The EU’s Digital Operational Resilience Act (DORA) entered into force in January 2023, and its requirements apply from 17 January 2025.
DORA aims to simplify and update the rules on ICT risk management in the face of rapid technology adoption. This includes a focus on incident reporting, digital operational resilience testing, information sharing, and management of ICT third-party supply-chain risks.
It is a single set of rules that enforces a common standard of operational resilience across the wider EU financial system. In cases of non-compliance, regulators have the power to impose steep penalties: for critical ICT third-party providers, periodic penalty payments of up to 1% of average daily worldwide turnover from the preceding business year, applied for each day of non-compliance for up to six months, while penalties for financial entities themselves are set by the member states.
DORA isn’t just an issue for ICT
DORA (or the UK equivalent) may be framed around ICT risk management, but it isn’t limited to ICT. It will affect your entire organisation. Your management body will be responsible and accountable for monitoring, approving, reviewing, and setting the direction of your organisation’s ICT risk management framework.
Here are some of the biggest challenges your financial services organisation could face in the implementation of DORA, and what you’ll need to do to comply:
Creating a framework for DORA compliance
While many new organisations focus on delivering a minimum viable product and worry about governance and risk afterwards, DORA requires these to be in place from the start. Building the framework takes considerable time and resource, but it gives you an up-to-date overview of the policies, procedures, protocols, and tools needed to protect your organisation’s assets.
Managing cyber risks
The UK financial sector is already mature in managing cyber risk. However, DORA places a greater responsibility on your organisation to classify, report and respond to ICT-related incidents and threats.
Although you’ll only need to report major incidents to your competent authority, reporting must happen within strict deadlines. Fortunately, the process is standardised across member states, with common templates for the initial notification, intermediate report and final report, and a centralised EU reporting hub may yet be set up to improve the flow of information around major incidents. Each company’s contribution to EU-wide situational awareness is a driving factor in this harmonisation.
Detecting threats and vulnerabilities
To respond to incidents effectively, you will need to put measures in place for regular testing. A far wider range of digital testing, including vulnerability scans, network assessments, and penetration tests, has been identified as necessary.
These will play a central role in your DORA strategy, and are something you’ll need to regularly review and update to ensure continued compliance. In addition, threat-led penetration testing (TLPT), reflecting the CBEST and TIBER-EU style of intelligence-led testing against live production systems, must be carried out at least every three years by the financial entities that regulators designate for it.
Sharing information
DORA also encourages financial services organisations and third-party providers to share cyber threat intelligence, such as indicators of compromise, security alerts, and the tactics, techniques and procedures of threat actors, to improve threat detection.
Fortunately, some sharing platforms already exist. In the UK, the NCSC runs the Cyber Security Information Sharing Partnership (CiSP), where such information is shared within the community, and the Financial Sector Cyber Collaboration Centre (FSCCC) has been created to act as a blueprint for collaborative information sharing. This fits with wider EU initiatives to improve cyber information sharing, notably the proposal for a Joint Cyber Unit (JCU). Proposed to be operational by June 2022 and fully established by June 2023, the JCU follows a four-phase approach to building a virtual and physical platform for solidarity and assistance in countering large-scale cyber attacks.
Managing third-party risk
Given the increased reliance on outsourced providers and the systemic risk they can present to the ecosystem, DORA focuses on critical ICT third-party providers (CTPPs), and as a result your business relationship with suppliers of critical ICT services will change.
Your organisation will need increased oversight of third-party providers, to ensure contracts are DORA compliant and that you are following suitable risk management procedures, including maintaining a register of all contractual arrangements for ICT services. Non-compliance by a provider may mean you have to stop using its services, temporarily or even permanently, which could have serious commercial implications, so finding a way to mitigate this risk holistically, for example through documented exit strategies, will be key.
Your next steps to DORA compliance
First, you need to determine whether your organisation and your critical ICT third-party providers fall under DORA’s remit (or the UK equivalent), and what you’d need to do to comply.
A cyber security review will help you identify your organisation’s current strengths and weaknesses and provide a roadmap to improvement.
Once your initial review is complete, you can start building a governance and risk management framework and develop information security controls and comprehensive testing plans.
However, given that this is a comprehensive people, process and technology shift that requires commitment from senior executives, this stage can take considerable time and resource to complete, so it pays to begin early.