Financial Services Cyber Compliance Is About To Get Harder

Uploaded on 2023-07-06 in FREE TO VIEW, BUSINESS-Services-Law

For many financial businesses, the industry of compliance is becoming more and more complex. You just finish looking at one regulation to ensure you are compliant, then along comes the next.  
 
With the huge increase in cyber security threats that all companies are facing, and the tightening of cyber insurance criteria, DORA (the EU’s Digital Operational Resilience Act) is one set of regulations financial companies need to be on top of now, even though they don’t come into force until January 2025. 
 
DORA steps up cyber security and operational processes to guard critical financial systems from all interruptions. Its purpose is to strengthen the operational resilience of the financial sector and ensure continuity of critical services so that incidents like the 2018 TSB fiasco can’t be repeated. TSB paid out £48 million to the PRA and the FCA plus £33 million to compensate over five million customers when an IT migration left customers locked out of their accounts. 
 
DORA revolves around the five pillars of: 

  • Risk management.  
  • Incident reporting.  
  • Digital operational resilience testing.  
  • 3rd party risk management.  
  • Sharing information about cyber security threats.  

The EU sees the regulations as necessary to protect financial institutions that are increasingly digitising their services and working with critical third parties like cloud services and data analytics providers. Without a proper framework for operational resilience, they believe one single IT incident could potentially destabilise the EU’s entire financial system. DORA is designed to prevent this and it applies to all companies in the financial services sector, from banking to investment and crowdfunding. 
 
So, its good news for consumers but businesses have just under two years to prepare.  
 
And UK companies can’t avoid it – for DORA’s reach extends to basically any enterprise offering information and communications technology (ICT) services that is considered critical to the supply chain supporting the European financial sector — regardless of whether that enterprise or service is based inside the EU. In fact, under DORA, the complexity of your supply chain or the lack of actual EU presence are considered further risk factors. It’s also likely a UK-equivalent to DORA will become law here. 
 
So, what should you be doing to start preparing for DORA? Here are some simple steps to take right now: 

Scope The Project  

First, it’s important to appoint a DORA project team who will be responsible for looking at the detail of the regulations and establishing how far reaching they are for your organisation. They should then start to define the scoop of the project for your organisation within the context of the risks you are likely to come across as a business. And I would recommend you have a team of people from across different parts of your business including, legal, IT and procurements with a project leader who reports into the board.  

Mitigate Risks Existing Software & Infrastructure 
 
From an IT perspective it will be important for your IT department to establish what risks your organisation currently has that puts them at risk of not meeting the DORA regulations. For example, within your existing software and infrastructure how vulnerable are you to cyber-attack? What legacy apps are you using and are they safe? Is your existing network vulnerable to attack? How good is your data storage? Do you have immutable backup and tried and tested recovery systems in place? Once a risk assessment has been undertaken, a roadmap for any changes with timescales needs to be agreed and regular penetration testing and patching undertaken.  

Adopt Monitoring & Threat Detection Tools 

Critical to being compliant to DORA regulations will be to ensure you have the right layers of technology in place to mitigate day-to-day operational risks. This may mean adopting new monitoring technology that can assess your risks in real-time and take immediate action should a problem occur. By putting in the right controls now you will save yourself time in the long run. Having complete visibility in real time of what is happening across your IT estate will be essential. And don’t forget to assess your risk in terms of how you use third parties – they will also need to be able to demonstrate complete visibility across all your suppliers and supply chain to ensure you are fully compliant.  
 
Ideally, your IT or managed services provider will ensure you have no legacy systems that rely on less up-to-date technology and could compromise your operational resilience. They should also offer cybersecurity expertise, data storage and processing capabilities across a range of availability zones and geographic regions to ensure you are meeting all the requirements. Having the right technology in place will enhance the ability of your organisation to withstand and quickly recover from disruption   

Implement Best Practice End User Training  

Employees – albeit unwittingly – are still the most frequent point of failure for security in organisations. By providing high-quality, regular user training and implementing layers of technology to mitigate day-to-day operational risks from phishing attacks or ransomware is critical. Without the right type of training and internal fostering of a culture of zero trust, all your hard work can just slip away because of human error. And just as cyber threats change daily so training should be ongoing and engaging to ensure the best protection.   

Gain Visibility Of Third-Party Suppliers 

 You will need to have visibility of third-party supplier risks and ask them to demonstrate the appropriate steps they are putting in place to protect your infrastructure and address risks and threats in a timely manner. While ICT services offered by third parties, such as Cloud Service Providers (CSPs), can be more resilient than individual firms’ and financial institutions own ICT infrastructure this is not a given. You will need to check and confirm they can comply to DORA.  
 
