Certa’s Jag Lamba explores steps organizations need to take to comply with the EU’s upcoming DORA rules that seek to strengthen the backbone of the financial sector.
On Jan. 17, 2025, the European Union’s latest regulation to strengthen the backbone of the financial sector will come into full force. The EU’s Digital Operational Resilience Act (DORA) was passed in 2022 and we’ve seen the slow rollout of the rules and regulations that financial firms must follow. Organizations will be expected to implement specific policies, practices and internal controls that will help the financial sector as a whole stay operational even in the face of cyberattacks, natural disasters and other disruptions.
DORA emphasizes due diligence, contract management, incident response and continuity planning. As a result, complying with its rules will in some cases require organizations to reevaluate their vendor contracts, cybersecurity protocols and data management tools.
While DORA is aimed squarely at financial institutions — banks, credit card providers, insurance firms, broker-dealers, crowdfunding platforms, cryptocurrency services and the like — it isn’t solely those in the finance sector who need to pay attention. The act’s focus on digital resilience and cybersecurity, along with its stipulations on third-party management, means that a number of technology firms will find themselves going through the DORA process themselves if they sell to or work with the financial world. This can include cloud providers, IT outsourcing firms, cybersecurity companies, data center operators, managed service providers and more.
Companies don’t need to be headquartered in the European Union to be subject to DORA regulations, either. Any financial organization with customers in those countries or otherwise doing business related to the financial sector in the EU must comply.
Article 6, Section 8 of DORA requires that each company have a “sound, comprehensive and well-documented ICT [information and communication technology] risk management framework” that includes “a digital operational resilience strategy.”
DORA-proof your organization
Define tolerance for ICT risk and overall risk appetite
Every venture involves risk — it’s unavoidable. What does change from business to business is the level of risk that an organization deems acceptable as part of doing business. That risk can change depending on many factors, most notably the category of risk. DORA requires businesses to define their acceptable parameters of risk for their operation — ICT and disruption risks in particular. Every other aspect of the company’s risk management framework needs to be in line with the defined risk appetite. In other words, if a risk goes beyond the comfortable range, there should be a defined plan in place for how it will be dealt with.
Set clear information security objectives
The next step is to identify and document the data security objectives that line up with both the risk appetite defined above and also the company’s broader business goals and needs. What type of information is most in need of safeguarding? What are the likely attack vectors that malicious actors would go after?
This step is about setting baselines for success when it comes to reducing digital and third-party risks. As such, the objectives should be meaningful to the day-to-day operations and measurable so it’s easy to determine if they’re met. And finally, companies should only set objectives that they’re willing to pursue; committing to more than a company can or will follow through on is likely to waste resources or create a misalignment between security goals and expectations.
Outline mechanisms for incident detection, prevention and protection
With objectives in place, it’s time for organizations to outline the specific tools and processes that will be used to deal with attacks or disruptions. DORA also stipulates that the resilience strategy should explain the current ICT architecture in place at the business and any changes that must take place in order to utilize those tools or procedures that will help secure the digital environment.
Then, it’s time to put those plans into practice. Detection, prevention, protection and mitigation are the key categories here, and each should be sufficiently addressed. Powerful cybersecurity tools are an important piece of the puzzle, but it’s important not to overlook the role of third-party vendors and partners in this step. DORA is particularly concerned with third-party risk, so this is a crucial time to perform due diligence around vendors’ operational resilience, regulatory compliance and current security postures.
Many financial institutions and the vendors supporting them are focusing on building out data maps to help meet DORA compliance by January. This is a function of TPRM (third-party risk management) systems that requires bringing in data from the disparate systems where vendor data may reside — contract management, cybersecurity and customer service systems, to name a few — and many legacy systems are being updated to enable this capability. A detailed map of the company and its vendor (and subcontractor) relationships will help illuminate where any crucial data may be and at the same time will make visible the dependencies that could threaten the financial organization if a disruption were to occur at a vendor.
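The dependency visibility such a map provides is easiest to see in code. The following is an added example, not from Certa or the article: a small vendor-and-subcontractor map with constructed, hypothetical names, plus functions that walk the subcontractor chain to show which critical business functions a disruption at any given party would reach, rank parties by that blast radius, and list parties that support critical functions only indirectly, with no direct contract to the firm.

```python
from collections import defaultdict

# Constructed sample map (hypothetical names): critical business functions with
# the vendors contracted to support them, and each vendor's own subcontractors.
FUNCTION_VENDORS = {
    "payments clearing": ["CloudHostCo", "PayGatewayLtd"],
    "customer onboarding": ["KYCProviderInc"],
    "fraud monitoring": ["FraudAnalyticsCo"],
}
SUBCONTRACTORS = {
    "PayGatewayLtd": ["CloudHostCo"],
    "KYCProviderInc": ["DataCentreOps"],
    "FraudAnalyticsCo": ["CloudHostCo", "DataCentreOps"],
}

def all_parties(function_vendors, subcontractors):
    """Every vendor or subcontractor named anywhere in the map."""
    parties = {v for vs in function_vendors.values() for v in vs}
    for vendor, subs in subcontractors.items():
        parties.update([vendor, *subs])
    return parties

def affected_functions(party, function_vendors, subcontractors):
    """Critical functions a disruption at `party` reaches, walking the
    subcontractor chain upward (subcontractor -> vendor -> function)."""
    dependents = defaultdict(set)  # subcontractor -> vendors relying on it
    for vendor, subs in subcontractors.items():
        for sub in subs:
            dependents[sub].add(vendor)
    reached, stack = set(), [party]
    while stack:  # depth-first walk; `reached` also guards against cycles
        current = stack.pop()
        if current not in reached:
            reached.add(current)
            stack.extend(dependents.get(current, ()))
    return sorted(f for f, vs in function_vendors.items() if reached & set(vs))

def concentration_report(function_vendors, subcontractors):
    """Blast radius per party, widest first; a party that reaches every
    function is a single point of failure the resilience strategy must cover."""
    parties = all_parties(function_vendors, subcontractors)
    report = {p: affected_functions(p, function_vendors, subcontractors) for p in parties}
    return dict(sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])))

def indirect_only(function_vendors, subcontractors):
    """Parties supporting critical functions only as subcontractors: no direct
    contract exists, so the prime vendor's subcontractor terms are the lever."""
    direct = {v for vs in function_vendors.values() for v in vs}
    return sorted(all_parties(function_vendors, subcontractors) - direct)
```

In the sample data, CloudHostCo reaches two critical functions even though it is directly contracted for only one, and DataCentreOps is never in a direct contract at all.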
Set and enforce expectations with strong contract management
DORA requires that all contracts with vendors clearly define roles and responsibilities, lay out the types of mandatory resilience training required and put in writing which subcontractors are permissible. Any contracts that don’t cover these items could put a company at risk of noncompliance. And there’s still one more contract detail that is perhaps the most important part of all: defined audit rights, which will be important when it comes to both regulatory reporting and incident recovery.
Defined audit rights make it possible for a company to gain insight into the key operational and security details of its vendors — something that has to be accounted for when reporting data to DORA regulators. Those regulators will be looking for such contract stipulations, and without them there’s no guarantee a vendor will provide the information needed for an investigation after an attack or disruption. In fact, many would prefer to hide as much information as possible about that disruption to try to save face. Vendors found to be lacking in their ability to provide necessary data should be either brought up to speed or divested from quickly.
Develop a communications plan to be followed after any incidents
A clear communications plan that follows Article 14 of DORA must be in place. These plans must specify the “responsible disclosure” of major ICT-related incidents or vulnerabilities to parties that need to know, both inside and outside the company. Article 14 also specifies that at least one individual needs to be in charge of implementing this communication strategy and serve as the public- and media-facing person for such matters.
Routinely test the resiliency program
Finally, the resiliency framework needs to be carefully tested. DORA’s Article 26 requires that companies perform a threat-led penetration test (TLPT) at least once every three years, and that test must cover the ICT systems that support vital business functions. It can’t just be a homemade TLPT, either; Article 27 defines a valid test for DORA compliance as one that is run by an organization external to the one being tested, has demonstrated the required expertise and is approved by the relevant regulatory authority.
A new world for managing third-party risk
While the deadline for DORA compliance is coming up quickly — January 2025 — most of these aspects of an acceptable resilience strategy and risk management framework are not things that can be put together quickly.
It’s important for companies that operate in or support the financial sector to start building the foundation for compliance today. Further DORA rules, likely around testing technical standards and incident reporting timelines, are set to be published in July, but that, too, is not worth delaying for — any such rules will be in addition to those above, so businesses will still need this strong foundation to build upon.