Everything You Need to Know About the 2025 Digital Operational Resilience Act

What is DORA, and how can you prepare for it?

Written by Sean Tilley
Published on Dec. 06, 2024

In 2023, 78 percent of European financial institutions experienced a data breach involving a third party, according to recent research undertaken by Security Scorecard. And 84 percent of financial organizations have experienced a breach involving a fourth party.

Regulators and authorities are keen to strengthen financial institutions’ defense against cyberattacks and other information and communication technology incidents.

What Is DORA?

The Digital Operational Resilience Act (DORA), which applies from 17 January 2025, changes the regulatory landscape for financial-sector resilience by requiring financial entities to adopt a proactive, multi-layered approach to managing information and communication technology (ICT) risk.

The regulation introduces requirements covering protection, detection, containment, recovery and repair in the event of cyber incidents or technological disruptions. Its obligations fall into five areas that financial entities must address: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management and threat intelligence sharing.

DORA seeks to drive and harmonize operational resilience improvements across the E.U.’s 22,000 financial entities.

It applies not only to banks and other credit institutions, but also to payment and e-money institutions, insurers, investment firms, fund managers, pension funds, crypto-asset service providers, crowdfunding service providers and more, and it brings ICT third-party service providers into scope through an oversight framework for those designated as critical.

The new regulation will provide the foundation for building financial systems that are agile and prepared for the digital threats of today and tomorrow.


Why Compliance Is Imperative Right Now

Failure to comply could land financial institutions in hot water. DORA leaves the penalties for financial entities to each member state, which are expected to set fines comparable to those seen under GDPR; for critical ICT third-party providers, the regulation itself allows periodic penalty payments of up to 1 percent of average daily worldwide turnover, charged daily for up to six months until the provider complies. Beyond the financial hit, enforcement actions damage an organization's reputation.

For example, when a major ICT-related incident occurs, DORA and its reporting technical standards require an initial notification to the competent authority within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month. The 72-hour window often quoted comes from GDPR's breach-notification rule and is not the first DORA deadline. Clients whose financial interests are affected must also be informed without undue delay. Authorities that find an entity has failed to comply can, among other measures, issue public notices naming the entity and the nature of the breach.

These companies need to constantly monitor their IT environment for possible threats and breaches and be prepared to respond appropriately. To achieve this, they must implement advanced threat detection systems, a robust incident response plan and gain a clear understanding of the vulnerabilities in their organization’s systems.

Without proper monitoring, organizations could be missing key indicators of a breach and may fail to notify the appropriate regulatory bodies on time, which could compound the consequences. 


Partner With Experts to Create a Compliance Roadmap

To prepare for these new regulations and assess your preparedness, every organization should undergo a comprehensive resilience review and gap analysis. This requires an in-depth evaluation of key components, such as the current state of security infrastructure, incident response capabilities and ongoing monitoring efforts.

Getting to the heart of these requirements while dealing with the day-to-day can be challenging. This is where engaging with independent external specialists and third-party vendors to conduct these critical resilience reviews can really help.

Third parties can help businesses build out a compliance roadmap — a clear plan outlining the steps the organization must take to achieve and maintain compliance. Having a plan will help you prioritize the projects that will have the greatest impact on improving the organization’s security posture and minimizing risk.

Part of this process involves juggling various compliance projects, as well as prioritizing the aspects of cybersecurity that will have the most significant impact. With an expert-led roadmap, organizations can better allocate their resources and ensure that their efforts are directed toward mitigating the most pressing threats.


Involve Senior Management in Reviewing Your Cybersecurity Frameworks

A well-written incident response plan is crucial, but equally important is how the organization actually responds when the plan is invoked, and that it rehearses the plan through regular ICT resilience exercises. DORA expects all in-scope entities to test their ICT systems at least yearly, and requires the entities that authorities identify for it to undergo threat-led penetration testing at least every three years.

You must examine the existing frameworks and procedures for handling cyber incidents, ensuring that they align with regulatory requirements. This includes determining what infrastructure exists internally for cybersecurity recovery and whether it can support the organization in the event of a major breach.

Additionally, establish board-level accountability for cybersecurity. DORA places ultimate responsibility for managing ICT risk on the management body, so cybersecurity must be treated as a core business concern requiring involvement from senior management and the board of directors. Ensuring that the board is fully aware of the risks and has a direct role in overseeing cybersecurity initiatives helps embed a culture of security throughout the organization.


Monitor Security Protocols Continuously

Ongoing monitoring of risk factors is essential to maintaining a strong security posture and staying competitive.

Today, cyber threats evolve rapidly, and staying one step ahead requires diligent lifecycle management of IT systems, security protocols and risk. Organizations must continuously assess where they stand in terms of compliance and risk management, revisiting and refining their processes.

Companies need to actively embrace a lifecycle management approach — understand, plan, test and repeat — to ensure they’re prepared when a cyber incident occurs, and that they can recover quickly and demonstrate the resilience that regulations like DORA seek to instill.
