Financial Services Cyber Compliance Is About To Get Harder

Uploaded on 2023-07-06 in FREE TO VIEW, BUSINESS-Services-Law

For many financial businesses, the industry of compliance is becoming more and more complex. You just finish looking at one regulation to ensure you are compliant, then along comes the next.  
 
With the huge increase in cyber security threats that all companies are facing, and the tightening of cyber insurance criteria, DORA (the EU’s Digital Operational Resilience Act) is one set of regulations financial companies need to be on top of now, even though they don’t come into force until January 2025. 
 
DORA steps up cyber security and operational processes to guard critical financial systems from all interruptions. Its purpose is to strengthen the operational resilience of the financial sector and ensure continuity of critical services so that incidents like the 2018 TSB fiasco can’t be repeated. TSB paid out £48 million to the PRA and the FCA plus £33 million to compensate over five million customers when an IT migration left customers locked out of their accounts. 
 
DORA revolves around the five pillars of: 

  • Risk management.  
  • Incident reporting.  
  • Digital operational resilience testing.  
  • 3rd party risk management.  
  • Sharing information about cyber security threats.  

The EU sees the regulations as necessary to protect financial institutions that are increasingly digitising their services and working with critical third parties like cloud services and data analytics providers. Without a proper framework for operational resilience, they believe one single IT incident could potentially destabilise the EU’s entire financial system. DORA is designed to prevent this and it applies to all companies in the financial services sector, from banking to investment and crowdfunding. 
 
So, its good news for consumers but businesses have just under two years to prepare.  
 
And UK companies can’t avoid it – for DORA’s reach extends to basically any enterprise offering information and communications technology (ICT) services that is considered critical to the supply chain supporting the European financial sector — regardless of whether that enterprise or service is based inside the EU. In fact, under DORA, the complexity of your supply chain or the lack of actual EU presence are considered further risk factors. It’s also likely a UK-equivalent to DORA will become law here. 
 
So, what should you be doing to start preparing for DORA? Here are some simple steps to take right now: 

Scope The Project  

First, it’s important to appoint a DORA project team who will be responsible for looking at the detail of the regulations and establishing how far reaching they are for your organisation. They should then start to define the scoop of the project for your organisation within the context of the risks you are likely to come across as a business. And I would recommend you have a team of people from across different parts of your business including, legal, IT and procurements with a project leader who reports into the board.  

Mitigate Risks Existing Software & Infrastructure 
 
From an IT perspective it will be important for your IT department to establish what risks your organisation currently has that puts them at risk of not meeting the DORA regulations. For example, within your existing software and infrastructure how vulnerable are you to cyber-attack? What legacy apps are you using and are they safe? Is your existing network vulnerable to attack? How good is your data storage? Do you have immutable backup and tried and tested recovery systems in place? Once a risk assessment has been undertaken, a roadmap for any changes with timescales needs to be agreed and regular penetration testing and patching undertaken.  

Adopt Monitoring & Threat Detection Tools 

Critical to being compliant to DORA regulations will be to ensure you have the right layers of technology in place to mitigate day-to-day operational risks. This may mean adopting new monitoring technology that can assess your risks in real-time and take immediate action should a problem occur. By putting in the right controls now you will save yourself time in the long run. Having complete visibility in real time of what is happening across your IT estate will be essential. And don’t forget to assess your risk in terms of how you use third parties – they will also need to be able to demonstrate complete visibility across all your suppliers and supply chain to ensure you are fully compliant.  
 
Ideally, your IT or managed services provider will ensure you have no legacy systems that rely on less up-to-date technology and could compromise your operational resilience. They should also offer cybersecurity expertise, data storage and processing capabilities across a range of availability zones and geographic regions to ensure you are meeting all the requirements. Having the right technology in place will enhance the ability of your organisation to withstand and quickly recover from disruption   

Implement Best Practice End User Training  

Employees – albeit unwittingly – are still the most frequent point of failure for security in organisations. By providing high-quality, regular user training and implementing layers of technology to mitigate day-to-day operational risks from phishing attacks or ransomware is critical. Without the right type of training and internal fostering of a culture of zero trust, all your hard work can just slip away because of human error. And just as cyber threats change daily so training should be ongoing and engaging to ensure the best protection.   

