Financial Services Cyber Compliance Is About To Get Harder

For many financial businesses, the industry of compliance is becoming more and more complex. You just finish looking at one regulation to ensure you are compliant, then along comes the next.  
 
With the huge increase in cyber security threats that all companies are facing, and the tightening of cyber insurance criteria, DORA (the EU’s Digital Operational Resilience Act) is one set of regulations financial companies need to be on top of now, even though they don’t come into force until January 2025.
 
 
DORA steps up cyber security and operational processes to guard critical financial systems from all interruptions. Its purpose is to strengthen the operational resilience of the financial sector and ensure continuity of critical services so that incidents like the 2018 TSB fiasco can’t be repeated. TSB paid out £48 million to the PRA and the FCA plus £33 million to compensate over five million customers when an IT migration left customers locked out of their accounts. 
 
DORA revolves around the five pillars of: 

  • Risk management.  
  • Incident reporting.  
  • Digital operational resilience testing.  
  • 3rd party risk management.  
  • Sharing information about cyber security threats.  

The EU sees the regulations as necessary to protect financial institutions that are increasingly digitising their services and working with critical third parties like cloud services and data analytics providers. Without a proper framework for operational resilience, they believe one single IT incident could potentially destabilise the EU’s entire financial system. DORA is designed to prevent this and it applies to all companies in the financial services sector, from banking to investment and crowdfunding. 
 
So, its good news for consumers but businesses have just under two years to prepare.  
 
And UK companies can’t avoid it – for DORA’s reach extends to basically any enterprise offering information and communications technology (ICT) services that is considered critical to the supply chain supporting the European financial sector — regardless of whether that enterprise or service is based inside the EU. In fact, under DORA, the complexity of your supply chain or the lack of actual EU presence are considered further risk factors. It’s also likely a UK-equivalent to DORA will become law here. 
 
So, what should you be doing to start preparing for DORA? Here are some simple steps to take right now: 

Scope The Project  

First, it’s important to appoint a DORA project team who will be responsible for looking at the detail of the regulations and establishing how far reaching they are for your organisation. They should then start to define the scoop of the project for your organisation within the context of the risks you are likely to come across as a business. And I would recommend you have a team of people from across different parts of your business including, legal, IT and procurements with a project leader who reports into the board.  

Mitigate Risks Existing Software & Infrastructure 
 
From an IT perspective it will be important for your IT department to establish what risks your organisation currently has that puts them at risk of not meeting the DORA regulations. For example, within your existing software and infrastructure how vulnerable are you to cyber-attack? What legacy apps are you using and are they safe? Is your existing network vulnerable to attack? How good is your data storage? Do you have immutable backup and tried and tested recovery systems in place? Once a risk assessment has been undertaken, a roadmap for any changes with timescales needs to be agreed and regular penetration testing and patching undertaken.  

Adopt Monitoring & Threat Detection Tools 

Critical to being compliant to DORA regulations will be to ensure you have the right layers of technology in place to mitigate day-to-day operational risks. This may mean adopting new monitoring technology that can assess your risks in real-time and take immediate action should a problem occur. By putting in the right controls now you will save yourself time in the long run. Having complete visibility in real time of what is happening across your IT estate will be essential. And don’t forget to assess your risk in terms of how you use third parties – they will also need to be able to demonstrate complete visibility across all your suppliers and supply chain to ensure you are fully compliant.  
 
Ideally, your IT or managed services provider will ensure you have no legacy systems that rely on less up-to-date technology and could compromise your operational resilience. They should also offer cybersecurity expertise, data storage and processing capabilities across a range of availability zones and geographic regions to ensure you are meeting all the requirements. Having the right technology in place will enhance the ability of your organisation to withstand and quickly recover from disruption   

Implement Best Practice End User Training  

Employees – albeit unwittingly – are still the most frequent point of failure for security in organisations. By providing high-quality, regular user training and implementing layers of technology to mitigate day-to-day operational risks from phishing attacks or ransomware is critical. Without the right type of training and internal fostering of a culture of zero trust, all your hard work can just slip away because of human error. And just as cyber threats change daily so training should be ongoing and engaging to ensure the best protection.   

