Organisations are facing significant challenges in cybersecurity as cyber threats continue to evolve rapidly. In response to these concerns, regulatory bodies have implemented strict measures to protect the integrity of IT systems. The EU's Digital Operational Resilience Act (DORA) is one such measure, set to redefine the cyber resilience landscape for organisations across Europe.
DORA's primary objective is clear: to mitigate cyber threats and ICT risks within the EU. However, its scope extends beyond geographical boundaries, emphasising the importance of resilience throughout the interconnected global network. DORA takes effect on January 25th, 2025.
Why is There a Need for DORA?
As cybersecurity threats increase across all industries, organisations within the financial industry are particularly at risk. Financial institutions across the EU have varied levels of preparedness and resilience to cyber threats and ICT-related incidents. Inconsistent cyber defence across EU member states creates gaps in resilience that can impact financial institutions across the region. Fragmented regulatory requirements make cross-border collaboration and uniform compliance difficult, creating significant vulnerabilities. DORA addresses this by regulating security protocols.
Growing Threat
The financial sector has become a prime target for cyberattacks due to its critical role in the economy and the sensitive data held by financial institutions. Eurofins Scientific, SolarWinds, ING Bank, Lloyds TSB, and Travelex are just a few of the high-profile organisations that have recently been targeted, highlighting cybersecurity vulnerabilities.
Digitalisation of Financial Services
In recent years, financial institutions have undergone rapid digital transformation. This brings a range of benefits for organisations and their customers. However, it also increases reliance on ICT systems. This has in turn increased the potential impact of operational disruptions such as outages, data breaches, and cyberattacks. Regulators have recognised that a unified framework is required to protect the financial system’s stability and security and to protect the resilience of critical financial services. DORA is this framework.
Regulatory Gaps
Previous regulations have focused on financial stability but have lacked comprehensive and consistent requirements for ICT and cybersecurity risk management. Regulatory inconsistencies created gaps in operational resilience and incident reporting, leaving many institutions ill-prepared for major disruptions. Under DORA, organisations will have a clear set of protocols and effective responses to any security incidents.
Strengthening Trust & Stability
The growing number of cyber incidents in the financial sector poses risks to individuals and to the broader financial ecosystem.
DORA is designed not only for finance organisations but also their ICT supply chains. It is designed to implement a clearly defined, high level of digital resiliency. It’s likely that existing frameworks will cover many of DORA’s requirements. However, the regulation introduces specified, elevated standards in several key areas. This means that most organisations will have certain gaps to address.
When DORA takes effect, non-compliance will leave organisations vulnerable to fines, legal action, and reputational damage. If suppliers are not fully compliant, they may no longer be trusted to provide services for the financial sector.
Five Pillars
DORA operates across five key pillars.
ICT Risk Management
- Implementing robust frameworks aligned to systems and data
- Implementing risk mitigation tactics
- Continuous monitoring
ICT Incident Reporting
- Clear process for reporting incidents to regulators
- Definition of an incident
- Reporting in a timely manner
Digital Resilience Testing
- Stress testing, tabletop exercises, penetration testing, etc.
- Threat-led penetration testing for larger organisations
ICT Third-Party Management
- Identifying, understanding and managing risks posed by suppliers
- Assessing and monitoring the security performance of suppliers
Information Sharing
- Exchange of cyber threat intelligence
- Sharing information about vulnerabilities
- Identifying and reporting emerging threats
Asset Management
Risk management also involves asset management. In cybersecurity, it’s often said that you can’t protect what you don’t know. A clear inventory of assets is essential to effective cyber defence. With many people now working remotely and many workloads in the cloud, it can be challenging to continually discover assets and keep the inventory up to date. However, maintaining an accurate and current list is essential.
Vulnerability management also requires good asset management. Continuous monitoring is an essential part of identifying and managing risks.
Managing the Supply Chain
Due to the nature of their business and the sensitivity of their data, most financial institutions have strong security systems. However, third-party vendors, who may not maintain the same levels of security, can leave them vulnerable. It is therefore essential to implement clear management of third-party vendors and to monitor their performance and risk management constantly. Knowing what’s happening at every point of the supply chain enables effective risk management.
Insider Risks
Financial institutions must also consider insider risks. People within an organisation can accidentally leave it exposed if they do not observe security protocols. Separation of duties may also mean that people are not clear on what others are doing or how they need to collaborate to maintain security.