Also, it’s good to be aware now that DORA may require a multi-cloud strategy to avoid dependence on one provider. This adds resiliency because one network can failover to the other. 

Start Your Gap Analysis 

We recommend you start assessing through gap analysis how much more your organisation needs to do to comply in three key areas: 

  • Internal threat-led penetration testing (TLPT) where capable 
  •  External TLPT three times per year where applicable 
  • Closer management of third-party risks i.e. cloud services providers. 

 As part of the FCA’s, the Bank of England’s and the PRA’s operational resilience policies that came into force in March 2022, you should have already identified important business services and set impact tolerances and commenced a programme of scenario testing. The PRA has conducted an initial assessment of firms’ implementation of the policy and provided feedback of the results. This year the PRA is working closely with the FCA to assess firms’ progress, with a focus on their ability to deliver important business services within impact tolerances through severe but plausible scenarios within a reasonable time frame and by no later than March 2025.  
 There is no silver bullet to achieve DORA compliance. It needs to be a corporate imperative, led from the top down. With the CEO supporting the CISO to ensure the wider business adheres to the rules by adopting the necessary training, updating processes, and implementation of the right technology. 
 
It’s likely that the regulatory authorities will be able to demand evidence of business resilience of all financial institutions and their third-party suppliers. They may even require organisations to undertake resilience testing and participation in sector-wide exercises and commission skilled person reviews of critical third parties – so starting your DORA preparations now will ensure you are one step ahead.  

Simon Paterson is CISO at CSI Ltd 

You Might Aso Read:

Cyber Security & The  Financial Services Industry:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Twitter Hacker Goes To Jail
Nagoya Re-Opens After Ransom Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DLA Piper

DLA Piper

DLA Piper is a global law firm with offices throughout the Americas, Asia Pacific, Europe and the Middle East. Practice areas include Cybersecurity.

Atlantic Council

Atlantic Council

The Atlantic Council's Cyber Statecraft Initiative focuses on international cooperation, competition, and conflict in cyberspace.

Korea Internet & Security Agency (KISA)

Korea Internet & Security Agency (KISA)

KISA is committed to improving the competitiveness, reliability and security of Internet information and knowledge in Korea.

Telia Cygate

Telia Cygate

Cygate are specialists in information security, data networks, and data centre and cloud technologies.

Norwegian Information Security laboratory (NISlab)

Norwegian Information Security laboratory (NISlab)

NISlab conducts international competitive research in information and cyber security and operates study programs in this area.

InnoSec

InnoSec

InnoSec is a software manufacturer of cyber risk management technology.

SwiftSafe

SwiftSafe

SwiftSafe is a cybersecurity consulting company providing auditing, pentesting, compliance and managed security services.

RiskRecon

RiskRecon

RiskRecon makes it easy to gain deep, risk contextualized insight into the cybersecurity risk performance of all of your third parties.

Southwest Research Institute (SwRI)

Southwest Research Institute (SwRI)

Southwest Research Institute SwRI are R&D problem solvers providing independent services to government and industry clients. Areas of expertise include Cybersecurity, Intelligent Networks and IoT.

CyberClan

CyberClan

CyberClan’s carefully selected team of experts is capable of solving complex cyber security challenges – keeping your data secure and your businesses running as usual.

British Security Industry Association - CySPAG

British Security Industry Association - CySPAG

CySPAG is a special interest group within the British Security Industry Association (BSIA) focused on reducing the risk of product related cybercrime.

Hunton Andrews Kurth

Hunton Andrews Kurth

Hunton Andrews Kurth LLP serves clients across a broad range of complex transactional, litigation and regulatory matters. Practice areas include Privacy and Cybersecurity.

Xopero Software

Xopero Software

Xopero Software develops a comprehensive range of professional tools for protecting and restoring critical business data.

WithSecure

WithSecure

WithSecure (formerly F-Secure Business) is your reliable cyber security partner, providing outcome-based cyber security that protects and enables operations.

Arista Middle East

Arista Middle East

Arista Middle East is part of Global Arista Technologies specializing in OT Cybersecurity.

Siguria Kibernetike (Cyber Security)

Siguria Kibernetike (Cyber Security)

Siguria Kibernetike is a company based in Tirana that offers full service in the field of cyber and physical security.