conducting threat-led penetration testing (TLPT) at least every three years to assess the effectiveness of ICT controls and the ability to withstand sophisticated cyberattacks.
- Third-Party Risk Management: Financial institutions must manage risks associated with their ICT third-party providers. This includes conducting due diligence, monitoring the performance of third-party services, and ensuring that contracts allow for effective oversight and control.
- Information Sharing: DORA encourages financial institutions to share information on cyber threats and incidents with each other, fostering a collaborative approach to managing ICT risks. This is intended to enhance collective resilience across the financial sector.
Five things you should do to comply with DORA
Organizations that fail to comply with the provisions outlined in the DORA regulation will be liable for a significant fine of up to 1% of the annual worldwide turnover of the company per day, until compliance is achieved, for up to 6 months.
By way of example, if a financial institution with a revenue of $49.6 billion in 2021 fell foul of the new legislation, the fine would be more than $135 million per day. If the breach continued for 6 months the financial institution could be looking at a total fine of $24.8 billion.
With DORA’s operational mandates becoming effective on January 17, 2025, firms have roughly 4 months to achieve compliance.
Here are the top 5 things that should be on your DORA checklist:
- Develop a Comprehensive ICT Risk Management Framework
The starting point for DORA compliance must be a well-structured ICT risk management framework. This framework should encompass hardware and software, data management and cyber defenses.
At a minimum, you should seek to address:
Risk Identification and Assessment: Begin by identifying all potential ICT risks, including cyber threats, data breaches, system failures, and operational disruptions. The risks you identify should be assessed for likelihood and impact.
Risk Mitigation and Controls: You should set out to implement appropriate controls to mitigate (or preferably eliminate) the identified risks. This could involve deploying advanced cybersecurity tools, enhancing data encryption, or upgrading IT infrastructure.
Governance: You should have a clear governance structure that defines roles and responsibilities for managing ICT risks. Senior management and the board of directors must be actively involved in, and accountable for, ICT risk management.
- Establish Robust Incident Reporting Protocols
If the worst should happen, DORA creates an expectation that financial institutions will report “significant” incidents.
To comply with this requirement:
Define What Constitutes a Significant Incident: Develop criteria for what qualifies as a significant incident that must be reported. This could include data breaches, prolonged system outages, or cyberattacks that affect critical business functions.
Create an Incident Response Plan: Establish a detailed incident response plan that outlines the steps to be taken when an incident occurs. This should include communication protocols, escalation procedures, and timelines for reporting to authorities.
Regular Training: Conduct regular training sessions for employees to ensure they are aware of the incident reporting protocols and know how to recognize and respond to ICT incidents.
- Conduct Regular Digital Operational Resilience Testing
It is not enough to have policies and procedures gathering dust somewhere; to demonstrate resilience you need to undertake regular testing.
To comply with DORA, your testing programme should include:
Threat-Led Penetration Testing (TLPT): You should consider engaging external experts to conduct TLPT exercises, simulating real-world cyberattacks on your systems. This will help identify vulnerabilities and assess the effectiveness of your ICT controls.
Scenario-Based Testing: Develop and test various scenarios that could impact your digital operations, such as a ransomware attack, a major system failure or, for that matter, a concerted disinformation campaign. This will allow you to evaluate your response capabilities and refine your contingency plans.
Continuous Improvement: You should use the insights gained from testing to continuously improve your ICT infrastructure and operational resilience. Leverage the findings to promptly address any weaknesses identified during testing.
- Strengthen Third-Party Risk Management
Financial institutions often rely on third-party providers for critical ICT services. DORA places significant emphasis on managing these relationships effectively:
Due Diligence: Conduct thorough due diligence on all third-party providers, evaluating their cybersecurity measures, track record, and compliance with relevant regulations.
Contractual Safeguards: Ensure that contracts with third-party providers include provisions that allow for effective oversight, such as audit rights, regular reporting, and the ability to terminate the contract if the provider fails to meet standards.
Continuous Monitoring: Implement ongoing monitoring of third-party services to ensure they continue to meet your security and resilience requirements. This could include regular reviews, audits, and performance assessments.
- Foster a Culture of Information Sharing and Collaboration
DORA encourages information sharing among financial institutions to enhance collective resilience. You should seek to achieve collective security in collaboration with your peers, working together to defend against cyber threats:
Join Industry Forums: Staying abreast of best practices and having timely insights about emerging threats are key to success.
National Cyber Security Centres: Build a relationship with your Cybersecurity National Coordination Centre.
Collaborate on Incident Response: Develop partnerships with other financial institutions to collaborate on incident response efforts. Sharing information during an incident can help mitigate its impact and prevent it from spreading to other organizations.
Contribute to Sector-Wide Initiatives: Support and contribute to sector-wide initiatives aimed at improving digital operational resilience. This could involve participating in joint exercises, sharing anonymised incident data, or contributing to research and development efforts.
Firms with a fund management focus should also consider referring to the support material provided by The Alternative Investment Management Association (AIMA). Organizations with a broader market presence might wish to consider guidance from The European Securities and Markets Authority (ESMA).
Wrapping up
The DORA regulation empowers cybersecurity professionals to make a robust business case for digital operational resilience. Complying with DORA isn’t merely about avoiding fines or meeting regulatory requirements; it’s about safeguarding your business, protecting your customers, and contributing to the stability of the financial system.
Businesses that set out to predict, pre-empt and block threats before they have an operational impact will succeed in meeting the expectations of DORA.
Given the diverse motivations of threat actors, it is not a question of if, but when.