Wednesday, April 3rd, 2024

DORA: Practical Ways for Building Resilience & Ensuring Compliance

Written by: Raluca Saceanu, Chief Executive Officer

Last year, the financial sector regained its status as the industry with the highest incidence of data breaches. This ‘renaissance’ highlights the sector’s attractiveness to cyber criminals, driven both by the potential for financial gain and by the volume of sensitive customer data it manages. Financial institutions are constantly innovating, yet innovation brings an array of cyber threats and risks that compound the problem – and it’s not just their internal cybersecurity risks: the resilience of their supply chain needs scrutiny too. Fintech organisations, in particular, occupy a unique position within this ecosystem, often serving as intermediaries between entities across industries. Examining the cybersecurity posture of these organisations is therefore vital, as they form critical nodes within a complex network of interconnected systems and data flows.

It is evident that the industry needs more robust frameworks to ensure operational continuity and customer trust – and soon we will welcome DORA, the EU Digital Operational Resilience Act, setting forth comprehensive guidelines for financial institutions to strengthen their digital resilience capabilities. As the countdown to DORA’s implementation ticks away, it’s important for financial entities to embark on a strategic journey to navigate the complexities of compliance and strengthen their security postures.

Challenges on the Compliance Horizon

As the deadline for DORA compliance looms, financial institutions confront an array of challenges: resource constraints, lack of expertise, and the need for organisational restructuring all stand in the way. For many companies, the burden of aligning with DORA’s stringent requirements may seem overwhelming. When we meet with CISOs and CIOs, we discuss their compliance requirements and, in particular, their challenges when it comes to readiness for DORA. Here are a few challenges that come up regularly in conversation:

  1. Resource Constraints: Many CISOs are grappling with limited resources, including budgetary constraints and staffing shortages, which hinder their ability to dedicate adequate time and personnel to navigating the complexities of DORA compliance.
  2. Lack of Clarity in Regulatory Guidance: Security leaders are often confronted with ambiguous regulatory guidance, making it difficult to interpret DORA’s requirements accurately. Even though we are 9 months away from the implementation of DORA (at the time of writing), we see a lack of clear, prescriptive guidelines and standardised frameworks for compliance assessments – there is a lot of room for interpretation, leading to uncertainty and delays in implementation, which is why security and compliance leaders are still finding it challenging to assess readiness.
  3. Technological Complexity and Legacy Systems: The technological landscape within financial institutions is multifaceted and rapidly evolving, encompassing a myriad of interconnected systems, applications, and infrastructure components. Many CISOs face the formidable task of aligning DORA’s specific requirements with their current technological setups, which adds complexity: they need to find the gaps, address them and manage them while ensuring continuity. Moreover, many financial institutions rely on outdated infrastructure and applications that lack native support for contemporary security protocols and controls. CISOs face the challenge of retrofitting legacy systems with robust security measures while ensuring seamless interoperability with newer technologies. However, we also see a lot of organisations undergoing a complete ‘revamp’ of their tech stack with a focus on consolidation and simplification – a challenge in itself.
  4. Third-Party Dependency: Financial institutions rely on a vast network of third-party vendors and service providers to deliver essential ICT services and support business operations. Security leaders encounter challenges in assessing and managing the cybersecurity risks posed by third-party entities, including limited visibility into vendor practices, varying levels of security maturity, and the potential for supply chain disruptions. This is why many organisations are outsourcing their Third Party Security Management (TPSM) to ensure that they can deal with the problem more effectively.
  5. Evolving Threat Landscape: And of course, the dynamic nature of cyber threats presents a constant challenge for CISOs tasked with ensuring DORA compliance. As cybercriminal tactics evolve, CISOs must continuously adapt their security strategies, implement proactive threat detection measures, and strengthen incident response capabilities to mitigate the risk of ICT-related incidents and breaches.
  6. Data Fragmentation and Classification: CISOs are confronted with the task of managing and classifying vast volumes of sensitive data scattered across disparate systems and platforms to adhere to DORA’s data protection requirements. Financial institutions often grapple with data fragmentation, where sensitive information resides in siloed repositories across various departments and business units. Security leaders are struggling to identify, classify, and protect sensitive data assets, which is why we are now seeing a shift towards implementing data security posture management solutions to deal with this challenging data problem.

Understanding the Scope of DORA

DORA brings change with it. The act represents a paradigm shift in regulatory expectations, mandating a holistic approach to digital resilience. It encompasses a myriad of facets, spanning cyber protection, detection, containment, recovery, and response capabilities. DORA emphasises the importance of proactive risk management, resilience testing, and collaboration among financial institutions and regulatory authorities to ensure the stability and security of the financial ecosystem in the face of evolving cyber threats.

DORA encompasses five fundamental pillars, each targeting different facets of ICT and cybersecurity:

  1. ICT Risk Management
  2. ICT Incident Management, Classification & Reporting
  3. Digital Operational Resilience Testing
  4. Third-Party Provider Risk Management
  5. Information Sharing

Let’s have a look at each of the requirements and practical ways to tackle them:

ICT Risk Management

DORA mandates that an entity’s management body takes responsibility for ICT management. Board members, executives, and senior managers must define risk management strategies, actively participate in execution, and stay updated on ICT risk landscapes. They can be held personally accountable for non-compliance.

Firstly, financial organisations must develop comprehensive ICT risk management frameworks and implement cybersecurity protection measures like identity and access management policies, patch management, and technical controls. One of the key elements is that organisations are required to have mechanisms in place to detect and promptly respond to ICT-related incidents. Fundamental to this is implementing real-time monitoring tools and threat intelligence systems. In the event of a cybersecurity incident, organisations must have procedures in place to contain the impact and prevent further spread of the threat. This may involve isolating affected systems, disabling compromised accounts, and implementing temporary security controls.

Practical tips to address the ICT Risk Management pillar:

  • Develop and implement a robust risk management framework that aligns with the principles outlined in DORA. It should include processes for identifying, assessing, and mitigating ICT and cybersecurity risks, as well as mechanisms for ongoing monitoring and reporting. Ensure that roles and responsibilities are clearly defined and that all relevant stakeholders are involved in the risk management process. Conduct regular risk assessments (we recommend quarterly) and ensure that you have an internal resource (an Information Security Risk Manager) who can support this process.
  • Understand your vulnerabilities, but go beyond simple vulnerability scanning and consider your security posture from an exposure management perspective. Keep an up-to-date asset inventory correlated with your known vulnerabilities and, importantly, make sure you understand your exposure continuously. Not all vulnerabilities are equal. Consider tools that perform threat modelling to correlate the threat intelligence you consume with the assets inside (and outside!) your environment, so that you understand the risks you face: exploitable gaps prioritised by their impact on your organisation. Vulnerability scanning tools will not do this for you, and the chances are that your teams are under-resourced and dealing with too many vulnerabilities, so they won’t either.
  • Enforce strong access controls and authentication mechanisms such as MFA. MFA is important, but think beyond it and consider conditional access, which grants access only when specific conditions are met, such as user location, device used, or group membership.
  • Consider a strong EDR technology and ensure that your team is capable of, and available for, responding to alerts 24/7. Have strong firewalls in place, but also a dedicated team that manages firewall rules, policies and configurations on an ongoing basis.
  • Invest in a good SIEM, but don’t forget to invest in detection engineering: the proactive design, implementation, and optimisation of detection mechanisms tailored to YOUR unique threat landscape and risk profile. This includes developing custom detection rules, creating behavioural analytics, and fine-tuning correlation logic within the SIEM to identify indicators of compromise and suspicious activity that may evade your security controls. You will need a good team of security analysts to monitor your alerts and a good team of SIEM engineers to support your detection engineering. Moreover, establish incident detection and response procedures, including defined alert thresholds, automated response actions, and escalation paths for critical incidents. Your Incident Response plan needs to be practical and effective, and it must contain both technical responses and good communication elements. Test your plan annually, and if you are not sure about its effectiveness, seek external help from companies that do this on a daily basis.
  • Implement threat intelligence feeds to proactively identify cyber threats and vulnerabilities relevant to your industry and infrastructure. If you have a SIEM in place, you are most likely already ingesting good TI feeds. The problem with these feeds is that they are not customised to your organisation or industry. Earlier, we spoke about customised threat intelligence and threat modelling – you need to ensure that your SIEM and SOC operations have exposure management capabilities in place to ingest, digest and validate the threats your organisation faces.
  • Implement network segmentation to limit the lateral movement of threats and contain the impact of breaches to specific segments of the infrastructure.
  • Maintain a library of pre-configured security controls and policies that can be deployed quickly to contain incidents and prevent further exploitation.

ICT Incident Management, Classification & Reporting

A new set of technical standards drafted by the European Supervisory Authorities has been published and submitted to the European Commission for adoption. This is the latest update on DORA implementation. Let’s dive into the details.

DORA mandates financial entities, including credit institutions, pension funds, investment fund managers, and insurance undertakings, to establish procedures for detecting, managing, and reporting ICT-related incidents. While certain entities like payment institutions already adhere to sector-specific regulations, proposed Regulatory Technical Standards on incident classification aim to align measures across all financial entities under DORA. The RTSs propose a two-step approach for determining whether an ICT-related incident is major, with the first step assessing its impact on critical services and the second step applying additional criteria.

The proposed classification criteria cover various aspects including clients, counterparts, and transactions, data losses, reputational impact, duration and service downtime, geographical spread, and economic impact. If an incident meets the thresholds defined for any of these criteria, it is classified as major and must be reported to the relevant competent authority. Financial entities are required to submit initial notifications, intermediate reports for significant changes, and comprehensive final reports once root-cause analysis is completed, regardless of mitigating measures implemented.

Additionally, recurring ICT incidents, meeting specified conditions, must be classified as major even if individually they don’t meet the criteria. Smaller financial entities and microenterprises are exempted from reporting recurring incidents. DORA also mandates financial entities to classify cyber threats as significant based on their potential risk to critical functions and probability of occurrence. While notification of significant cyber threats to competent authorities is voluntary, it’s encouraged for potential systemic risks or significant impact on service users or clients.
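As an added illustration (not code from the post or from the RTS), the Python below applies the two-step classification described above to constructed sample incidents: step one gates on impact to critical services, step two checks the additional criteria, and a separate rule flags recurring non-major incidents. The threshold values, the field names and the “same root cause within a window” recurrence condition are assumptions made for illustration, not figures from the standards.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Incident:
    ident: str
    detected_at: datetime
    affects_critical_service: bool  # step-one gate
    clients_affected: int
    transactions_affected: int
    data_loss: bool
    reputational_impact: bool
    downtime_minutes: int           # duration / service downtime
    countries_affected: int         # geographical spread
    economic_impact_eur: float
    root_cause: str                 # used only by the recurring-incident rule

# Placeholder thresholds for illustration only; the real figures are set by the RTS.
THRESHOLDS = {"clients_affected": 1000, "transactions_affected": 5000,
              "downtime_minutes": 120, "countries_affected": 2,
              "economic_impact_eur": 100_000.0}

def step_one(inc: Incident) -> bool:  # Step 1: does it impact critical services?
    return inc.affects_critical_service

def step_two(inc: Incident) -> list[str]:
    """Step 2: return every additional criterion whose threshold is met."""
    met = []
    if inc.clients_affected >= THRESHOLDS["clients_affected"]:
        met.append("clients")
    if inc.transactions_affected >= THRESHOLDS["transactions_affected"]:
        met.append("transactions")
    if inc.data_loss:
        met.append("data_loss")
    if inc.reputational_impact:
        met.append("reputational_impact")
    if inc.downtime_minutes >= THRESHOLDS["downtime_minutes"]:
        met.append("duration_downtime")
    if inc.countries_affected >= THRESHOLDS["countries_affected"]:
        met.append("geographical_spread")
    if inc.economic_impact_eur >= THRESHOLDS["economic_impact_eur"]:
        met.append("economic_impact")
    return met

def classify(inc: Incident) -> tuple[str, list[str]]:
    """Step 2 runs only once step 1 passes; meeting ANY step-2 criterion makes it major."""
    if not step_one(inc):
        return "not_major", []
    met = step_two(inc)
    return ("major" if met else "not_major"), met

def recurring_major(incidents: list[Incident], window_days: int = 180,
                    min_count: int = 3, microenterprise: bool = False) -> list[str]:
    """Non-major incidents with a shared root cause recurring within the window (assumed conditions) count as major; microenterprises are exempt."""
    if microenterprise:
        return []
    by_cause: dict[str, list[Incident]] = {}
    for inc in incidents:
        if classify(inc)[0] == "not_major":
            by_cause.setdefault(inc.root_cause, []).append(inc)
    window, flagged = timedelta(days=window_days), []
    for cause, group in by_cause.items():
        group.sort(key=lambda i: i.detected_at)
        for j in range(len(group) - min_count + 1):  # sliding window over the sorted group
            if group[j + min_count - 1].detected_at - group[j].detected_at <= window:
                flagged.append(cause)
                break
    return flagged

_T0 = datetime(2024, 4, 1)  # constructed sample incidents below (not real data)
SAMPLE_MAJOR = Incident("INC-1", _T0, True, 2500, 100, False, False, 10, 1, 0.0, "cert-expiry")
SAMPLE_NON_CRITICAL = Incident("INC-2", _T0, False, 2500, 9000, True, True, 500, 3, 1e6, "ddos")
SAMPLE_RECURRING = [Incident(f"INC-{10 + n}", _T0 + timedelta(days=10 * n), True, 5, 10,
                             False, False, 15, 1, 100.0, "cert-expiry") for n in range(3)]
```

Note that SAMPLE_NON_CRITICAL exceeds every step-two threshold yet is not major, because it never passes the step-one gate.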

Practical ways to address this requirement:

  • As per our previous recommendation, ensure that your organisation has a robust 24/7 monitoring solution in place to promptly detect ICT-related incidents, as required by the new technical standards. This monitoring solution should cover all critical ICT systems and infrastructure to provide comprehensive coverage and timely detection of potential threats.
  • Data loss is an important criterion for assessing the materiality of an incident. It’s important to invest in data security posture management tools so that your organisation monitors and assesses the security of its data across all environments.
  • Revise your incident reporting procedures to align with the specific requirements outlined in the new technical standards. Incident reports should include detailed information such as the nature of the incident, its impact on critical services, any malicious unauthorised access detected, and the other criteria specified by the standards. This ensures that your incident reports meet the stringent requirements set by regulatory authorities.
  • If your organisation outsources its Security Operations Centre, collaborate closely with your SOC provider to ensure that incident reporting requirements are met effectively. Reporting templates should match your requirements, and your SOC provider should facilitate the timely and accurate reporting of ICT-related incidents in accordance with the new technical standards. Establish clear communication channels and protocols to streamline the incident reporting process and ensure regulatory compliance.
  • Conduct regular reviews of your incident management practices, assessing their effectiveness and alignment with the new technical standards. Identify any gaps or areas for improvement and take proactive measures to address them. This includes updating incident response plans, conducting training sessions for staff involved in incident management, and refining reporting templates to meet evolving regulatory requirements.
  • Write a response plan that is practical, easy to understand and includes all the necessary and effective steps for addressing incidents. Give examples of incident severity and how to respond to each. Make sure that you include contact details for your IR/SOC, IT, C-level executives, PR, Comms and Legal teams, and for any other third parties (insurance, MDR provider etc.) that need to be involved.
  • Set up an emergency communication channel other than your Teams or Slack, in case your organisational technology is unavailable during an incident.
  • And my favourite part: response effectiveness. How will you know whether your incident management and response plan are effective if you don’t regularly (and properly) test them? The reality is that organisations do this wrong. Here’s why:
      • They don’t involve ALL stakeholders in incident response tabletop exercises. Even more worrying, they don’t have up-to-date contact details for critical stakeholders, or emergency channels set up that can be activated during an incident.
      • They don’t fully understand their security controls and they underestimate the complexity of attacks. Many organisations conduct tabletop exercises with simplistic scenarios that do not adequately challenge response capabilities. As a result, teams may develop a false sense of security and be ill-prepared to handle more sophisticated attacks.
      • They lack proper follow-up. After conducting exercises, many organisations fail to carry out thorough post-mortem reviews to identify lessons learned and areas for improvement. This leaves them ineffective against evolving threats.
  • Review your plan regularly and seek help if you are unsure about its effectiveness.
  • Create scenarios that are RELEVANT and DIFFICULT.
  • Document all tabletop exercises as well as genuine incidents to ensure that you incorporate lessons learned.

Digital Operational Resilience Testing

DORA mandates that financial institutions have comprehensive recovery plans in place to restore normal operations following a cyber incident. This includes data restoration processes, system backups, and continuity planning to minimise downtime and mitigate the impact on business operations.

Practical tips to address this:

  • Establish comprehensive data backup and recovery processes, including regular backups of critical systems and data stored in secure locations. Regularly test backup and recovery procedures to verify the integrity of backup data and the effectiveness of recovery processes, and conduct periodic disaster recovery drills and simulations to test your organisation’s ability to restore operations after a cyber incident (including data restoration and system recovery) and to validate recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical systems and applications.
  • Store backup copies of critical systems and data in secure, off-site locations to protect against localised disasters such as fires, floods, or physical theft. Choose geographically diverse locations to ensure redundancy and minimise the risk of data loss.
  • Monitor backup performance and reliability metrics to identify any issues or anomalies that may affect data protection and recovery operations. Implement proactive alerting and reporting mechanisms to address backup failures or data corruption quickly. If you outsource your backup management to a third party, it’s time to review the contract and the SLAs.
  • Develop business continuity plans that outline strategies for maintaining essential functions during disruptions, including alternative communication channels and temporary work arrangements.
  • Clearly define roles and responsibilities for managing and executing the disaster recovery plans within your organisation. Designate specific individuals or teams responsible for overseeing backup operations, conducting recovery drills, and coordinating response efforts during cyber incidents or disasters. TEST IT! Ensure that key stakeholders are aware of their roles and responsibilities and are trained to execute their tasks effectively.
  • Conduct regular Red/Purple Team assessments to address higher levels of risk exposure.

ICT Third-Party Risk

One unique aspect of DORA is that it applies not only to financial entities but also to the providers that service the financial sector. So, keep a close eye on the risks tied to your third-party ICT providers. Ensure robust risk monitoring of your dependencies on third-party ICT providers by recording the critical aspects of every service relationship consistently, so that oversight is comprehensive. Contracts with these providers should include detailed service level descriptions and data processing locations. Critical ICT third-party service providers will be subject to direct oversight by the relevant ESAs.

Here are practical tips on how to address this requirement:

  • Map out your organisation’s third-party ICT dependencies and include the key dependencies in your incident response plan.
  • Implement a comprehensive third-party risk management programme and audit your suppliers regularly. It’s important to classify your suppliers according to their criticality and to ensure that the depth of auditing reflects that classification.
  • Conduct thorough due diligence on potential third-party service providers to evaluate their operational resilience capabilities.

Information Sharing

The Information Sharing requirements mandated by DORA represent a significant step towards enhancing the resilience of the financial sector in the face of evolving ICT-related risks. This should be the standard for all organisations, not just financial entities, as promoting collaboration and communication among private/public entities, regulatory authorities, and relevant stakeholders is essential for effective incident response and mitigation. Embracing a culture of information sharing not only enables organisations to stay abreast of emerging threats and vulnerabilities but also fosters a collective approach to managing operational disruptions and cyber threats. Therefore, implementing robust information sharing practices should be considered a fundamental aspect of operational resilience and embraced by all stakeholders across the financial sector.

Practical ways to address this:

  • Engage with industry forums, conferences, and events focused on cybersecurity, operational resilience, and ICT risk management. These platforms provide opportunities to network with peers, share insights and experiences, and stay up to date on emerging trends and best practices in information sharing.
  • Explore and join information sharing initiatives and partnerships facilitated by industry associations, government agencies, and international organisations. These collaborative platforms offer secure channels for sharing threat intelligence, incident reports, and best practices with other financial entities.
  • Develop formalised information sharing agreements with peer institutions, regulatory authorities, and relevant stakeholders.
  • Invest in good threat intelligence solutions that offer TI customised for your organisation.

Conclusion

In the era of digital disruption, regulatory frameworks such as DORA represent a watershed moment for the financial services industry. By embracing proactive measures to enhance digital resilience, financial institutions can mitigate risks, enhance customer trust, and ensure operational continuity in the face of evolving cyber threats. Through strategic investments in technology, governance, and compliance, financial institutions can navigate the complexities of DORA and increase their resilience to ICT-related incidents.

As we embark on the journey towards DORA compliance, collaboration and knowledge sharing emerge as indispensable pillars of success. Regulatory bodies, industry associations, and cybersecurity experts must collaborate to provide guidance, facilitate knowledge exchange, and address emerging challenges. By fostering a collaborative ecosystem, stakeholders can collectively navigate the complexities of DORA compliance and pave the way for a resilient digital future.


    Copyright Smarttech247 - 2021