DORA & the Importance of Cybersecurity in the Financial Services Industry
Arguably, the two biggest non-financial risks that financial services organizations face today are operational resilience and cybersecurity. Case in point: When looking at insurance claims within the sector, the main cause of value loss is cyberattacks.
How we got here is a convoluted lesson in recent history, though broadly speaking, key factors include the pandemic, the continued march toward digitization and the global rise in remote work, all of which helped set the stage for a wave of operational failures and cybercrime.
As a result, financial institutions face a multitude of threats to their operational stability, including cyberattacks, systemic failure, data theft, ransomware and loss of reputation, which all would have been inconceivable a short time ago. Given the consumer impact of even a temporary loss of operations for organizations within the financial services industry, it’s no surprise that new legislation and regulations are being embraced globally.
The EU’s Digital Operational Resilience Act (DORA) is one of several forthcoming pieces of EU legislation, including the updated Network and Information Security (NIS2) Directive, the Cyber Resilience Act and the EU Cybersecurity Act, intended to protect and improve the security and stability of financial services operations. The UK, U.S. and several other jurisdictions have adopted similar provisions or are consulting on proposals to address these threats.
The European Council formally adopted DORA on November 28, 2022. Financial institutions across the EU will now need to ensure that they are compliant with these regulations by Q4 2024, which seems a long way away — but there is a lot of work to be done.
DORA Explained
As noted by Forbes, “DORA intends to increase the standards of digital resilience frameworks, including how companies must report cybersecurity incidents and manage Information and Communication Technologies (ICT) third-party risk across the financial services sector and EU member states.” Forbes goes on to note five key pillars of the legislation:
- ICT risk management
- ICT incident reporting
- Digital operational resiliency testing
- Information and intelligence sharing
- ICT third-party risk management
To put it another way, DORA expands and deepens regulations on resilience and security measures, as well as extends those requirements to third-party ICT providers.
An Industry at Risk
In February 2020, the European Systemic Risk Board (ESRB) published research on the potential impact of cyberattacks on the financial services industry. The ESRB noted that “…a cyber incident could indeed evolve into a systemic cyber crisis that threatens financial stability. The ESRB has therefore identified cyber risk as one of the sources of systemic risk to the financial system which could have serious negative consequences for the real economy.” The ESRB is particularly concerned that, “Some recent incidents have demonstrated the perpetrators’ ability to penetrate the networks of large organizations and incapacitate them quickly. Cyber incidents can also spread widely across sectors and beyond geographical borders.”
Beyond the Borders of Europe
DORA establishes a new global benchmark for operational resilience and should be viewed as a response to challenges faced by financial services companies across the globe in protecting and preserving data and services for consumers. And this should be viewed as a global challenge, as it isn’t limited to companies operating only within the borders of the EU, or even within the financial services industry.
Business Insider reported that hackers “secretly broke into Texas-based SolarWind's systems and added malicious code into the company's software system… Beginning as early as March of 2020, SolarWinds unwittingly sent out software updates to its customers that included the hacked code. The code created a backdoor to customer's information technology systems, which hackers then used to install even more malware that helped them spy on companies and organizations.”
While there is no guarantee that operational resiliency testing as required by DORA would have prevented this incident, preparations and increased scrutiny of third-party vendors certainly could have helped mitigate the overall impact of the attack.
Charting a Course to Safe Operations
Financial services institutions are obviously an attractive target for bad actors with their abundance of personal data, financial accounts, records and money. However, many non-financial organizations are also targets for cyberattacks, like ransomware, which have the potential to hold an institution financially hostage and cause significant harm to its reputation.
Until such time as regulations like DORA, the EU Cybersecurity Act, Cyber Resilience Act, NIS 2 and General Data Protection Regulation (GDPR) are common practice across the world, such threats will remain. There is also the potential for such measures to cause bad actors to seek weaker targets in other industries or jurisdictions. In a previous article from EPAM, a number of best practices were identified which could help organizations minimize their cybersecurity risk exposure:
- Individual awareness and training: It’s increasingly important organizations offer a robust set of training and materials to ensure that employees operate their systems in the most secure fashion.
- Systems and platform security: To ensure digital ecosystems have the necessary protections, organizations should engage in ongoing reviews and assessments of their security capabilities.:
- Start with a framework for setting the baseline across your organization, suppliers and customers.
- Map and then continuously reduce your attack surface.
- Embrace Zero Trust Access principals (least privilege, small units of work, always verify, practice micro-segmentation, etc.).
- Ensuring Business Continuity: All cybersecurity is designed to protect an organization’s business operations and ensure their continuity. When leading and planning your cybersecurity response, organizations should prioritize and focus their efforts on the areas that could most likely lead to an interruption of operations.
Ultimately, with the right training and security in place, organizations can limit their exposure to risk and focus on ensuring minimal disruption to operations.
Cybersecurity is a Team Effort
Whether your organization operates within the financial services industry or not, operational resilience and cybersecurity need to be a team effort. This might mean organizational education to help everyone within the company understand the importance of adhering to best practices, partnering with a trusted independent third-party for an assessment or other solutions.
A chain is only as strong as its weakest link; so too is an organization’s effort to withstand operational and security incidents. Identifying and strengthening your weak links will be key in preparing for the future of cyberattacks.