Author: KYND – www.kynd.io

In response to the rapidly increasing integration of technology in financial firms, and with cyber-attacks becoming more frequent, targeted, and complex than ever, an important new regulation called DORA is now being implemented by the EU.

Having entered into force on 16 January 2023 and becoming applicable from 17 January 2025, DORA is used to enforce effective cyber risk management and drive operational resilience for over 220,000 financial entities in the EU, including but not limited to banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers and cloud service providers. While sharing similar goals with other regulations affecting the sector such as the FCA operational resilience policy or GDPR, the latest framework particularly focuses on Information and Communication Technology (ICT) risk. This implies that the affected organisations will need to adapt by effectively managing their third-party cyber risks and only interacting with third-party vendors that offer ‘high, appropriate, and the latest information security standards’.

But, seemingly straightforward on the surface, what exactly does this new regulation mean for financial firms? And, if your organisation is in scope, how can you ensure you have the right defences in place to ease your compliance with DORA? We answer all of these questions and more in our latest blog. So read on!

So what is DORA?

This isn’t the explorer you’re looking for…DORA is not the adorable quest-solving heroine sporting her iconic bob, but the Digital Operational Resilience Act, which comes into full effect in January 2025, is a new framework proposed by the European Union to help prevent and mitigate cyber threats in the EU financial sector, and ensure continuity of critical services, financial stability and consumer protection. As a binding EU regulation on digital operational resilience for the financial sector, DORA seeks to address potential systemic and concentration risks posed by the sector’s reliance on Information and Communication Technology (ICT) third-party providers (TPPs), and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring. As such, it will introduce uniform requirements for financial organisations.

DORA requires all financial organisations to ensure their ability to face and withstand cyber threats, outlining criteria for safeguarding the network and information systems of financial institutions and ICT third-party service providers, such as digital service providers and digital service operators. As an EU regulation, UK firms conducting business in Europe will need to comply with its requirements. As it comes into effect in January 2025, it’s important for financial organisations to start paying attention to how this will affect them and their business, and prepare for compliance before the deadline. This may sound easier said than done, but in order to not get lost in the jungles of regulatory changes, KYND helps you explore exactly what DORA compliance involves.

Understanding the five pillars of DORA

DORA separates digital operational resilience into five areas: 1) risk management, 2) incident reporting, 3) digital operational resilience testing, 4) third-party risk management, and 5) information and intelligence sharing. Let’s break down what these mean in a nutshell:

1. Risk Management: Managing cyber risks effectively significantly reduces the chances of cyber incidents. By having regular cyber risk assessments, you can prevent cyber threats before they strike. This pillar requires an organisation’s management body to have implemented the appropriate measures and controls to ensure operational and security risk management, as well as ensuring that their ICT risk management framework is well-documented, outlining strategies, policies and procedures to secure ICT assets and the offline infrastructure supporting them, periodically reviewed and audited.

2. Incident Reporting: DORA introduces fresh obligations for preparing, responding to, and reporting any ICT-related incidents or threats that have occurred. This includes the number of users impacted, duration, geographic spread, data loss, impact to ICT systems, and criticality of services affected. Major incidents must be reported within the same business day and follow-up reporting will be due after a week. A detailed and timely report allows for monitoring and appropriate management of incidents, and for both organisations and regulatory authorities to continuously improve recovery processes.

3. Digital Operational Resilience Testing: Organisations are required to run comprehensive risk-based tests at least once a year. The level of testing required will depend on the nature, scale and complexity of the organisation, but in all cases external testing is necessary to assess readiness for handling ICT-related incidents and identifying weaknesses or gaps in digital operational resilience. As well as annual testing, financial entities will also be required to organise threat-led, live penetration testing every three years (known as a red-team type exercise) that must be performed by independent testers with approval from a DORA regulator to guarantee reliable test outcomes. The preparation for the process can be time-consuming, with approximately 2 years of recommended planning time. Organisations are strongly advised to commence their preparations as early as possibly to ensure sufficient time for regulatory approval, with the deadline set at the end of 2024.

4. Third-Party Risk Management: DORA intends to help prevent systemic economic disruption by ensuring that financial entities have a robust, mature third-party risk management process in place as an integral element of their ICT risk management framework. This involves a defined multi-vendor ICT third-party risk policy strategy, an information register that includes details of all ICT third-party providers, the services they provide, and the functions they support. Additionally, an annual report on any changes made to this register is required. DORA also mandates annual assessments for critical providers to verify their compliance with the regulatory requirements. Failure to demonstrate compliance through standard checks will lead to legal and financial consequences.

5. Information and Intelligence Sharing: DORA envisions the formation of a stronger and more resilient environment for financial firms across Europe through promoting the sharing of critical information on threats and vulnerabilities across financial entities, regulatory authorities and technology providers. This aims to prevent the spread of cybercrime before a major economic impact occurs, as well as support and protect organisations from operational dangers.

Don’t mess with DORA!

It’s clear that no firm should wait until the end of the DORA implementation period, as preparations for compliance represent a significant and time-consuming task. But what are the consequences of non-compliance with DORA?

