Third-party risk and resilience in DORA

Secure vault

In February 2016, it was reported that threat actors exploited vulnerabilities in the SWIFT banking network to steal more than $80 million from the central bank of Bangladesh. SWIFT, the global financial system’s main electronic payment system, which processes billions of dollars of transactions every day, was unprepared for the threat of a major cyber attack. The incident served as a pivotal wake-up call for the entire financial services industry, highlighting the previously underestimated systemic risks posed by unsecured systems. It reinforced the need for stronger security controls, safeguards and a more proactive approach to cybersecurity across the sector.

Today, organizations understand that it’s a matter of when -- not if -- their organization or supply chain is targeted with a cyber attack. Threats continue to increase in sophistication and frequency, particularly when it comes to ransomware.

The goal of ransomware attacks is to steal or deny valuable data with the aim to extort organizations to pay to get it back, or stop them from releasing it. The amount of ransom is proportionate to how valuable the data is, and with any industry that handles personal identifiable information (PII), the potential impacts and penalties are very high. It’s why the finance sector is one of the highest profile targets, with individual and business’ account information highly sought after.

In part, because of this, the European Union announced the Digital Operational Resilience Act (DORA), to help the European financial sector pre-emptively weather-the-storm of severe cyber disruption.

What is DORA?
The main objective of DORA, which goes into effect on 17th January 2025, is to address cyber risk management in the financial services sector, and unify the disparate network of regulations that already exist in member states across the EU. This often creates confusion for multinational financial institutions, leading to regulatory gaps, overlaps, and conflicts that increase their vulnerability.

Navigating this complex web of rules is critical to safeguarding their operations and ensuring compliance. DORA covers four main areas:

●       Security Risk Management and Governance

●       Incident Response and reporting

●       Digital operational resilience testing

●       Third-party risk management

The first area, security risk management and governance, is designed to make an organization’s management team responsible for the security of its systems. The senior leadership team of the organization is expected to have up-to-date knowledge of the cyber risk landscape, define necessary risk management strategies, and assist in executing them. Board and executive level members are accountable and can also be held responsible for a failure to comply with DORA.

Second, DORA defines what classes as a cyber incident, and whom an organization should report to in the event of a breach. This is to ensure that financial institutions accurately and quickly report the details of an incident to the correct authorities, and unify this process across EU member states. DORA also enforces that organizations put in place systems for monitoring, managing, logging, classifying and reporting cyber incidents.

Third, DORA aims to ensure that financial institutions regularly test their security protocols, and make sure any vulnerabilities are discovered and patched before they can be taken advantage of. This includes carrying out basic tests once a year, such as vulnerability assessments. Organizations that are deemed to play a critical role in the financial ecosystem are also expected to carry out penetration testing once every three years.

Finally, financial institutions under DORA are expected to take an active role in managing their third-party cyber risk posture. Threat actors often exploit weaker links within a supply chain, targeting less secure organizations as an entry point. From there, they move laterally, infiltrating larger, more valuable companies, and putting the entire ecosystem at risk. This tactic underscores the importance of fortifying every part of the supply chain.

Financial institutions require third parties to provide vital services, which extends the attack surface considerably. DORA mandates that financial firms only work with third parties that can secure their systems, while also preventing over-reliance on a small group of providers for critical functions.

Steps to take before DORA becomes law
While the specifics of DORA are still being finalized, businesses can take certain steps to prepare for potential compliance requirements.

Companies must stay informed of any developments related to DORA and any guidelines or requirements that may be issued. Understanding the implications of the legislation and the steps needed to achieve compliance is the best way to ensure compliance.

Another key activity that can be done before January 2025 is to thoroughly assess current resilience capabilities and identify any areas that may need improvement to align with the expected requirements of DORA. Identifying gaps early on and establishing activities to address and mitigate risks will go a long way in preparing for DORA.

There are also other frameworks like ISO27001, NIST 2, and CIS18 that can be valuable for organisations looking to enhance their cybersecurity posture and align with the likely requirements in DORA. These frameworks provide a structured approach to information security management, risk assessment, and compliance, helping organizations establish robust security controls and practices.

UK businesses aren’t exempt from DORA, either. Although not an EU member state, companies within the UK need to be abreast of how it affects them, particularly if they are engaged with EU entities and customers. The upcoming UK Cyber Security and Resilience Bill, due for release in 2025, will set out the legislative conditions for UK based companies to comply with.

Using DORA to help strengthen resilience
It is important for organizations not to view DORA as simply a tick-box exercise – it will have wide-ranging operational and security implications for how businesses operate. Instead, it should be seen as an opportunity and revenue-driver, enabling businesses to offer increasingly secure and resilient solutions.  

This will not only ensure that organizations will avoid being fined for non-compliance, but will also protect critical systems against breaches -- and give them an edge over less resilient competitors.

Image credit: alphaspirit / depositphotos

Leigh Glasper is Director, Cyber Advisory at BlueVoyant

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.