DORA Fast Track Compliance

DORA (Digital Operational Resilience Act) is imminent and aims to ensure that all entities in the financial system have the appropriate safeguards in place to mitigate cyber attacks. This legislation will require firms to ensure that they can withstand all types of ICT (Information Communications Technology) related disruptions and threats. This is essentially the European Union’s attempt to streamline the third-party risk management process across financial institutions.

This new regulation will require banks and firms in the global financial industry to ensure that their third-party risk management programs include cybersecurity requirements, in particular for the critical ICT service providers they work with.

All financial service firms and ICT vendors, regardless of size or complexity, will be included within DORA’s guidelines. There are measures for “proportionality”, and therefore an increased burden on more complex and larger providers.

DORA has bite! It provides for administrative penalties on third-party providers of 1% of average daily worldwide turnover for non-compliance. Member states can also choose to impose harsher sanctions under national law.

DORA will require all organisations to implement cyber risk management strategies and third-party risk management programs.

DORA has five key pillars:

• ICT Risk Management
• ICT Incident Reporting
• Digital Operational Resilience Testing
• Information and Intelligence Sharing
• ICT Third Party Risk Management

DORA also aligns with the UK’s Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) requirements in relation to cyber resilience. For UK entities, this effectively requires them to also adhere to the guidelines provided by the European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).

Cyber Resilience in the Financial Sector

Last year we saw regulators issuing substantial 7-figure fines in relation to poor cyber resilience.

“Cyber resilience can be defined as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources” Central Bank of Ireland

The ECB (European Central Bank) outlined its expectations in “Cyber Resilience Oversight Expectations for Financial Market Infrastructures” in Dec 2018.

The financial sector is interconnected and interdependent. The threat landscape is compounded by geopolitical tensions, holistic global supply chain challenges and the impact of Covid, including increased teleworking and the acceleration of digitalisation.

These factors are driving the focus of legislation and regulators on to the core subject of cyber resilience.

European cyber initiatives in the finance sector are grouped according to topics defined in the Cyber Security Act June 2019. These initiatives are aligned with the forthcoming CER (Critical Entities Resilience) Directive and the expanded NIS 2 (Network Information Systems) Directive, which, once adopted, require transposing into law within 18 months.

“the ability of an organisation to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents.” Financial Stability Board

So what should you be doing?

“Most supervisors leverage previously developed national or international standards – principally the NIST framework” Basel Committee on Banking Supervision

CRI Ransomware Risk Management

The NIST Cyber Security Framework is one of the most effective ways to protect your organisation from becoming a victim of a ransomware attack. NIST have also recently released a preliminary draft “Cybersecurity Framework Profile for Ransomware Risk Management”.

CyberPrism Enterprise from CRI (Cyber Risk International) is an award-winning cyber risk assessment and risk management tool. Join Paul C Dwyer, CEO of CRI, as he outlines how you can leverage the NIST guidance to “Be Prepared NOT Scared”.

CyberPrism has met the challenge in relation to ransomware and now features a threat analysis dashboard that can analyse your cyber risk framework and measure your ability to prevent, detect, respond to and recover from a ransomware attack.

Cyber Resilience in the Financial Sector

Christine Lagarde, the President of the European Central Bank (ECB), has warned that a cyberattack on a major financial institution could trigger a liquidity crisis.

On Feb 5th 2020, Lagarde said that any significant operational outages that encrypted or destroyed account balances could trigger a liquidity crisis.

“History shows that liquidity crises can quickly become systemic crises”

“The ECB is well aware that it has a duty to be prepared and to act pre-emptively.”

During her speech, Lagarde went on to reference the ESRB (European Systemic Risk Board) report that contains estimates of global cyber attacks that could be in the region of €500 billion. The ECB itself, and of course the global financial sector, are no strangers to cyber attacks and will continue to be a massive target for cyber threat actors. The impact of Covid-19 on society and the sector has shifted the inherent cyber risk of most institutions and provided opportunities for OCGs (Organised Crime Groups). The sector must therefore raise its game and work together to build defences and a stronger ecosystem. Cyber resilience is key for the financial sector, and the ECB has articulated its minimum expectations. The leaders of the financial sector need to gain an understanding of the key issues and challenges so that they can develop appropriate strategies.

Your Weapon of Choice - A Cyber Assessment