DORA is coming: What do financial institutions need to prepare for the Digital Operational Resilience Act?

Christopher Gill is Governance, Risk Management, Compliance and Audit Specialist at ISMS.online

On average, UK businesses take 15.5 months to comply with a single regulation. So, companies need to start preparing for DORA now if they are to be ready when it applies from 17 January 2025.

But what is DORA?

Its full title is the Digital Operational Resilience Act (Regulation (EU) 2022/2554). It consolidates and extends the existing cybersecurity and operational resilience rules for financial services firms in the European Union, and it applies from January 2025.

The main objective of DORA is to ensure that every financial entity in the EU has adequate protection against cyber-attacks and other ICT-related risks, and can keep operating through them.

Part of this will mean organisations must demonstrate their resilience against ICT threats. DORA sets out explicit requirements for ICT risk management, ICT-related incident reporting, digital operational resilience testing and the monitoring of ICT third-party risk.

The regulation acknowledges that cyber-attacks and similar incidents can affect the entire financial system. So, the message for companies? Your ICT needs to be prepared. In fact, this legislation demands it.

Am I affected?

This new legislation will mainly affect financial institutions and their ICT third-party service providers (such as cloud platforms and data analytics providers).

Today, financial institutions address their main categories of operational risk largely through capital allocation. Under DORA, holding a "sufficient" level of capital against traditional risk categories will no longer be enough on its own.

Under DORA, financial institutions will be accountable for the operational risks arising from their ICT, and they will need to raise their resilience to meet DORA's rules on protecting against, detecting and containing ICT-related threats.

The aim is to prevent incidents such as the recent one at Capita. In March 2023, Capita suffered a security breach that exposed data held for pension schemes it administers, with members being informed that their data had been stolen. The attack on the outsourcer's administration services affected multiple private-sector pension funds.

What do financial institutions need to do?

Investing in training and infrastructure today is the best way to ensure consistent, future-proof growth tomorrow:

  • Invest

As the deadline for DORA compliance draws closer, businesses must increase information security spending to ensure they meet it on time. They will need to invest in the right technology, processes and people so that they can deliver a fast, effective response to any inbound cyber threat and remain compliant with the regulation.

  • Training from top to bottom

Businesses can only make good decisions, about technology or anything else, if the people in the organisation are well informed. That means senior members of the organisation must demonstrate sound leadership: they need to be ahead of the game and share what they know throughout the company if they want to build a robust security culture. After all, in a crisis, employees are the first and often the most vital line of defence. So they need to understand DORA, too, and the role they play in safeguarding data and critical assets.

  • Act fast

All financial entities in the EU have until 17 January 2025 to be DORA-compliant, which is less than 18 months away. It sounds like a long time. It is not. ISMS.online's recent "State of Information Security" report revealed that the average company takes 15.5 months to fully align its operations with any given regulation. That finding comes from 500 UK infosec managers, directors and C-level executives. So, time is of the essence.

What if I don't comply?

Businesses that do not invest and get ready for DORA will leave themselves exposed to more frequent cyber-attacks and more complex, wide-ranging breaches. Those attacks will arrive at a time when more people than ever rely on data and cloud services. One business's failure to act is a failure for all, because industrial-scale cybercrime thrives on the weakest link, and the cost to finances and reputation can be severe.

Moreover, compliance with DORA is obligatory. Failing to meet the regulation's requirements carries severe penalties for financial institutions and third parties alike. Financial institutions that contravene the regulation can face administrative penalties and remedial measures, and member states may additionally provide for criminal penalties depending on the severity of the breach. Competent authorities may also publish notices identifying the entity and the nature of the violation.

Critical ICT third-party providers, for their part, face the prospect of periodic penalty payments for non-compliance, imposed by the Lead Overseer on a daily basis. These payments can reach 1% of the provider's average daily worldwide turnover for the preceding business year, charged for each day of non-compliance for up to six months.

The hidden opportunity

This is good for financial institutions, too. Strong cybersecurity, far from being a burden, is a competitive asset for any organisation. Customers in today's digital, fast-paced business environment expect nothing less than sound information security, data privacy and cybersecurity. It is vital to customer satisfaction, and therefore to the success and longevity of a business.

It’s a virtuous circle.

Putting information security at the heart of a business is complex. But it is smart. And the most forward-thinking business leaders are acting on it right now.

The post DORA is coming: What do financial institutions need to prepare for the Digital Operational Resilience Act? appeared first on Finance Derivative.