Gain Visibility Of Third-Party Suppliers 

 You will need to have visibility of third-party supplier risks and ask them to demonstrate the appropriate steps they are putting in place to protect your infrastructure and address risks and threats in a timely manner. While ICT services offered by third parties, such as Cloud Service Providers (CSPs), can be more resilient than individual firms’ and financial institutions own ICT infrastructure this is not a given. You will need to check and confirm they can comply to DORA.  
 
Also, it’s good to be aware now that DORA may require a multi-cloud strategy to avoid dependence on one provider. This adds resiliency because one network can failover to the other. 

Start Your Gap Analysis 

We recommend you start assessing through gap analysis how much more your organisation needs to do to comply in three key areas: 

  • Internal threat-led penetration testing (TLPT) where capable 
  •  External TLPT three times per year where applicable 
  • Closer management of third-party risks i.e. cloud services providers. 

 As part of the FCA’s, the Bank of England’s and the PRA’s operational resilience policies that came into force in March 2022, you should have already identified important business services and set impact tolerances and commenced a programme of scenario testing. The PRA has conducted an initial assessment of firms’ implementation of the policy and provided feedback of the results. This year the PRA is working closely with the FCA to assess firms’ progress, with a focus on their ability to deliver important business services within impact tolerances through severe but plausible scenarios within a reasonable time frame and by no later than March 2025.  
 There is no silver bullet to achieve DORA compliance. It needs to be a corporate imperative, led from the top down. With the CEO supporting the CISO to ensure the wider business adheres to the rules by adopting the necessary training, updating processes, and implementation of the right technology. 
 
It’s likely that the regulatory authorities will be able to demand evidence of business resilience of all financial institutions and their third-party suppliers. They may even require organisations to undertake resilience testing and participation in sector-wide exercises and commission skilled person reviews of critical third parties – so starting your DORA preparations now will ensure you are one step ahead.  

Simon Paterson is CISO at CSI Ltd 

You Might Aso Read:

Cyber Security & The  Financial Services Industry:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Twitter Hacker Goes To Jail
Nagoya Re-Opens After Ransom Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Social-Engineer

Social-Engineer

Social-Engineer is a team of outside–the–box thinkers that share a common focus on human-to-human social engineering.

Biscom

Biscom

Biscom offers solutions for secure file transfer, synchronization, file translation, and mobile devices, designed to deliver mission-critical reliability, streamline workflows and reduce costs.

SureCloud

SureCloud

SureCloud is a Governance, Risk and Compliance (GRC) and Cybersecurity Solutions provider.

MD5

MD5

MD5 is a leading UK provider of Digital Forensic & eDiscovery services to large multi-national corporate businesses, Law Enforcement & Government Agencies, high profile legal firms.

Science Applications International Corporation (SAIC)

Science Applications International Corporation (SAIC)

SAIC is a premier technology integrator in the technical, engineering, intelligence, and enterprise information technology markets. Services and solutions include Cybersecurity.

InPhySec

InPhySec

InPhySec is a leading New Zealand information, physical and cyber security company.

ACM-CCAS

ACM-CCAS

ACM is a UKAS-accredited certification body helping businesses around the world perform to a higher standard. Our certifications include ISO 27001 and ISO 22301.

Vietnamese Security Network (VSEC)

Vietnamese Security Network (VSEC)

Vietnamese Security Network (VSEC) is an information security company providing website vulnerability scanning and monitoring services.

WhiteHawk

WhiteHawk

WhiteHawk is the first online Cyber Security Exchange. We help you understand your cyber risk and match you to tailored and affordable solutions.

Cardonet

Cardonet

Cardonet is an IT Support and IT Services business offering end-to-end IT services, 24x7 IT Support to IT Consultancy, Managed IT and Cyber Security.

AutoSec

AutoSec

AutoSec supports the FFI program Electronics, Software and Communication by dissemination and exploitation of the results of projects related to automotive cybersecurity.

Trace3

Trace3

Trace3 is a pioneer in business transformation solutions, empowering organizations to keep pace with the rapid changes in IT innovations and maximize organizational health.

Akto

Akto

Akto, the plug & play API security platform. Discover your APIs, run tests and find business logic vulnerabilities at ludicrous speed.

WPScan

WPScan

With WPScan, you'll be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes.

Manifest

Manifest

Manifest is a cybersecurity company dedicated to helping enterprises secure their software supply chains.

P3M Works

P3M Works

P3M Works delivers Cyber Security and Digital Transformation projects across both private and public sector clients.