Gain Visibility Of Third-Party Suppliers 

 You will need to have visibility of third-party supplier risks and ask them to demonstrate the appropriate steps they are putting in place to protect your infrastructure and address risks and threats in a timely manner. While ICT services offered by third parties, such as Cloud Service Providers (CSPs), can be more resilient than individual firms’ and financial institutions own ICT infrastructure this is not a given. You will need to check and confirm they can comply to DORA.  
 
Also, it’s good to be aware now that DORA may require a multi-cloud strategy to avoid dependence on one provider. This adds resiliency because one network can failover to the other. 

Start Your Gap Analysis 

We recommend you start assessing through gap analysis how much more your organisation needs to do to comply in three key areas: 

  • Internal threat-led penetration testing (TLPT) where capable 
  •  External TLPT three times per year where applicable 
  • Closer management of third-party risks i.e. cloud services providers. 

 As part of the FCA’s, the Bank of England’s and the PRA’s operational resilience policies that came into force in March 2022, you should have already identified important business services and set impact tolerances and commenced a programme of scenario testing. The PRA has conducted an initial assessment of firms’ implementation of the policy and provided feedback of the results. This year the PRA is working closely with the FCA to assess firms’ progress, with a focus on their ability to deliver important business services within impact tolerances through severe but plausible scenarios within a reasonable time frame and by no later than March 2025.  
 There is no silver bullet to achieve DORA compliance. It needs to be a corporate imperative, led from the top down. With the CEO supporting the CISO to ensure the wider business adheres to the rules by adopting the necessary training, updating processes, and implementation of the right technology. 
 
It’s likely that the regulatory authorities will be able to demand evidence of business resilience of all financial institutions and their third-party suppliers. They may even require organisations to undertake resilience testing and participation in sector-wide exercises and commission skilled person reviews of critical third parties – so starting your DORA preparations now will ensure you are one step ahead.  

Simon Paterson is CISO at CSI Ltd 

You Might Aso Read:

Cyber Security & The  Financial Services Industry:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 


Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Twitter Hacker Goes To Jail
Nagoya Re-Opens After Ransom Attack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CDW

CDW

CDW is a leading multi-brand provider of information technology solutions to business, government, education and healthcare customers in the United States, the United Kingdom and Canada.

French Expert Center Against Cybercrime (CECyF)

French Expert Center Against Cybercrime (CECyF)

CECyF is a centre of excellence for countering cybercrime in France.

SecurePay

SecurePay

SecurePay is Australia's premier payment gateway, with a range of secure online payment solutions for online retailers, SMEs and enterprise businesses.

BitSight Technologies

BitSight Technologies

BitSight transforms how companies manage information security risk with objective, verifiable and actionable Security Ratings.

Datec PNG

Datec PNG

Datec is the the largest end-to-end information and communications technology solutions and services provider in Papua New Guinea.

Extreme Protocol Solutions (EPS)

Extreme Protocol Solutions (EPS)

Extreme Protocol Solutions is an industry leading Data Sanitization Software, Hardware and Onsite Service Provider.

Asia Data Destruction (ADD)

Asia Data Destruction (ADD)

ADD is the leading IT Assets Disposal and Data Destruction Company in Thailand.

JobStreet.com

JobStreet.com

JobStreet is one of Asia’s leading online employment marketplaces in Malaysia, Philippines, Singapore, Indonesia and Vietnam.

Vizius Group

Vizius Group

The Vizius Group are a think tank of cybersecurity consultants who understand the mechanics and business value of risk reduction.

443ID

443ID

443ID brings OSINT data to Identity Security professionals on any digital platform.

Green Enterprise Solutions

Green Enterprise Solutions

Green Enterprise Solutions are a Namibian company providing Information and Communication Technology (ICT) services to corporate Namibia.

Gorilla Technology Group

Gorilla Technology Group

Gorilla specializes in video analytics, OT network security and big data to support a wide range of solutions for commercial, industrial, cities and government purposes.

Whitaker Brothers

Whitaker Brothers

Whitaker Brothers data destruction equipment can be found in 115 countries and every single continent in the world, from major military organizations to small offices.

Exodata

Exodata

Exodata is a French digital services company specializing in the outsourcing of IT Systems and solutions.

Digital Encode

Digital Encode

Digital Encode is a leading consulting and integration firm that specializes in the design, management, and security of business-critical networks, telecommunications, and IT infrastructures.

Badge

Badge

Badge authenticates you on-demand for every application, on any device, without storing any secrets.