The new regulation in the realm of financial services places the ultimate responsibility on board members and directors to implement the right measures to prevent and mitigate cyber threats. If an organisation fails to comply with DORA, these individuals will be held accountable. Therefore, senior management teams must begin planning for the necessary changes within their organisations now, ahead of DORA’s official ‘go live’ date in January 2025, to avoid significant repercussions such as reputational damage, shareholder litigation, regulatory fines, and even criminal sanctions – as DORA requires Member States to provide for individual civil liability for board members, and it also leaves open the possibility for Member States to establish criminal liability.

While compliance with these regulations presents challenges, your organisation can leverage this opportunity to strengthen its cybersecurity posture, improve third-party risk management and enhance incident response capabilities.

By prioritising cyber resilience, you can better protect your organisation, maintain the trust of stakeholders, and navigate the evolving threat landscape of the digital era with confidence.

What financial organisations can do to prepare?

While one and a half years may seem long enough to prepare for what’s on the regulatory horizon for the financial services industry, some of the expectations outlined in DORA will require significant time and effort from in-scope entities to implement to meet the required standards. But, as the famous saying goes, before anything else, preparation is the key to success.

There are several key steps you and your financial organisation can take to better prepare for the Digital Operational Resilience Act and ensure compliance. These steps include:

1. Establishing an incident reporting method in line with DORA’s requirements within your organisation:

• Implement a clear and structured incident reporting process that outlines the criteria for reporting operational disruptions or cyber incidents.

• Define roles and responsibilities within your organisation for incident reporting and establish communication channels to promptly notify relevant stakeholders, including regulators if required.

• Ensure that incident reports are documented, analysed, and used to improve incident response and recovery procedures.

2. Enhancing your corporate governance and compliance:

• Appoint dedicated teams or individuals responsible for overseeing operational resilience and compliance with DORA requirements.

• Establish effective communication channels with regulators to stay informed about updates, guidelines, and reporting obligations.

• Regularly review and update internal policies and procedures to align with evolving regulatory requirements.

• Engage in regular audits and assessments to ensure ongoing compliance with DORA’s provisions.

3. Strengthening your organisation’s technology infrastructure and cybersecurity measures:

Invest in robust technology infrastructure to support the organisation’s digital operations and ensure scalability, reliability, and resilience.

• Implement strong cybersecurity measures, including firewalls, encryption, multi-factor authentication, and intrusion detection systems.

• Regularly update software, operating systems, and security patches to address known vulnerabilities and protect against emerging threats.

• Conduct regular vulnerability assessments to identify and address potential weaknesses in the digital infrastructure. If you haven’t already heard, KYND can help you understand and manage your organisation’s exposure easily and effectively. We dive into the details below.

4. Developing a risk management framework for your ICTs:

• Establish a comprehensive risk management framework specifically tailored to your organisation’s information and communication technologies (ICTs).

• Introduce standardised third-party security assessments as a due diligence activity for your organisation when deciding who to cooperate with, and enter into contracts to ensure the overall security of your potential ICT third-party providers, reduce the risk of cyber incidents, and facilitate compliance with legal and policy requirements. Instant and actionable vulnerability reports such as KYND’s can effectively support your organisation in performing pre-contract due diligence for your potential vendors with ease and speed – read more about it below.

• Ensure that the agreements with the ICT third-party providers contain all necessary monitoring and accessibility arrangements, such as a full-service level description, indication of locations where data is being processed, etc.

• Identify and assess potential risks associated with the organisation’s digital infrastructure, including operational, technological, and cyber risks.

• Develop risk mitigation strategies and controls to minimise the likelihood and impact of disruptions in your organisation.

• Implement regular monitoring and reporting mechanisms to track your own risk exposure and that of your service providers, and ensure timely action is taken. At the bottom of this blog, we explain how KYND’s powerful, low-touch cyber risk management technology can help you alleviate unnecessary stress in managing your organisation’s third-party risks.

5. Strengthening your organisation’s incident response and recovery capabilities:

• Establish clear protocols and procedures for incident response and recovery, including escalation paths and decision-making authorities.

• Conduct regular training and drills to ensure your employees are familiar with their roles and responsibilities during cyber incidents.

• Maintain up-to-date contact lists of internal and external stakeholders involved in incident response, including regulators, law enforcement, and relevant vendors.

• Develop a robust business continuity plan to ensure critical functions can be maintained or quickly restored in the event of a disruption.

6. Planning for large-scale penetration testing:

• Conduct regular penetration testing exercises to assess the security and resilience of your organisation’s digital systems. Be sure to engage your critical technology and data service providers in this process too.

• Define specific scenarios and objectives for the pen-testing exercise to simulate real-world cyber threats.

• Engage qualified and independent third-party experts to perform penetration testing and provide objective insights into vulnerabilities and areas for improvement.

• Use the results of pen-testing to enhance cybersecurity measures, address identified weaknesses, and update incident response plans.

7. Investing in employee training and awareness:

• Provide comprehensive training programs to educate your employees about DORA requirements, cyber security best practices, and incident response procedures.

• Foster a culture of digital resilience by promoting employee awareness of potential risks and their role in maintaining operational resilience.

• Encourage reporting of potential vulnerabilities or incidents through internal reporting channels and anonymous reporting mechanisms.