The knowledge platform for the financial technology industry

A-Team Insight Blogs

DORA: Preparing the Pathway to Enhanced Operational Resilience


By David Turmaine, Head of International at Broadridge Consulting Services, and Maria Siano, Head of International Strategy at Broadridge.

Today’s digital world is increasingly complex, characterised by interconnected systems and data that is stored, and widely shared, online. Looking through a financial services lens, cyber threats and incidents are becoming more sophisticated, posing significant risks to financial stability and security.

The number of attack vectors has multiplied in line with the growing reliance on technology and associated spike in remote and decentralised working since the pandemic. A recent survey by the BCI, the global body for resilience professionals, revealed three-quarters of respondents had seen a rise in attempted breaches over the last year, with nearly 40% the victim of a successful cyber-attack.

The system modernisation and digitalisation journey that firms around the world are now undertaking, often to align with market developments such as the shortening of the settlement cycle to T+1, is filled with risks – which has led to a heightened regulatory focus on cybersecurity and operational resilience.

Against this backdrop, the EU’s Digital Operational Resilience Act (DORA) has come into force and in-scope firms – such as banks, investment firms, and designated fintechs – must be compliant from January 17, 2025.

DORA seeks to establish a clearer foundation for security and operational resilience in the financial services sector, while also aligning with other EU measures on cybersecurity and data. It is the most comprehensive resilience regulation yet seen in this space, but the same thinking is reflected in other jurisdictions around the world, with regulators increasingly demanding that financial institutions bolster their operational resilience.

Japan, for example, has introduced the Economic Security Promotion Act (ESPA), whilst the Australian Prudential Regulation Authority (APRA) has published a new Prudential Standard (CPS 230 Operational Risk Management) that will direct how regulated entities manage operational risks, resilience, and business continuity. In July 2023, the US Securities and Exchange Commission (SEC) adopted rules requiring registrants to disclose material cybersecurity incidents.

What are the main components of DORA?

DORA is the most in-depth regulation to date aimed at strengthening cybersecurity amongst financial institutions.

It is seen as a means of compelling more firms to work internally, and with their third-party information and communications technology (ICT) service providers, to improve their threat assessments, cyber incident management, and overall resilience. It is also a positive step towards a more harmonised EU framework that will enhance the digital operational resilience of financial services across the region whilst preventing widespread contagion that could undermine the financial stability of the bloc.

DORA is structured around five pillars, which cover governance, resiliency, incident management, and reporting. A common thread is the protection of data as it passes through both a financial institution and then the ecosystem around it, such as vendors.

The first pillar is ICT risk management, which mandates firms to implement robust risk management practices for their systems to prevent cyber-attacks and disruptions. They must also develop and maintain effective recovery and continuity plans to ensure the uninterrupted provision of critical financial services in the event of a cyber incident.

The second pillar is incident management, with DORA requiring entities to establish and maintain robust mechanisms for identifying, classifying, and recording incidents. Additionally, financial institutions will be required to report significant incidents to regulators within a tight timeframe to ensure timely responses and coordination.

The third pillar is digital operational resilience testing, and here we see some of the newer demands that firms must now quickly familiarise themselves with. Firms must conduct regular resilience testing to verify the effectiveness of their digital resilience strategies, and this includes advanced threat-led penetration testing at least every three years to address higher levels of risk exposure. Test results will need to be sent to the regulator for validation and approval.

The fourth pillar relates to third-party risk management and oversight. Recognising that the digital operations of many organisations are closely intertwined with third-party providers, DORA puts an emphasis on managing the risks associated with these external partners. Firms will be expected to conduct enhanced due diligence on their providers and include provisions in their contracts to ensure the providers also comply with strict digital resilience standards.

The final pillar outlines the importance of sharing information and intelligence about cyber threats and vulnerabilities amongst organisations. By creating a more collaborative environment, the hope is firms can tap into a wealth of knowledge and experiences, building their capacity to predict and address challenges. This collective understanding can foster the creation of effective policies and proactive strategies, ultimately improving the digital resilience of individual organisations and the financial industry as a whole.

The key steps to building operational resilience

DORA will place further pressure on firms to implement better cybersecurity measures and bolster their operational resilience in the coming years, but it is already front of mind for many in the financial services industry.

Broadridge’s 2024 Digital Transformation & Next-Gen Technology Study highlighted that in the next two years, financial firms will boost their investments in cybersecurity by nearly a third (28%). Furthermore, cybersecurity is the top capability that executives expect from their technology vendors, outpacing their ability to deliver projects on time and on budget.

As we look towards the DORA compliance date next January, what steps should firms be taking to build up their operational resilience?

It is crucial to assess existing business practices and processes, and identify the gaps, when it comes to meeting the DORA requirements. This will enable firms to create a robust roadmap for compliance whilst implementing stronger ICT risk management practices.

The first thing for firms to do is to ensure they fully digest and understand the regulation, and how it impacts their business model. They can then correlate that against what is already in place for their operational resiliency. Firms then need to identify their risk factors and map them against DORA, as well as their existing enterprise risk framework.

These steps will allow firms to carry out their remediation planning effectively. Resiliency in the past has typically been quite inward looking, with a focus on ensuring a firm's own house is in order. DORA shifts the dial: firms will now be mandated to extend this externally across third-party vendors and strategic partners, analysing the critical paths for their critical functions, whether that is trade data, settlement data, or any other element.

Firms will need a complete line of sight so they can take an informed risk decision on each of their current resiliency stances and provisions in order to make sure they are compliant with DORA.

For larger firms, sheer size will make the risks harder to locate. They will often have hundreds of internal applications and platforms to dissect in order to understand the interdependencies and find the critical paths that hold the data. They will also need to ascertain the risks across their vendor community.

For smaller firms, the challenge will be finding the right people to guide this, who can do it alongside their day job. They may struggle to get this project shaped and delivered on time, and they should not underestimate the resources needed to do a thorough analysis and then implement the changes DORA requires. They will also need to ensure ongoing regulatory compliance, which can be costly.

Continuous improvement is an objective of DORA. Some elements of the regulation are prescriptive in terms of duration and frequency – such as annual testing of all critical ICT systems, and the advanced threat-led penetration testing every three years. But it will also be important for firms to make sure they refer back to the regulation and remain compliant whenever they change their IT footprint by acquiring new technology, which potentially introduces new vulnerabilities.

Unlocking new benefits

Whilst the journey towards DORA compliance is complex, it is also one that can unlock significant benefits for ambitious financial services firms.

This includes improved cyber defences: DORA will help financial institutions to enhance their cybersecurity measures and protect their critical systems and data from increasingly sophisticated cyber threats.

By improving long-term operational resilience, DORA can also help to reduce the financial impact of cyber incidents and other disruptions, ultimately saving organisations from costly recovery efforts.

Financial firms can instil greater confidence amongst their customers and stakeholders by demonstrating their ongoing commitment to safeguarding digital assets and services. And, perhaps most importantly, given the increased interconnectivity of firms, DORA can drive greater resiliency across financial markets as a whole. It can help to safeguard the stability of the whole, as well as its parts.
