Reading Time: 5 minutes

How to Prepare Your Team for DORA Changes in 2024

4th September 2024 | Modified: 30th August 2024

Categories: Security



The financial sector is uniquely exposed to cyber risk because of the volume of sensitive data and high-value transactions it handles. The International Monetary Fund, in its April 2024 Global Financial Stability Report, estimates that losses from cyber incidents have more than quadrupled since 2017 to $2.5 billion. These are the risks that prompted the European Union to adopt a regulation aimed at safeguarding the sector’s technological infrastructure.

That regulation, the Digital Operational Resilience Act (DORA), establishes a Union-wide framework for how financial entities across the EU, and the ICT third-party providers that serve them, manage ICT risk. Its aim is to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions and threats.

 

Financial entities have until 17th January 2025 to be fully compliant: DORA entered into force in January 2023, but its requirements apply from that date.

01. The Digital Imperative: Why DORA is Essential

  1. ICT Risk Management: Building Robust Defences

At the heart of DORA lies the requirement for financial entities to establish a comprehensive ICT risk management framework, owned and approved by the management body. In practice this means identifying and classifying ICT assets and dependencies, conducting regular risk assessments, and ensuring that all ICT systems are protected against and monitored for potential threats, whether cyber-attacks, technical failures or other digital disruptions, with documented response and recovery plans.

 

  2. Incident Reporting: Swift Response to Digital Crises

In the event of a major ICT-related incident, time is of the essence. DORA requires financial entities to report major incidents to their competent authority, and it sets the reporting cadence: an initial notification, followed by an intermediate report and a final report. An ICT-related incident is any event that compromises the security of network and information systems and, with it, the availability, authenticity, integrity or confidentiality of data or services; whether it counts as major is decided against criteria the regulation lays down, such as the number of clients affected, the duration, the geographic spread, data losses, the criticality of the services affected and the economic impact. Prompt reporting lets authorities respond quickly, mitigating the impact of the incident and limiting further damage.

 

  3. Digital Operational Resilience Testing: Proving the System’s Strength

To ensure that financial institutions can withstand a digital crisis, DORA mandates a programme of digital operational resilience testing. This isn’t just about running a few simulations: basic testing (vulnerability assessments, gap analyses, scenario-based tests, penetration testing and similar) must be carried out at least yearly on the ICT systems supporting critical or important functions, and entities singled out by their competent authority must additionally undergo advanced threat-led penetration testing (TLPT) at least every three years. By subjecting their ICT infrastructure to these exercises, financial entities are better prepared for real-world attacks.

 

  4. Third-Party Risk Management: Securing the Extended Digital Ecosystem

As financial institutions increasingly rely on third-party service providers for essential ICT functions, the risks associated with these partnerships grow. DORA addresses this by placing significant emphasis on third-party risk management. Financial entities must keep a register of information covering all contractual arrangements with ICT third-party providers, and ensure those contracts include provisions for risk management, incident reporting and resilience testing, as well as termination rights and exit arrangements. Moreover, DORA subjects critical third-party providers to a dedicated oversight regime, ensuring that they adhere to the same high standards as the financial institutions they serve.

 

  5. Information Sharing: A Collective Defence Against Cyber Threats

The regulation encourages financial entities to exchange information and intelligence on cyber threats, including indicators of compromise, tactics and techniques, and security alerts, within trusted communities of financial entities. This collaborative approach is designed to foster a collective defence, where institutions learn from each other’s experiences and adopt best practices. By pooling knowledge and resources, the financial sector can build a more resilient defence against an ever-evolving threat landscape.

 

  6. Oversight of Critical Third-Party Providers: Ensuring Accountability

Recognising the vital role that third-party providers play in the financial ecosystem, DORA introduces an oversight framework specifically for those providers designated as critical. ICT providers are designated as critical by the European Supervisory Authorities, and each critical provider is assigned a Lead Overseer (one of the EBA, ESMA or EIOPA) that assesses its ICT risk management, resilience and governance arrangements.

The Lead Overseer is granted the power to request information, conduct investigations and on-site inspections, issue recommendations and impose periodic penalty payments on providers that fail to comply, ensuring that these critical links in the financial chain are held to the highest standards.

02. Charting the Path to Compliance

With the clock ticking towards DORA’s full application date, financial institutions must take decisive action to ensure compliance. Here’s a step-by-step guide to navigating the regulatory landscape:

 

  1. Evaluate Current ICT Risk Management Practices

The first step towards compliance is a thorough evaluation of existing ICT risk management frameworks. Financial institutions must scrutinise their policies, procedures and controls against each of DORA’s pillars, identifying any gaps or areas of weakness. This gap assessment provides a clear picture of what needs to be enhanced or overhauled to meet DORA’s standards, and a basis for prioritising the remediation work before January 2025.

 

  2. Strengthen Incident Reporting Mechanisms

Institutions must ensure they have robust mechanisms in place for detecting, classifying, reporting and responding to ICT-related incidents. This involves defining clear criteria for incident severity, aligned with the classification thresholds DORA sets for major incidents, and ensuring that all relevant staff are trained to recognise and escalate incidents promptly. Timely reporting is crucial under DORA: financial entities must be able to produce the initial notification, intermediate report and final report to their competent authority within the required timeframes.

 

  3. Implement Regular Resilience Testing

Resilience testing is not a one-time event but an ongoing process. Financial institutions must develop and implement a comprehensive testing programme that includes regular penetration tests, vulnerability assessments and scenario-based evaluations, prioritised around the ICT systems that support critical or important functions. Weaknesses identified in testing must be classified, remediated and tracked to closure, not merely reported, so that they are addressed before they can be exploited.

 

  4. Enhance Third-Party Risk Management

Given the critical role of third-party providers, financial institutions must review and update their contracts to ensure compliance with DORA. This includes incorporating provisions for risk management, incident reporting, resilience testing and exit arrangements. Institutions must also conduct due diligence on providers before contracting, maintain a register of information covering every ICT contractual arrangement, and assess concentration risk where several critical or important functions depend on a single provider.

 

  5. Engage in Information Sharing

To stay ahead of emerging cyber threats, financial institutions should actively participate in information-sharing initiatives. By collaborating with other entities in the sector, institutions gain early visibility of the latest threats and best practices, enhancing their overall resilience.

 

  6. Prepare for Regulatory Oversight

Finally, financial institutions must be ready for potential audits and inspections by competent authorities. This requires maintaining comprehensive, current documentation of ICT risk management practices, test results, incident records and the register of information, and being able to demonstrate compliance with DORA’s requirements at short notice.

Conclusion

As the January 2025 deadline approaches, if you work within the financial sector make sure that you align with DORA’s requirements. The road to compliance may be challenging, but the rewards are clear: a more robust, secure, and resilient financial sector capable of weathering the storms of the digital world.

 

If you would like to know more or need support with DORA for your business contact the team at sales@cnc-ltd.co.uk or call us on 01273 384 100


By Gary Jowett

Gary has always focused on making sure the most appropriate solution is provided to help customers, not just what's new and shiny. With over 30 years in the IT industry Gary has the experience to tell the difference between something that's game-changing or is just a passing fad!
