Welcome to our monthly Cybersecurity Newsletter! We’re delighted to combine our regular review of high-profile breaches with expert insight from leading cybersecurity consultancy ThreeTwoFour, the latest of Node4’s strategic acquisitions. You can find ThreeTwoFour’s exploration of the Digital Operations Act (aka DORA) below. You can also read our Security Specialist Simon Clayton-Mitchell’s thoughts on why cybersecurity is vital at all levels of an organisation here.
THE THREETWOFOUR VIEW – EXPLORING DORA
It’s been ten months since the Digital Operational Resilience Act (DORA) came into effect. Many financial services organisations and suppliers are working towards complying with its requirements to meet the January 2025 deadline.
In this month’s newsletter, we’re focusing on answering key questions surrounding DORA (the Digital Operational Resilience Act), alongside highlighting the steps that organisations can take to build a roadmap towards compliance.
- WHAT IS DORA?
- WHAT’S DORA’S OBJECTIVE?
- WHO DOES IT APPLY TO?
- WHAT ARE ITS KEY REQUIREMENTS?
- WHERE DO I START WITH DORA COMPLIANCE?
- HOW CAN THREETWOFOUR HELP?
WHAT IS DORA?
DORA is an EU regulation designed to strengthen operational resilience for financial institutions, empowering them to withstand and recover from disruptions. While it took effect on January 16, 2023, financial institutions operating in the EU must comply by January 1, 2025.
Under this regulation, all firms subject to its provisions must demonstrate their ability to effectively handle various ICT-related disruptions and proactively mitigate cyber threats throughout each stage of their lifecycle.
WHAT’S DORA’S OBJECTIVE?
DORA seeks to enhance the overall resilience and security of the financial industry. It does that by consolidating and elevating ICT risk requirements within the EU financial sector, helping to safeguard against cyberattacks. It aims to provide in-scope financial entities, including banks, insurance companies and investment firms, with uniform rules that effectively mitigate ICT-related operational risk.
WHO DOES IT APPLY TO?
While aimed at EU financial services, DORA’s impact extends beyond these institutions to encompass critical suppliers serving the financial sector. Any third-party ICT service provider in the financial industry assessed as “critical” by any of the European Supervisory Authorities (ESAs) will be subject to a supervisory framework. Under it, the ESAs will be endowed with extensive authority, enabling them to request information, carry out investigations and inspections, issue recommendations and, in cases of non-compliance, levy financial penalties on critical ICT third-party service providers.
WHAT ARE DORA’S KEY REQUIREMENTS?
DORA has five key pillars of requirements to which financial institutions must adhere. The five pillars are:
- Risk Management and Governance
Financial institutions are required to utilise and maintain reliable systems, protocols and tools. This is to ensure sufficient reliability, capacity and resilience to handle ICT risks effectively. DORA mandates the implementation of a robust governance and control framework for ICT risk management.
- Operational Resilience Testing
DORA mandates comprehensive digital operational resilience testing of ICT tools, systems, methodologies, practices and processes to proactively identify and rectify issues before they pose a threat to operations. Organisations must establish and maintain a robust and inclusive testing programme, employing a risk-based approach and engaging independent testers. Testing can be conducted by independent parties to ensure objectivity.
- Incident Response
Organisations must establish a compliant process for detecting, managing, notifying and documenting any ICT-related incident, something DORA emphasises. They should develop classification criteria based on the incident’s criticality and prepare protocols for reporting major ICT-related incidents. This should include client notification and management of outsourcing reporting obligations, if applicable.
- Threat Intelligence Sharing
DORA requires financial entities to share cyber threat-related information and intelligence. The aim is to foster the development of information-sharing arrangements with other financial institutions on cyber threats. To assist, the EU has already proposed the establishment of the Joint Cyber Unit, aiming to strengthen cooperation among EU Institutions, Agencies, Bodies and the authorities in the member states.
- Third-party Risk Management
DORA places significant focus on the management of third-party risk. It does this through the implementation of comprehensive risk assessment and monitoring processes. These include processes to regularly assess the risk posed by third parties, to report any risks, and to end the relationship and transition to more suitable providers where necessary.
WHERE DO I START WITH DORA COMPLIANCE?
- Conduct a DORA assessment. Identify any gaps and determine the effort required for remediation before the deadline.
- Develop a comprehensive remediation roadmap. Establish a dedicated programme to aid in planning, facilitating and monitoring the implementation process. Due to the regulation’s complex requirements and their impacts on your organisation, the workload and complexity may exceed what business-as-usual (BAU) teams can handle.
- Assemble a cross-functional team. Choose experts in risk management, business continuity, cybersecurity, legal and compliance to lead the implementation process effectively.
