The Digital Operational Resilience Act (DORA) is an upcoming set of EU regulations that will govern how financial service institutions (FSIs) and the organizations that provide services to better understand and manage cyber risk.
Almost the entire European trading FSI sector, including banks, insurers, and crypto brokers, will be covered by DORA to some degree. They will need to consider resilience as a core security and business goal.
What is the purpose of the Digital Operational Resilience Act?
DORA has five core pillars:
- Risk Management: FSIs need to put in place an information security risk management framework such as NIST.
- Incident Management and Reporting: FSIs must have prescribed incident management and reporting processes in place and be able to classify incidents according to the Digital Operational Resilience Act criteria.
- Resilience Testing, Vulnerability Scans, and Disaster Recovery Testing: FSIs must have a program for testing their security resilience through processes like vulnerability testing and threat-led penetration testing.
- Information and Threat Intelligence Sharing: FSIs will need to exchange compromise and threat information with other FSIs “within trusted communities of financial entities.”
- Third-Party Risk Management and Monitoring: Firms will need to have a strategy in place to assess third-party supplier risk.
The core purpose of DORA is to:(a) make the European financial sector focus on resilience, (b) harmonize risk management and (c) streamline threat reporting across different financial service institutions within the EU.
However, the Digital Operational Resilience Act also aims to reduce regulatory complexity. It does this by bringing together a range of other cyber regulatory initiatives, such as the guidelines on outsourcing arrangements and ICT and security risk management recently provided by the European Banking Authority (EBA).
The Digital Operational Resilience Act is due to be ratified during the next sitting of the European Parliament in November 2022. It will begin implementation 24 months later, in late 2024.
Once in force, DORA will apply at some level to almost every financial institution that operates in the EU or provides critical services to these FSIs.
Understanding the Digital Operational Resilience Act
DORA’s central theme is resilience.
“Anyone working in the financial sector knows they are in the center of every cybercriminal’s bullseye. They should also know how important resiliency is for reducing risk. With resilience at its core, DORA puts a legal requirement on this point. Like other EU regulations, it is likely to have sharp teeth, so it’s essential that FSIs start preparing now if they haven’t already.”
-Dan MacDonnell, former Fortune 500 financial institution Chief Resiliency Officer.
Once in effect, the Digital Operational Resilience Act will be a prescriptive set of requirements that compel covered FSIs to take a risk-based approach to building resilience to cyberattacks.
The Digital Operational Resilience Act will cover 20 types of regulated EU financial entities. These include: banks and other financial services providers, including payment, credit, and electronic money institutions, crypto-asset service providers, investment firms, and others.
Resilience in cybersecurity means being able to withstand attacks and maintain service provisions. Achieving resilience is a constant process of hardening and testing IT systems, something FSIs will have different levels of familiarity with.
You may also be interested in: 4 Steps to Building a Successful Cyber Resiliency Strategy
Since COVID-19, FSIs have been modernizing fast, but rapid digitization has also increased breach risk. Organizations ranging from the IMF to J.P. Morgan now describe cyber attacks as a fundamental threat to financial stability.
Crucially, DORA does not just cover FSIs but also “critical ICT third-party service providers.” This can include cloud service providers who service FSIs.
With the Digital Operational Resilience Act, the EU wants to force FSIs to approach cybersecurity risk in the same way they look at financial stability requirements—as fundamental to their business continuity.
DORA is prescriptive. It compels covered FSIs to conduct specific security processes and meet particular standards and makes FSIs vet their suppliers and test their own ability to respond, mitigate, and remediate cyber-attacks.
Preparing for DORA
Key to preparing for DORA is having a security program that has resilience as a core goal. Because the Digital Operational Resilience Act indicates a heavy-handed regulatory approach from the EU, covered FSIs must start compliance efforts now.
Under its five pillars, the Digital Operational Resilience Act will present covered institutions with a laundry list of prescriptive requirements. To meet them and avoid penalties, organizations must have a security posture that drives continuous improvement through testing.
For mature financial institutions already working towards a risk-led security posture, DORA compliance should be an extension of their existing efforts to improve resilience. Many of the Digital Operational Resilience Act requirements should build on controls already defined within other standards like NIST.
For less mature organizations, this will not be the case. DORA demands that covered FSIs take a broad resilience-based approach to their security posture and understand at a relatively granular level how cyber assets support their operations. This means knowing what assets are connected to their networks.
Another critical part of Dora’s ICT risk management framework is that organizations must identify vital and essential functions and map the ICT assets that underpin them. Organizations will need to assess the risks to these applications. Many will struggle with this task.
As part of the Operational Resilience testing pillar, the Digital Operational Resilience Act also stipulates that entities must conduct network security assessments and vulnerability management. The act brings in new requirements for testing tools and systems for all covered organizations, such as vulnerability assessments and scans on at least a yearly basis.
For some (financial entities identified as significant), there will also be a need to conduct advanced threat-led penetration testing at least every three years. These kinds of exercises are a significant undertaking, and organizations will need to prepare for these requirements as soon as possible.
Acing DORA with Randori
To comply with DORA, FSIs will need to gain a new level of visibility into their digital ecosystem and understand their attack surface. Randori can help FSI’s comply with the Digital Operational Resilience Act in two key ways:
1. Risk management
Randori’s platform can help organizations identify security gaps and quantity and reduce risk. It discovers unknown, and known assets plugged into a network and provides actionable, prioritized insight to help security teams understand their risks and prioritize vulnerabilities.
2. Resilience testing
Randori’s continuous automated red teaming (CART) technology allows security teams to test their attack surface continuously. With Randori, security teams can assess the effectiveness of security controls against the kind of threats they face in the wild.
To find out how Randori’s ASM platform can help you with DORA compliance, contact us today.