There is also the danger of hostile insiders. Individuals with a grievance against the company can create security breaches by downloading or sharing databases, disrupting access to sensitive data, etc. It’s important to consider these possibilities and protect against them.
Penetration Testing
Penetration testing can help to identify vulnerabilities. It can be particularly useful for larger organisations with multiple “attack surfaces”: potential targets of attack, including digital, physical and human targets, both within and outside an organisation. All surfaces must be protected to ensure cybersecurity and DORA compliance.
Threat-led penetration testing can involve large exercises engaging multiple teams. These are resource-intensive processes that require collaboration. Threat-led penetration testing should be conducted at least every three years, and the overall process should take at least twelve weeks. This gives a sense of the scale of the process.
External Review
There are many benefits to having external experts test your security infrastructure and processes. Threat-led penetration testing from external partners can reveal potential risks that may go unidentified within an organisation. These partners operate like hackers to test defences. The Bank of England has designed a framework called CBEST, which is considered “best in class” in current penetration testing.
“Tabletop” exercises involving input and discussion from all stakeholders can also help to reveal potential security issues and hidden processes. Using these exercises to bring teams together and discuss a continuous testing methodology that accounts for all potential vulnerabilities can be extremely productive.
These processes and systems can prove expensive and so should be factored into budgeting processes. The expense of comprehensive cybersecurity protocols is always justified, particularly in the finance industry, where the stakes for organisations are exceptionally high.
DORA Audits
Organisations in the EU finance industry can be audited for DORA compliance; compliance is not optional. Compliance will make individual organisations and the industry overall much more resilient and consistent in terms of cybersecurity.
Incident Protocols
Defining protocols around security incidents is a key part of DORA compliance. Everyone across an organisation and its supply chain must have a shared understanding of how to define an incident, how to respond, and how to report it.
Information Sharing
Information sharing supports cybersecurity. Within an organisation it should be done consistently, and tabletop exercises are a great way to ensure that everyone is on the same page.
Information sharing between organisations can also provide crucial insights. Organisations that have experienced incidents or attacks can share information with industry colleagues to help protect against similar incidents.
With new cyber threats emerging all the time, keeping in close contact with other organisations can work as an alert system across the industry. This collaboration makes the industry across the EU more secure. This is the kind of consistent, comprehensive, and collaborative industry-wide approach that DORA supports.
First Steps for DORA
- Understand DORA requirements
- Assess whether your organisation is within DORA’s scope
- Measure current security systems against DORA’s five pillars
Anticipated Benefits of DORA
- Improved, unified cybersecurity measures across the EU financial industry
- Improved client experience
  - Streamlined customer experience and improved customer service levels with less disruption
- Reduced financial loss
  - Lower direct costs associated with critical incidents such as client compensation or regulatory fines
- Lower risk management costs
  - Fewer high-risk events and a more streamlined risk management process result in lower costs
- Increased brand value
  - Strengthened brand reputation
  - Seamless implementation of new systems with an integrated risk strategy
- Lower regulatory risk
  - Reduced risk of regulatory non-compliance with international or regional legislation
DORA FAQ
How does DORA relate to ISO27001?
If your organisation is already ISO27001-accredited, you must still ensure that you are aligned with DORA requirements and will have to reference DORA for legal compliance. You may also need to update your incident response procedures to be fully compliant. It is worth carrying out a review to identify any necessary updates.
AI & DORA
DORA is also relevant in the context of AI’s increasing prominence. DORA breaks down the risk areas for AI. Regulation is necessary to support AI as it becomes more prevalent, particularly in organisations dealing with sensitive data and functions. AI overlaps significantly with some of the platforms organisations already use. For potential attackers, it makes it easier to create phishing emails, scrape websites for contacts, or even produce deepfakes.
It's important to assess AI use in terms of potential risk and impact on business resilience. The DORA compliance process supports this.
How Does NIS2 Relate to DORA?
Financial institutions in the EU must also comply with NIS2, the EU’s Network & Information Security directive. DORA falls under NIS2 and the controls listed for both measures will be aligned. Organisations that fall under DORA will most likely need to be NIS2-compliant as well. They will need to comply with specific regulations within DORA and general security requirements within NIS2.
For more information on DORA and how your organisation can ensure compliance, contact hello@auxilion.com to schedule a meeting with one of our experts.