- Don’t be deceived by the relatively long implementation period. The extended timeline is necessary because it involves multiple teams within the organisation collaborating to deliver the required changes.
- Prioritise addressing third-party risks. Rectifying issues within your organisation might be more manageable than with third-party suppliers, especially those unaccustomed to heavy regulatory pressure or operating in a highly regulated environment.
- Utilise automation to streamline processes. Given the substantial reporting requirements, employing technology tools can simplify and expedite reporting tasks.
- Ensure thorough evidence capture. To meet auditability standards, DORA covers both the design of controls and the operational management of those controls, so evidence of each must be retained.
HOW CAN THREETWOFOUR HELP?
We have significant experience in the delivery of large-scale transformation programmes. Our team of regulatory specialists, operational resilience experts and cyber security professionals are well-equipped to help you with your DORA compliance journey.
Whether it’s conducting gap assessments, developing remediation strategies, or overseeing the implementation of controls, we can provide the support you need. Click below to find out more about ThreeTwoFour, a Node4 Company.
(This piece originally appeared on ThreeTwoFour’s website in July 2023, which can be read in full here: https://three-two-four.com/insights/exploring-dora-digital-operational-resilience-act/)
FOCUS ON OUR SERVICES – AUDIT READINESS
It’s very common for organisations to have challenges with their technology controls, whether they cover identity and access management, service delivery or functions of the security operation.
ThreeTwoFour enables Audit Readiness with a service designed to help you create controls that are auditor-friendly. Get support to prepare effectively for your next audit from experts well versed in sitting on both sides of the table.
CYBER SECURITY IS VITAL AT ALL LEVELS
WRITTEN BY SIMON CLAYTON-MITCHELL, NODE4 SECURITY SPECIALIST
The book ‘A Hacker’s Mind’ by Bruce Schneier provides an interesting overview of how systems are hacked: not just computers but tax law, Government legislation, commercial law…you name it! Whether it’s computer code, written laws or accepted business practices, the systems and processes can all be hacked. Towards the end of the book, Schneier makes an interesting point about Artificial Intelligence and how it might be hacked, because AI has a problem called ‘explainability’ (essentially, AI can’t explain why it does the things it does).
COMPANY CULTURE
This got me thinking about organisations – why they do what they do, and how much of that is unconscious. Most, if not all companies will attempt to explain how and why they’ve made decisions. Yet for most workforces, their daily actions aren’t a result of formulated strategies or tactical initiatives. They’re due to corporate culture, or “the way things get done around here.”
For cybersecurity, that’s an issue. And one that’s increasingly important to understand. How well can an organisation effectively explain to itself and others how secure it really is?
If one organisation is looking to acquire another, for example, questions such as ‘do you have Cyber Essentials (CE), and CE+’, or, ‘do you have ISO27001’ will be asked. But how accurate a picture does that paint of the organisation’s real security assurance capability? Just because an organisation says that they take security seriously doesn’t mean they do. And to make matters more complex, they may believe they take security seriously, but the underlying truth is either not being reported properly, or not fully understood.
To illustrate the point, let’s look at an article that stood out in cybersecurity news recently. The Securities and Exchange Commission (SEC) has brought fraud charges against SolarWinds and their CISO relating to a 2020 software attack that compromised the company’s Orion software. The attack itself has been described as “one of the worst cyber-espionage incidents ever suffered by the US.” The SEC alleges that an internal document shared with the CISO stated that “the volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve.”
AWARENESS AND ACTION AT ALL LEVELS
No sane organisation deliberately leaves itself insecure. Everyone will explain why they believe they’re compliant and secure. But cyber security is a constantly evolving area, and it’s incredibly challenging to stay fully secure all the time. Security and IT teams must discuss, prioritise and resolve a constant flow of issues. However, this cacophony of concerns often morphs into a simple Red-Amber-Green (RAG) dashboard at the senior levels of the company.
Some good advice was provided at InfoSec in London earlier this year by one of the headline speakers: cyber security needs to be normalised within an organisation, discussed openly at all levels. Each area needs to be able to explain clearly why they think they are secure and articulate areas of concern. This sort of open communication requires trust between colleagues and across management. What’s reported down below needs to reach the top without fear.
It’s often said that if you cannot explain something to a layperson, then you don’t really understand the subject yourself. Across any organisation, information security needs to be explained and understood by everyone.
On the issue of M&A, my colleagues in ThreeTwoFour have written on the subject in their article ‘Evolution of cyber security in M&A’. On the management challenges faced within organisations around cyber security, I wrote previously in the article ‘Cyber Security: A Management Issue’.
INTERESTED IN FINDING OUT MORE?
If you’d like to discover more about any of the topics we’ve covered in this month’s newsletter, reach out to us by clicking the button below and speak to one of our Cybersecurity specialists.