Here's Why Businesses are Not Ready for DORA Compliance

Tension is building around the impending Digital Operational Resilience Act (DORA). This EU legislation ushers in an important new chapter in cybersecurity: it will require financial institutions and certain third-party ICT vendors to have robust security measures in place.

The three main objectives of DORA are to strengthen the resilience of critical IT infrastructure, combat the scale and speed of cyberattacks, and provide a cohesive regulatory framework. ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information and intelligence sharing are the five main pillars of DORA that will influence how financial services organisations handle ICT and cyber risks. Financial institutions and third-party vendors who operate in the European Union will be required to comply.

However, many organisations, and their security teams in particular, will have difficulty preparing for and adhering to these regulations. A penalty of up to 10 million euros, or 5% of annual turnover, will be imposed for noncompliance. It is imperative that businesses take action today, whether by hiring security professionals to detect, monitor, and address risks; by testing incident response strategies to satisfy the reporting requirements; or by obtaining insight into the ecosystems of their third and fourth parties.

Although DORA will not take full effect until January 17, 2025, compliance is a cross-functional effort that requires collaboration from more than just IT. The CISO's team, together with legal, compliance, risk management, and others, must work toward a shared objective; that partnership is what makes fast and effective DORA compliance possible. Organisations need to prepare for the DORA journey over the course of the next 16 months by improving existing procedures and policies. The objective is clear: to increase cyber resilience and streamline cybersecurity. With that in mind, the following actions would benefit security practitioners.

Steps to take

As part of their overall risk management strategy, organisations must establish and implement a comprehensive ICT risk management framework. Having a platform in place to assist with the development, implementation, and monitoring of this framework will help meet regulatory requirements, while cybersecurity ratings will give a quantifiable, data-driven assessment of your organisation's cybersecurity posture.

DORA requires financial institutions to report ICT-related incidents to the authorities in a timely manner. The number of users affected, the amount of data lost, the geographical distribution, the economic impact, and other factors should be disclosed. The incident response plan should also include a clear description of how personnel will respond in the event of a cyberattack, as well as how operations would be restored in the event of a breach.

Continuous monitoring of your cybersecurity posture will keep your organisation informed of emerging threats, allowing it to resolve issues as soon as they arise. This includes regularly monitoring and reviewing your third-party vendors' security posture to discover any changes or vulnerabilities that may affect your organisation's overall risk profile.

DORA will require that third-party risk be managed as an integral component of total ICT risk, in order to ensure that providers will support your company in the event of a cybersecurity incident and comply with stricter security standards. As a result, organisations must periodically review and manage these partnerships in order to gain rapid visibility, watch for red flags, and keep an eye on essential supply chain providers.