Ensuring compliance with the Digital Operational Resilience Act
As the financial sector becomes increasingly reliant on digital technologies, ensuring operational resilience is essential
With just two months to go until Dora comes into effect, financial institutions must implement robust security protocols
The Digital Operational Resilience Act (Dora), which comes into full effect on January 17, 2025, represents a legislative effort to enhance the operational resilience of financial institutions within the EU.
As the financial sector becomes increasingly reliant on digital technologies, ensuring robust operational resilience is essential. Dora establishes a comprehensive framework that mandates financial entities to develop and maintain strong operational resilience capabilities, including risk management processes for information and communication technologies (ICT).
Dora emphasises the need for effective IT security measures and data governance, providing guidelines for how financial institutions should view digital threats and maintain the integrity and availability of data. Financial institutions, with just two months until Dora comes into effect, must implement robust security protocols, conduct regular security testing and develop incident response plans to minimise the impact of cyber threats. Such organisations should consult with trusted partners to create a comprehensive cyber risk profile and ensure readiness in time.
Vendor risk assessments
Organisations may encounter several challenges when implementing and managing compliance with Dora.
One significant hurdle is the complexity of the regulatory requirements, which necessitates a comprehensive understanding of both internal systems and third-party relationships. Organisations must understand their risk profile to identify areas where attacks will have the greatest impact and cause the most loss. Real-time, continuous understanding and information about a company’s risk, rather than an annual, moment-in-time assessment, is crucial to not only being Dora-compliant but also resilient to cyber attacks.
It is not just first-party risk that firms need to be conscious of. Dora expects financial institutions to conduct thorough vendor risk assessments across their entire ICT supply chain, a process that can be resource-intensive and time-consuming. Incidents such as the MOVEit and Ivanti breaches demonstrate the importance of monitoring vendor risk and how even robust internal security measures can be undermined by weaknesses in third parties.
Companies that wish to be compliant with regulations and resilient to cyber attacks must understand the interconnectedness of financial institutions and their third-party service providers. Establishing clear contractual agreements and conducting thorough due diligence on third-party vendors are essential for ensuring compliance and enhancing overall resilience.
However, businesses must also know how to turn their vendor risk assessments into actionable material. Quantitative risk assessments can help translate the potential risk of third-party vendors into financial terms, allowing for a clearer understanding of the potential financial impact of cyber threats. The Resilience Solution, for example, provides in-house cyber risk quantification modelling to deliver detailed risk analysis for clients, giving them a more comprehensive and nuanced view of their overall risk profile. This approach helps businesses address the complexity of regulations and ensure they understand their cyber risk.
Incident response planning
Another critical challenge is ensuring consistent adherence to security protocols and incident response plans across diverse teams that are often dispersed across multiple locations. This necessitates the development of robust training programmes and the cultivation of a security culture, which can take time to establish.
A key aspect of Dora is fostering a risk management approach and culture within financial institutions. Organisations must cultivate an environment where employees are aware of potential risks and are encouraged to contribute to resilience efforts. Continuous learning and training programmes are vital for promoting this culture.
Companies must develop and deliver internal cyber incident and data breach exercises and be prepared for potential assessments. To help identify these gaps, Resilience offers breach and attack simulations to clients, using artificial intelligence modelling to deliver critical insights, highlighting security strengths and compliance gaps. These simulations help companies not only stay compliant, but also resilient to cyber attacks.
Furthermore, effective incident response plans are crucial in managing and mitigating the impact of cyber attacks. By proactively monitoring threats and developing recovery strategies, businesses can quickly identify, contain and minimise operational disruptions and financial losses.
The path to compliance
As cyber threats continuously evolve, maintaining an agile approach to risk management while adhering to compliance deadlines can prove daunting. Integrating Dora compliance into existing frameworks and processes may strain limited resources, particularly for smaller institutions that may lack the necessary infrastructure and expertise to meet these demands effectively.
Financial institutions must also navigate the need for transparent communication with regulatory bodies, executive teams and board members to be able to demonstrate compliance without compromising sensitive operational details. This delicate balance underscores the importance of a strategic, co-ordinated approach to achieving Dora compliance.
Moreover, comprehensive insurance coverage is becoming an increasingly popular way for companies to address and mitigate risk. Integrated security and insurance solutions assist businesses in underwriting risk, providing quantitative risk assessments, developing cyber action plans and delivering proactive, comprehensive cyber resilience strategies for financial institutions, helping them comply with regulations such as Dora.
Adopting these strategies will enable businesses to gain a clearer understanding of their risk profiles, shape planning decisions, minimise losses and manage risk factors more effectively, and align more closely with robust regulatory frameworks such as Dora so that they can continue to operate securely and efficiently.
Si West is director of customer engagement at Resilience