Exploring DORA: Making Digital Resilience a Legal Requirement
- Pravin Vijay, Senior Financial Services Solutions Engineer at Zayo Europe
- 12.07.2024 01:00 pm #DORA #security #finserv
It’s no secret that the financial services industry is a high-value target for hackers. While the exact motives for attacks differ, there is the opportunity for financial gain through extortion, operational disruption, market manipulation and the theft of customer data. Similarly, some may be driven by the chaos that ensues when people are unable to access their personal finances.
Zayo’s data highlights the sheer size of the issue: financial services organisations witnessed a 93% increase in DDoS attacks from Q1 to Q4 last year. Nor is frequency the only thing that has grown. The average duration of an attack against a financial services organisation was almost 40 minutes, roughly twice as long as attacks against retailers.
Establishing a strong defence
To help the industry combat this growing threat landscape, the EU announced the Digital Operational Resilience Act (DORA), a framework that aims to strengthen the cybersecurity of financial institutions, including banks, investment firms, fintechs and insurance companies. The act is a combined effort between the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority, which gives it a vast remit and wide-ranging enforcement powers.
The act specifically targets the robustness and resilience of digital operations throughout the sector, and also covers third-party technology service providers working in the industry. It constitutes a landmark shift in approach in the financial sector, where operational resilience becomes the priority.
Industry organisations operating within the EU have until January 2025 to comply, but UK firms should also take notice, as the UK is currently drawing up its own separate version of DORA. Once both versions of the legislation are active, any UK technology businesses with financial customers in the EU will need to comply with both regulatory regimes simultaneously.
To comply with DORA, firms must implement a comprehensive framework addressing five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing. Ultimately, this involves developing strategies for prevention, response and recovery, and ensuring proper management and staff education.
DORA has teeth
European Supervisory Authorities (ESAs) are responsible for imposing rigorous financial penalties to ensure digital operational resilience in the industry. They have supervisory and investigatory powers, including the ability to publish notices of administrative penalties. To comply, critical service providers must establish an EU subsidiary within 12 months of designation.
Penalties for breaches can be severe, with institutions facing fines of up to 2% of annual global turnover or up to 1% of daily global turnover. Individuals and companies could be fined up to €1,000,000, while critical third-party ICT service providers may incur even harsher penalties: up to €5,000,000, or €500,000 for individuals.
Even if policymakers and regulators follow all the rules and recommendations, the industry’s dependence on technology and its exposure to human failures does not change. As a result, regulators must also strengthen in-house tech expertise, depoliticise cybersecurity in a borderless world, and make use of new technologies.
Building on solid foundations
Crucially, before implementing the measures stipulated in DORA, firms must ensure a strong foundation is in place. To comply with the various elements of this new legislation, organisations will require an agile network infrastructure that serves as the backbone for their connectivity and security measures.
Outdated and legacy technologies at any point in an organisation’s network infrastructure could now create a problem for compliance. Once both regulatory environments are operating side-by-side, it will be an operational imperative for organisations of all sizes to ensure that there is no weak point in their network. Without this robust and flexible infrastructure, effective security and compliance will become impossible.
Oversight problems can be caused by having too many vendors, too many tools or too many links in the chain, all of which can cause an organisation to fall foul of DORA. While the industry ramps up its preparation for the implementation of DORA in January 2025, many are focusing on that essential first step of ensuring their network foundations are secure, resilient and future-proofed.