It is no secret that the financial industry is a serious target for cyber criminals, driving the need for more stringent regulations to help protect these institutions and their employee and customer data.
Recent research undertaken by Security Scorecard indicates that in 2023, 78% of European financial institutions experienced a data breach involving a third party. Also, 84% of financial organizations have been affected by a breach involving a fourth party. Therefore, regulators and authorities are keen to strengthen financial institutions’ defense against cyber-attacks and other Information and Communication Technology (ICT) incidents.
The upcoming Digital Operational Resilience Act (DORA), set to come into effect in January 2025, aims to change the data security regulatory landscape by mandating financial institutions adopt a proactive, multi-layered approach to managing ICT-related risks. The regulation will introduce robust requirements for protection, detection, containment, recovery and repair in the event of cyber incidents or technological disruptions. DORA sets out a series of stringent requirements that financial companies must meet such as risk management, incident reporting, third-party risk management, digital operational resilience testing and threat intelligence sharing, to ensure robust digital resilience.
DORA seeks to drive and harmonize operational resilience improvements across the EU’s 22,000 financial entities. It applies not just to banks, but to credit institutions, payments providers, insurance companies, investment firms, fund managers, pension funds, crypto-asset services, IT third-party services, crowdfunding services, and more. The new regulation will provide the foundation for building financial systems that are agile and prepared for the digital threats of today and tomorrow.
The impact of being non-compliant
Failure to comply with the new regulations could land financial institutions in hot water, resulting in high fines similar to those associated with GDPR. These fines can increase daily until the issue is resolved, hitting organizations hard financially and also damaging the reputation of any organization that doesn’t comply with the regulation.
For example, when a cyber incident occurs, organizations will be required to notify authorities and affected parties within a 72-hour window. If they don’t comply, the details of the breach will be made public. As such, it is critical that these companies are constantly monitoring their IT environment for possible threats and breaches and are prepared to respond appropriately. To achieve this, they must implement advanced threat detection systems and a robust incident response plan, and gain a clear understanding of the vulnerabilities in the organization’s systems. Without proper monitoring, organizations could miss key indicators of a breach and fail to notify the appropriate regulatory bodies on time, which could compound the consequences.
Partnering with experts to design a strong compliance framework
In terms of preparing for these new regulations, every organization should undergo a comprehensive resilience review and gap analysis. This will assess how prepared the organization is to handle a cyber incident, and its ability to recover from it swiftly. This is achieved with an in-depth evaluation of key components, which include the current state of security infrastructure, incident response capabilities, and ongoing monitoring efforts.
However, getting to the heart of these requirements while dealing with the day-to-day can be challenging. This is where engaging with independent external specialists and third-party vendors to conduct these critical resilience reviews can really help. Such third parties can help businesses build out a compliance roadmap: a clear plan outlining the steps the organization must take to achieve and maintain compliance. Such a plan will help to prioritize the projects that will have the greatest impact on improving the organization’s security posture and minimizing risk.
Part of this process involves time management of various compliance projects, as well as prioritizing the aspects of cybersecurity that will have the most significant impact. With an expert-led roadmap, organizations can better allocate their resources and ensure that their efforts are directed toward mitigating the most pressing threats.
Incident response strategies and board-level accountability
An essential component of any resilience review is the organization’s incident response process. A well-written incident response plan is crucial, but equally important is how the organization responds and conducts thorough ICT exercises to stay prepared. It is critical to examine the existing frameworks and procedures for handling cyber incidents, ensuring that they align with regulatory requirements. This includes determining what infrastructure exists internally for cybersecurity recovery and whether it can support the organization in the event of a major breach.
Additionally, it is important to establish board-level accountability for cybersecurity, which must be viewed as a core business concern requiring involvement from senior management and the board of directors. Ensuring that the board is fully aware of the risks and has a direct role in overseeing cybersecurity initiatives helps embed a culture of security throughout the organization.
Ongoing monitoring and lifecycle management
Ongoing monitoring of risk factors is essential to maintaining a strong security posture, and such a programme will also work to the organization’s advantage against its competitors.
Today cyber threats evolve rapidly, and staying one step ahead requires diligent lifecycle management of IT systems, security protocols, and risk. Organizations must continuously assess where they stand in terms of compliance and risk management, constantly revisiting and refining their processes. Companies need to actively embrace a lifecycle management approach (understand, plan, test, and repeat) to ensure they're prepared when a cyber incident occurs and, more importantly, that they can recover quickly and demonstrate the resilience that regulations such as DORA seek to instill.
Sean Tilley is the Director of Sales EMEA at 11:11 Systems.