It is no secret that the financial sector is a prime target for cybercriminals, which is why stricter regulation is needed to help protect these institutions and their employee and customer data.
Recent research from Security Scorecard shows that 78% of European financial institutions experienced a data breach involving a third party in 2023, and 84% experienced a breach involving a fourth party (a supplier of one of their suppliers). As a result, regulators and supervisory authorities are looking to strengthen financial institutions' defences against cyberattacks and other information and communications technology (ICT) incidents.
The Digital Operational Resilience Act (DORA), which applies from January 2025, aims to reshape the regulatory landscape for ICT security by requiring financial institutions to take a proactive, multi-layered approach to managing ICT-related risk. The regulation introduces new requirements for protection, detection, containment, recovery and repair in the event of cyber incidents or technology disruptions. Its core pillars are ICT risk management, ICT-related incident reporting, digital operational resilience testing, management of ICT third-party risk and the sharing of threat intelligence.
DORA aims to implement and harmonise improvements in the operational resilience of some 22,000 financial entities in the EU. It applies not only to banks and other credit institutions, but also to payment providers, insurance companies, investment firms, fund managers, pension funds, crypto-asset service providers, crowdfunding services and more, and it brings critical ICT third-party service providers under direct oversight. The regulation lays the foundation for financial systems that are resilient and prepared for the digital threats of today and tomorrow.
The consequences of non-compliance
Financial institutions that fail to comply with the new regulation could find themselves in serious trouble. Unlike GDPR, DORA does not set a single EU-wide fine schedule: administrative penalties are laid down by the member states and imposed by national competent authorities, and for critical ICT third-party providers the regulation provides for periodic penalty payments that accrue daily until the issue is resolved. Beyond the direct financial cost, a published penalty damages the reputation of the non-compliant organization.
For example, when a major ICT-related incident occurs, the financial entity must submit an initial notification to its competent authority within hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), followed by an intermediate report within 72 hours and a final report within a month; clients whose financial interests are affected must be informed without undue delay. Missing these deadlines exposes the firm to administrative penalties, which the competent authority may make public. It is therefore critical that these companies continuously monitor their IT environment for threats and breaches and are prepared to respond appropriately. To do this, they must implement effective threat detection, a robust incident response plan with clear severity classification criteria, and visibility into the vulnerabilities in their systems. Without proper monitoring, organizations may miss key indicators of a breach and fail to notify the appropriate authority in time, further exacerbating the consequences.
Collaborate with experts to design a strong compliance framework
In preparation for this new regulation, every organization should undergo a comprehensive resilience assessment and gap analysis. This assesses how well the organization is prepared for a cyber incident and how quickly it can recover from one. Key areas are evaluated in depth, including the current state of the security infrastructure, the capacity to respond to incidents, and the maturity of continuous monitoring.
However, with the pressure of day-to-day operations, it can be difficult to work through these requirements in detail. This is where engaging independent third-party specialists to perform the resilience assessment can really help. They can help the company create a compliance roadmap: a clear plan that sets out the steps the organization needs to take to meet the requirements and maintain compliance. Such a plan helps prioritize the projects that will have the greatest impact on improving security and minimizing risk.
Part of this process involves scheduling the various compliance projects and prioritizing the aspects of cybersecurity that will have the greatest impact. With an expert-led roadmap, organizations can allocate their resources better and ensure that their initiatives focus on mitigating the most pressing threats.
Incident response strategies and taking responsibility at the board level
A key component of any resilience assessment is the organization's incident response process. A well-written incident response plan is essential, but equally important is how the organization actually responds and whether it tests its resilience regularly to remain prepared; DORA requires a testing programme, including threat-led penetration testing (TLPT) for the entities it designates. It is essential to examine the existing frameworks and procedures for dealing with cyber incidents and ensure they are in line with the regulatory requirements. This includes determining what infrastructure exists internally for recovery and whether it can support the organization in the event of a major breach.
In addition, accountability for cybersecurity must sit at board level. DORA places ultimate responsibility for managing ICT risk with the management body, so this should be treated as a core activity involving senior management and the board of directors. When the board is fully aware of the risks and plays a direct role in overseeing cybersecurity initiatives, it helps establish a security culture throughout the organization.
Continuous monitoring and lifecycle management
Continuous monitoring of risk factors is essential to maintaining a strong security posture, and a mature monitoring programme sets the organization apart from its competitors.
Today's cyber threats evolve rapidly, and staying ahead of them requires careful lifecycle management of IT systems, security controls and risk. Organizations must continually assess where they stand on compliance and risk management, and keep evaluating and refining their processes. Businesses must embrace an active lifecycle: understand, plan, test, and repeat. That way, when a cyber incident occurs, they are not only prepared but, more importantly, can recover quickly and demonstrate the resilience that regulations like DORA aim to instil.