Bolstering Operational Resilience in the Financial Sector with DORA

In July 2024, a vendor’s faulty update triggered a significant global IT outage, underscoring the critical need for robust operational resilience. The resulting impact and losses prompted urgent reassessment of business continuity strategies.

The European Union’s landmark regulation – Digital Operational Resilience Act (DORA) – aims to safeguard the resilience and security of crucial financial systems that are vital to the global economy, in the rapidly evolving digital landscape. DORA’s main goal is to fortify the financial sector against IT, cyber, and digital threats, setting high standards for IT governance, risk management, and investment in essential systems.

What is DORA?
The introduction of DORA is a significant step towards a unified regulatory approach to digital resilience in the financial sector across the EU. It acknowledges the growing reliance on digital technologies and the increased sophistication of cyber threats. By standardizing requirements, DORA aims to create a level playing field, enhancing the overall stability and integrity of the financial system. DORA applies to 20 different types of financial entities and ICT third-party service providers.

The primary objective of this act is to consolidate and upgrade rules pertaining to digital operational resilience for all entities operating in the financial sector. This includes banks, insurance companies, and all other financial entities. DORA sets forth stringent requirements for these institutions to ensure they can withstand, respond to, and recover from all types of cyber threats and technology disruptions.

The act also encourages, and in some cases requires, the sharing of information related to cyber threats and vulnerabilities within the financial sector. This promotes transparency, facilitates swift response and recovery actions, and enables the sharing of valuable insights across the sector to prevent similar incidents.

Recognizing the increasing reliance on third-party providers for critical ICT services, DORA emphasizes the importance of managing and overseeing these relationships. Financial entities are required to conduct thorough due diligence, establish contractual safeguards, and monitor the performance and security posture of their third-party providers.

And, of course, the regulation mandates the establishment of comprehensive business continuity plans to ensure operational resilience in the event of disruptions. These plans should outline procedures for maintaining essential services, restoring normal operations, and communicating with stakeholders during and after an incident.

Advantages of adopting DORA for financial institutions

By adhering to DORA’s stringent cybersecurity requirements, institutions bolster their defences against cyberattacks and data breaches, safeguarding their reputation and the trust of their customers. Of course, by complying with DORA, institutions also mitigate the risk of facing significant financial penalties and operational restrictions associated with non-compliance.

Additionally, DORA fosters a proactive approach to risk management, enabling institutions to better anticipate, prepare for, and recover from disruptions, ensuring the continuity of critical services. Compliance with DORA will also signal a commitment to security and operational stability, instilling greater confidence in customers and stakeholders.

Embracing DORA

DORA represents a significant step towards strengthening the operational resilience of the financial sector. By embracing its principles and implementing its requirements, financial institutions can enhance their cybersecurity posture, improve their ability to withstand disruptions, and foster greater trust among their stakeholders.

All UK-based entities in financial services with any market activities within the EU, and their ‘Critical ICT Third Party Providers’ (CTTPS), are subject to the requirements. The deadline for DORA compliance in the UK is January 17, 2025. That said, many financial services firms already have robust systems and processes in place to cover other regulatory commitments, such as ISO 27001. For them, DORA could essentially be an exercise in proving compliance rather than achieving it.
