We speak to Dan Morgan, Senior Government Affairs Director for Europe & APAC at SecurityScorecard, on why financial institutions face an uphill battle to comply with the Digital Operational Resilience Act (DORA) – an EU law related to the cybersecurity of the financial services sector.
The act, introduced in January 2023, comes after 78% of Europe’s largest financial institutions experienced a third-party breach in the past year.
What is the Digital Operational Resilience Act (DORA)?
In January 2023, a landmark law in the European Union (EU) related to the cybersecurity of the financial services sector entered into force.
The Digital Operational Resilience Act (DORA) will soon require banks, other financial entities, and some ICT third-party providers in the EU to implement a series of cybersecurity-related measures intended to protect consumers and shore up the EU’s financial system against systemic risks arising from the central role that information and communication technologies (ICT) play in the provision of financial services.
Which organisations will be affected by DORA?
The cybersecurity firm SecurityScorecard has released a new report, “DORA and Cyber Risk: A New Framework for Third-Party Risk in the European Union.”
The report analysed the cybersecurity profiles of the largest 240 financial institutions, including their third- and fourth-party vendor operations in the EU in 2023.
The top 240 were determined by current revenue, assets under management, or gross written premium, and included: Asset Management; Private Equity, Retail Banks, as well as Insurance and Pension Funds.
What will DORA require?
Managing third-party risk is a key part of DORA and the EU’s approach to cyber risk more broadly. DORA will require financial entities to identify and assess all third-party risks.
This includes threats to the confidentiality, integrity, and availability of data and systems, as well as risks to the financial entity's ability to continue operating in the event of a third-party incident.
How can organisations gain greater visibility into their vendor ecosystems?
The report found that 78% of financial institutions have experienced a third-party data breach in the past year.
Additionally, 82% of retail banks experienced a third-party breach in the last year, and 8% suffered from a breach in their own domain.
In the wake of high-profile attacks like MOVEit and SolarWinds, cybersecurity regulations are sounding the alarm for more comprehensive approaches to managing vendor risk and ensuring greater compliance.
And considering the growing threat landscape, businesses are increasingly supportive of regulations to address and mitigate these risks.
The report also found that 84% of financial institutions have been exposed to a fourth-party breach.
This illustrates the vast web of largely unseen risks that are hiding in plain sight. Visibility across the entire third-and fourth-party ecosystem is mission-critical, yet most organisations seem to lack consensus on how to measure and track fourth-party risk.
Furthermore, 18% of financial institutions studied had a cybersecurity ‘C’ rating or below, which makes them four to seven times more likely to suffer a breach than those with an ‘A’ rating.
There are seven factors that can predict a cybersecurity breach, including: endpoint security; patching cadence; ransomware score; DNS health; IP reputation; cubit score; and network security.
What are the key pillars of DORA?
Included in DORA are five key pillars that will shape how financial services organisations manage ICT and cyber risks:
- ICT risk management
- Incident reporting
- Digital operational resilience testing
- Third-party risk management
- Sharing of information and intelligence
How can an organisation improve its cyber resilience and prepare for DORA?
For decades, a common way to measure ICT risk has been the color-coded stoplight system, where the color “green” signifies having met the requirement, “yellow” signifies partially met, and “red” signifies not met.
In today’s dynamic threat environment, however, this simply isn’t good enough.
Policymakers and business executives should demand greater accountability about the security postures of the organisations that affect them, whether it’s a regulated entity, their own organisation, or a third-party partner (such as a supplier).
Data and measurement methodologies exist that can empower leaders to better understand their risk exposure and the options and tradeoffs for reducing it.
What can my organisation do now to comply with DORA?
Cybersecurity is no longer just an ICT issue, which means that compliance with DORA shouldn’t be the sole responsibility of the CISO.
Involving legal, compliance, risk management, and other relevant teams from the start will ensure your organisation can meet the DORA requirements faster and more efficiently.
While DORA won’t be enforced until 2024, firms should start planning now for how to align with the new regulations.
Most firms that fall under DORA’s scope no doubt have some of these policies and protocols in place, but this is an opportunity to streamline cybersecurity and, in doing so, boost our collective cyber resilience.
Please also take a look at our upcoming virtual event, FinTech LIVE London, coming on 8-9 November 2023.
BizClik is a global provider of B2B digital media platforms that provides executive communities for CEOs, CFOs, CMOs, Sustainability Leaders, Procurement & Supply Chain Leaders, Technology & AI Leaders, Cyber Leaders, FinTech & InsurTech Leaders as well as covering industries such as Manufacturing, Mining, Energy, EV, Construction, Healthcare, and Food & Drink.
BizClik – based in London, Dubai, and New York – offers services such as Content Creation, Advertising & Sponsorship Solutions, Webinars & Events.
- Top 10 fintech startups based in the US 2023Financial Services (FinServ)
- Papara will focus on M&A amid expansion, neobank's boss saysBanking
- DFINITY: VC funding is in decline; how can Web3s raise now?Financial Services (FinServ)
- Fintech Vero Technologies raises US$8.5m in Series A fundingFinancial Services (FinServ)