The Digital Operational Resilience Act (DORA) was enacted in January 2023 and will be in full force in January 2025. Even if regulators provide a grace period (just as they did for GDPR) and January 2025 seems like a long way off, time passes quickly. It is, therefore, essential for financial institutions regulated under DORA to start planning their compliance journey now.
Given the ever-increasing risks of cyber attacks, the EU is strengthening the IT security of financial entities such as banks, insurance companies and investment firms. Today the Council adopted the Digital Operational Resilience Act (DORA) which will make sure the financial sector in Europe is able to stay resilient through a severe operational disruption.
DORA at a Glance
The press release from the European Council provides a concise description of DORA’s purpose:
“DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.”
Understanding the intersection between DORA, GDPR, and NIS2 is crucial.
Companies regulated under DORA still need to comply with GDPR requirements. It’s important for IT service providers to understand that DORA brings its own set of challenges, separate from GDPR. If a company violates European privacy laws, it can also be in violation of financial services supervisory laws, which can lead to further consequences. Additionally, certain credit institutions and trading venues must follow the NIS2 directive in addition to DORA, but DORA takes precedence in case of any conflicting regulations due to its more specific nature (lex specialis).
DORA requirements are broken down into five foundational pillars that serve the act’s core objectives. Before we get into those, we should point out a few things that follow from DORA’s mission statement. One of them is that the EU Council recognizes that financial institutions are among the most highly targeted entities and that security incidents may include business interruption. As per the Bank of England’s “Systemic Risk Survey Results 2022 H2” report, 74% of the participants consider cyberattacks to be the most significant risk in both the short and the long term. The second-highest risks are inflation and geopolitical incidents, which are almost equally concerning.
One important aspect of a robust security strategy is the ability to quickly recover and return to normal operations, which is exactly what DORA aims to achieve. Additionally, it’s worth noting that supply chains in the financial industry have historically lacked the same level of accountability as the institutions themselves. However, with the implementation of DORA, third-party vendors will now be closely monitored and regulated by industry regulators.
Breaking Down the Five Pillars of DORA
ICT Risk Management
The first pillar includes frameworks and guidelines to help financial institutions increase the maturity of their risk management programs. These guidelines aim to minimize the risk of attacks by reducing the attack footprint, detecting active attacks, and developing strategies to mitigate the impact of successful attacks. Solutions that align with this category comprise vulnerability management, application security testing, data and asset discovery, and penetration testing. Additionally, safeguarding endpoints, preventing data leaks, and securing public-facing web applications should be considered within this pillar.
Classification and Reporting of ICT-related Incidents
The second pillar overlaps somewhat with the first, as it involves identifying signs of compromise in your IT infrastructure and handling any malicious activity. However, it also adds guidelines of its own, such as an impact-based classification scheme for incidents and templates for the content of incident reports. This pillar emphasizes maintaining integrity and managing configurations, as well as keeping your incident response plan documented and up to date. Solutions that utilize threat intelligence are crucial for detecting elusive malicious activity that may have bypassed your initial defenses.
ICT Third-Party Risk Management
The third pillar focuses on supply chain risk management. Although the supply chain risk is typically implied in other mandates, DORA specifically addresses this risk due to the visibility of high-profile supply chain attacks in the last couple of years. To mitigate supply chain threats, organizations must have an inventory of all contractual agreements with ICT service providers and a process to evaluate potential new business partners and existing ones. Some additional considerations include phishing simulations and other security awareness training to help prevent employees from being socially engineered by bad actors masquerading as business partners. Additionally, it is crucial to have controls to prevent malicious files from being shared between partners. Financial institutions must also plan for potential service interruptions caused by their partners.
Digital Operational Resilience Testing
The fourth pillar emphasizes testing the institution’s plan for dealing with incidents. The aim is to detect any potential shortcomings and identify areas where efficiency can be improved and systems strengthened. Tabletop exercises serve as one effective method of testing your incident response plans. In addition, adversary simulations and red teaming are advisable, as they can highlight weaknesses and enhance your teams’ skills.
Information Sharing Between Financial Entities
The fifth pillar advocates for collaboration within the financial sector to combat shared adversaries. By exchanging intelligence, indicators of compromise, and the latest tactics, techniques, and procedures (TTPs) with peers in the industry, everyone can increase their ability to withstand challenges.
Of these pillars, the fifth stands out a bit, as it aligns with the theme of the 2023 RSA Conference, “Stronger Together”. In multiple sessions, industry leaders discussed how the security community needs to work together and share insights to improve our defenses against threat actors.
A few years ago, I worked with a former security leader of a global financial institution. He told me that although financial institutions compete with each other for new business, he collaborated regularly with his counterparts at these competitors because they all had the same goal, which was protecting their respective employers from the same types of attackers. Other industries would benefit from this same type of collaboration, so hopefully, we will see more of that in the years to come.