It is no secret that the financial industry is a serious target for cyber criminals, driving the need for more stringent regulations to help protect these institutions and their employee and customer data.
Recent research undertaken by Security Scorecard indicates that in 2023, 78% of European financial institutions experienced a data breach involving a third party. Also, 84% of financial organisations have been affected by a breach involving a fourth party. Therefore, regulators and authorities are keen to strengthen financial institutions’ defence against cyber-attacks and other Information and Communication Technology (ICT) incidents.
The upcoming Digital Operational Resilience Act (DORA), set to come into effect in January 2025, aims to change the data security regulatory landscape by mandating that financial institutions adopt a proactive, multi-layered approach to managing ICT-related risks. The regulation will introduce robust requirements for protection, detection, containment, recovery and repair in the event of cyber incidents or technological disruptions. DORA sets out a series of stringent requirements that financial companies must meet, such as risk management, incident reporting, third-party risk management, digital operational resilience testing and threat intelligence sharing, to ensure robust digital resilience.
DORA seeks to drive and harmonise operational resilience improvements across the EU’s 22,000 financial entities. It applies not just to banks, but to credit institutions, payments providers, insurance companies, investment firms, fund managers, pension funds, crypto-asset services, IT third-party services, crowdfunding services, and more. The new regulation will provide the foundation for building financial systems that are agile and prepared for the digital threats of today and tomorrow.
The impact of being non-compliant
Failure to comply with the new regulations could land financial institutions in hot water, resulting in high fines similar to those associated with GDPR. These fines can increase daily until the issue is resolved, hitting organisations hard financially, and also impacting the reputation of the organisation that doesn’t comply with the regulation.
For example, when a cyber incident occurs, organisations will be required to notify authorities and affected parties within a 72-hour window. If they don’t comply, the details of the breach will be made public. As such, it is critical that these companies constantly monitor their IT environment for possible threats and breaches and are prepared to respond appropriately. To achieve this, they must implement advanced threat detection systems and a robust incident response plan, and gain a clear understanding of the vulnerabilities in the organisation’s systems. Without proper monitoring, organisations could miss key indicators of a breach and fail to notify the appropriate regulatory bodies on time, which could compound the consequences.
Partnering with experts to design a strong compliance framework
In terms of preparing for these new regulations, every organisation should undergo a comprehensive resilience review and gap analysis. This will assess how prepared the organisation is to handle a cyber incident, and its ability to recover from it swiftly. This is achieved with an in-depth evaluation of key components, which include the current state of security infrastructure, incident response capabilities, and ongoing monitoring efforts.
However, getting to the heart of these requirements while dealing with the day-to-day can be challenging. This is where engaging with independent external specialists and third-party vendors to conduct these critical resilience reviews can really help. Such third parties can help businesses build out a compliance roadmap—a clear plan outlining the steps the organisation must take to achieve and maintain compliance. Such a plan will help to prioritise the projects that will have the greatest impact on improving the organisation’s security posture and minimising risk.
Part of this process involves time management of various compliance projects, as well as prioritising the aspects of cybersecurity that will have the most significant impact. With an expert-led roadmap, organisations can better allocate their resources and ensure that their efforts are directed toward mitigating the most pressing threats.
Incident response strategies and board-level accountability
An essential component of any resilience review is the organisation’s incident response process. A well-written incident response plan is crucial, but equally important is how the organisation responds and conducts thorough ICT exercises to stay prepared. It is critical to examine the existing frameworks and procedures for handling cyber incidents, ensuring that they align with regulatory requirements. This includes determining what infrastructure exists internally for cybersecurity recovery and whether it can support the organisation in the event of a major breach.
Additionally, it is important to establish board-level accountability for cybersecurity, which must be viewed as a core business concern requiring involvement from senior management and the board of directors. Ensuring that the board is fully aware of the risks and has a direct role in overseeing cybersecurity initiatives helps embed a culture of security throughout the organisation.
Ongoing monitoring and lifecycle management
Ongoing monitoring of risk factors is essential to maintaining a strong security posture, and such a programme will also work to the organisation’s advantage over its competitors.
Today, cyber threats evolve rapidly, and staying one step ahead requires diligent lifecycle management of IT systems, security protocols, and risk. Organisations must continuously assess where they stand in terms of compliance and risk management, constantly revisiting and refining their processes. Companies need to actively embrace a lifecycle management approach (understand, plan, test, and repeat) to ensure they’re prepared when a cyber incident occurs and, more importantly, that they can recover quickly and demonstrate the resilience that regulations such as DORA seek to instil.