WHAT IS DORA?
DORA, not the girl’s name, is draft legislation created by the European Union. Its purpose is to improve the cybersecurity and operational resilience of financial services in Europe, including those in the UK. By design, DORA – the Digital Operational Resilience Act – will complement existing cybersecurity compliance laws and regulations such as the GDPR and the Network and Information Security Directive (NISD). The legislation applies to most financial entities, including credit and electronic money institutions, investment firms and insurers. Third-party IT service providers will also fall under its wing.
THE $2 TRILLION SWINDLE
In 2004, Chris Swecker, the Assistant Director of the FBI in Washington DC, convened a press conference to highlight the problem of mortgage fraud in the United States, an issue that he believed could become epidemic. Nobody in the financial sector listened to him, and neither did the regulators. A year later, Swecker held another news conference and was joined by representatives from the US Department of Housing and the Internal Revenue Service (IRS). Swecker’s message was clear – the threat was of such a magnitude that, if left unaddressed, it could have severe and long-lasting economic ramifications. The FBI agent’s predictions weren’t far off the mark. In 2007-2008, the global financial crisis struck, a result of predatory financial products targeting low-income home buyers. Following a loss to the global economy in excess of $2 trillion, in 2020 the EU devised DORA as a means of preventing anything like the events of 2008 from happening again.
PRIMARY DORA REQUIREMENTS
In essence, DORA is a framework of rules that financial institutions and their suppliers need to adhere to for optimal operational resilience. While the legislative framework for DORA is still a work in progress, some key objectives and requirements have already been defined which include:
- risk management and governance to oversee risk management programmes and enhance operational resilience
- resilience testing that uses risk assessment to identify threats before they become a problem
- intelligence sharing to increase awareness of current cyber threats
- supply chain management to manage supplier risks
- incident reporting to expedite breach reporting and mitigate the impact of a data breach
- retrospective analysis to examine incidents outside a specific organisation and prevent multiple companies from becoming victims of the same types of cyberattacks
Published as part of a digital finance package in response to the European Commission’s Digital Finance Strategy of September 2020, DORA broadly aims to improve standards within the financial sector. According to Ian Duncan, MD of FTI Consulting:
“Specifically, the EU hopes the new laws will help financial services firms better withstand, respond to and recover from the threats to information communication technology (ICT). Given the business imperatives of maintaining ICT, DORA is intended to add stability and confidence within the financial system.”
It is also said that DORA will make the financial industry, and many companies within the sector, bigger, better, faster and stronger. Far-reaching benefits and implications of the legislation include:
- significantly improved risk assessments
- faster decision-making
- strengthened IT estate management
- a pathway for growth and investment
THE IMPACT ON ICT PROVIDERS
DORA will directly impact any IT or ICT providers to financial institutions, such as those vendors offering:
- cloud and software – AWS, Google and Microsoft
- penetration testing – Astra, Detectify and Invicti
- data storage – Microsoft, Google and Apple
- payment solutions – PayPal, Stripe and Apple Pay
These third-party providers will need to ensure that all their policies and processes are aligned with DORA’s goals. Moreover, the policies and processes for which they are liable must be auditable, and providers will need to cooperate fully with the financial institutions they serve to guarantee compliance.
LET’S DO DORA
“Cybersecurity and resilience should be integral elements of business implementation.”
Again we read some words of truth from Ian Duncan. As someone with IT and data protection in my blood, I understand the synergy between cybersecurity and operational resilience. I have 20-plus years of experience in professional business IT support, specialising in cyber-protection and risk mitigation. Call me today and let’s get ready for DORA together.