Financial services firms and their digital technology suppliers are under intense pressure to achieve compliance with tough new rules from the EU that require them to strengthen their cyber resilience.
By early next year, financial services firms and their technology suppliers will have to make sure they comply with a new incoming law from the European Union, known as DORA, or the Digital Operational Resilience Act.
CNBC breaks down what you need to know about DORA — including what it is, why it matters and what banks are doing to make sure they’re prepared for it.
What is DORA?
DORA requires banks, insurance companies and investment firms to strengthen their IT security. The EU regulation also seeks to ensure that the financial services industry is resilient in the event of a major disruption to operations.
Such disruptions could include a ransomware attack that shuts down a financial firm’s computers, or a DDOS (distributed denial of service) attack that causes a firm’s website to go offline.
The regulation also seeks to help businesses avoid major outage events such as the historic IT meltdown last month caused by cybersecurity company CrowdStrike, when a simple software update issued by the company forced Microsoft’s Windows operating system to crash.
Many banks, payment companies and investment companies — from JPMorgan Chase and Santander to Visa and Charles Schwab — were unable to provide services due to the outage. It took these companies several hours to restore service to consumers.
In future, such an event would fall under the type of service interruption that would face scrutiny under the incoming EU rules.
Mike Sleightholme, president of financial technology firm Broadridge International, notes that an important factor of DORA is that it doesn’t just focus on what banks are doing to ensure resilience – it also looks closely at companies’ technology suppliers.
Under DORA, banks will be required to undertake rigorous IT risk management, incident management, triage and reporting, digital operational resilience testing, information and intelligence sharing in relation to cyber threats and vulnerabilities, and third-party risk management measures.
Companies should conduct assessments of the “concentration risk” associated with outsourcing critical or significant operational functions to external companies.
These IT providers often provide “critical digital services to customers,” said Joe Vaccaro, general manager of Cisco-owned Internet quality monitoring firm ThousandEyes.
“These third-party providers must now be part of the testing and reporting process, which means financial services firms must adopt solutions to help them uncover and map these sometimes hidden dependencies with providers,” he told CNBC.
Banks will also need to “extend their ability to ensure the delivery and performance of digital experiences not only on the infrastructure they own, but also on the infrastructure they don’t own,” Vaccaro added.
When does the law apply?
DORA came into force on 16 January 2023, but the rules will not be implemented by EU member states until 17 January 2025.
The EU has prioritized these reforms because of the way the financial sector is increasingly dependent on technology and technology companies to provide vital services. This has made banks and other financial service providers more vulnerable to cyber attacks and other incidents.
“There’s a lot of focus on third-party risk management,” Sleightholme told CNBC. “Banks use third-party service providers for important parts of their technology infrastructure.”
“Enhanced recovery time goals are an important part of it. It’s really about security around technology, with a particular focus on cyber security recoveries from cyber attackers,” he added.
Many EU digital policy reforms in recent years have tended to focus on companies’ own obligations to ensure that their systems and frameworks are robust enough to protect against damaging events such as data loss to hackers or unauthorized individuals and entities.
The EU’s General Data Protection Regulation, or GDPR, for example, requires companies to ensure that they process personally identifiable information with the consent of the individuals concerned and with sufficient safeguards to minimize the exposure of such data in the event of a breach or leak.
DORA will focus more on banks’ digital supply chain — which represents a new, potentially less comfortable legal dynamic for financial firms.
What if a business doesn’t comply?
For financial firms that break the new rules, EU authorities will have the power to impose fines of up to 2% of their annual global revenue.
Individual administrators can also be held liable for violations. Penalties on individuals within financial entities could reach 1 million euros ($1.1 million).
For IT providers, regulators can impose fines of up to 1% of average daily global revenue in the previous financial year. Companies can also be fined daily for up to six months until they achieve compliance.
Third-party IT companies deemed “critical” by EU regulators could face fines of up to €5 million — or, in the case of an individual administrator, up to €500,000.
That’s slightly less severe than a law like GDPR, under which companies can be fined up to 10 million euros ($10.9 million) or 4% of their annual global revenue — whichever is higher.
Carl Leonard, EMEA cyber security strategist at security software firm Proofpoint, points out that criminal penalties can vary from member state to member state, depending on how each EU country applies the rules in their respective markets.
DORA also calls for a “principle of proportionality” when it comes to sanctions in response to breaches of the law, Leonard added.
This means that any response to a breach of the law will have to balance the time, effort and money companies spend on improving their internal processes and security technologies against how critical the service they offer, and the data they are trying to protect, actually are.
Are banks and their suppliers ready?
Stephen McDermid, head of EMEA security for cybersecurity firm Okta, told CNBC that many financial services firms have prioritized using existing internal operational resilience and third-party risk programs to comply with DORA and “identify any gaps they may have.”
“This is the intention of DORA, to create alignment of many existing governance programs under a single supervisory authority and harmonize them across the EU,” he added.
Fredrik Forslund, vice president and general manager of international data sanitization firm Blancco, warned that while banks and technology vendors have made progress toward DORA compliance, there is still “work to be done.”
On a scale of one to 10 — with one representing no compliance and 10 representing full compliance — Forslund said, “We’re at a 6 and we’re trying to get to a 7.”
“We know we have to be at 10 by January,” he said, adding that “not everyone will be there by January.”