Profits and Losses: How DORA Strengthens Financial Services Firms in the EU Before It’s Too Late

January 23, 2025

Leigh Glasper

Director of GRC


The Digital Operational Resilience Act (DORA) came into effect across the EU on January 17. This new regulation aims to fortify the cyber security defences of financial services firms and their suppliers against digital threats. Understanding DORA is crucial for businesses, as it unifies cyber security regulations, reducing vulnerabilities and ensuring compliance. In this blog, we'll explore what DORA entails, its key components, and its implications for both EU and UK-based financial institutions.

Understanding DORA

DORA is designed to strengthen the cyber security defences of the EU’s financial sector through rigorous risk management standards. The regulation addresses cyber risk management and unifies existing regulations across EU member states, which helps multinational institutions avoid regulatory confusion and gaps. 

Key Areas of DORA Implementation 

  1. Security Risk Management and Governance: DORA mandates that management teams are responsible and accountable for their organisation’s cyber security. Senior leadership must stay informed about cyber risks, define strategies, and ensure execution. Accountability extends to board and executive members.  
  2. Incident Response and Reporting: The regulation defines cyber incidents and standardises reporting protocols across the EU. Organisations must have systems for monitoring, managing, and reporting incidents to the appropriate national authorities. 
  3. Digital Operational Resilience Testing: Financial institutions are required to regularly test their security protocols. This includes annual vulnerability assessments and, for critical institutions, penetration testing at least every three years. 
  4. Third-Party Risk Management: DORA emphasises managing third-party cyber risks. Financial institutions must work with a range of secure third-party providers and avoid over-reliance on a few critical service providers. 

Impact of Noncompliance

Noncompliance with DORA can result in substantial fines: up to 2% of annual global turnover for companies and up to €1,000,000 for individuals. In-scope third-party providers can face fines of up to €5,000,000 for the provider and €500,000 for individuals, respectively. 

Lessons for the UK 

UK-based financial services organisations must stay informed about DORA, especially if they interact with EU entities and subjects. The UK is expected to bring the Cyber Security and Resilience Bill to Parliament (expected sometime in 2025), which will be compatible with DORA and other new EU regulations. 

Third-Party Risk Management and BlueVoyant's Role in DORA Compliance 

The management of relevant third parties and their associated cyber risks is a critical component of DORA. Specifically, the regulation requires financial institutions to do the following: 

  1. Identification and Criticality Assessment: Organisations must identify all third-party digital service providers and evaluate their criticality, which includes assessing the potential impact on operational resilience. 
  2. Contractual Obligation and Due Diligence: Organisations should assess pertinent providers’ ability to manage ICT risks as well as establish robust contractual provisions that manage and mitigate those risks effectively. 
  3. Ongoing Monitoring: Implement continuous monitoring and assessment of germane third-party cyber security practices throughout the duration of their relationship, including tracking changes in risk profiles. 
  4. Vendor Oversight and Response: Ensure applicable third-party providers adhere to high cyber security standards to prevent vulnerabilities and report ICT-related incidents in a timely manner. 
  5. Contingency Planning and Dependency Analysis: Maintain a balanced reliance on multiple service providers to prevent over-dependence on a few critical vendors, as well as having contingency plans to address potential incidents. 

BlueVoyant's Supply Chain Defence (SCD) solution is designed to help address these requirements and deliver holistic and measurable risk reduction. SCD provides financial institutions with the tools necessary for effective compliance, including: 

  1. Accurate Digital Mappings and Vendor Prioritisation: SCD’s risk monitoring is based on accurate, analyst-validated digital mappings of an organisation’s supply chain, ensuring illumination of all third-party connections. Contextualised risk scores then help prioritise the criticality of third parties for effective monitoring. 
  2. Contractual Insights and Automated Assessments: SCD’s questionnaire management platform documents all risk assessments and vendor agreements, automating the distribution and evaluation of due diligence questionnaires to ensure that vendor security postures are accurately tracked.  
  3. Analyst-Empowered Continuous Monitoring: BlueVoyant’s Risk Operations Center (ROC) provides continuous monitoring for the full spectrum of supply chain vendors, augmented by advanced analytics, including rapid notification and response for newly disclosed zero-day vulnerabilities. 
  4. Directed Remediation and Response: SCD engages directly with third-party vendors through the ROC to ensure they adhere to high cyber security standards. ROC analysts work directly with third parties to drive rapid response all the way through to remediation of identified issues. 
  5. Vendor Dependency Analysis and Scenario-Based Planning: SCD allows organisations to analyse their fourth-party connections, including third parties’ dependencies on specific hardware, software and application providers. This additionally empowers contingency and scenario-based planning to identify the extent of impact if a given service were to be disabled or affected. 

Steps to Prepare for DORA

To prepare for DORA, organisations should: 

  • Stay up to date on DORA developments and guidelines 
  • Assess current resilience capabilities and identify areas for improvement 
  • Consider internationally recognised security frameworks such as ISO27001, NIST 2, or CIS18 to develop their cyber security posture and align with the requirements in DORA 

Conclusion

DORA represents a significant shift in how financial services firms must approach cyber security, emphasising the importance of comprehensive risk management and third-party oversight. By proactively aligning with DORA’s requirements, organisations can not only ensure compliance but also enhance their operational resilience against cyber threats.  

If you need guidance on meeting DORA compliance standards or support in implementing them, contact us.  

Source: https://www.digit.fyi/comment-third-party-risk-and-resilience-in-dora-cybersecurity/ 
