Intelligent Tech Channels Issue 83 | Page 69

FINAL WORD

It is no secret that the financial industry is a prime target for cyber criminals, which is driving the need for more stringent regulations to protect these institutions and their employee and customer data.

Recent research by SecurityScorecard indicates that in 2023, 78% of European financial institutions experienced a data breach involving a third party, and 84% of financial organisations were affected by a breach involving a fourth party. Regulators and authorities are therefore keen to strengthen financial institutions’ defences against cyber-attacks and other ICT incidents.
The upcoming Digital Operational Resilience Act (DORA), set to come into effect in January 2025, aims to change the data security regulatory landscape by mandating that financial institutions adopt a proactive, multi-layered approach to managing ICT-related risks. The regulation introduces robust requirements for protection, detection, containment, recovery and repair in the event of cyber incidents or technological disruptions.
DORA sets out a series of stringent requirements that financial companies must meet, covering risk management, incident reporting, third-party risk management, digital operational resilience testing and threat intelligence sharing, to ensure robust digital resilience.
DORA seeks to drive and harmonise operational resilience improvements across the EU’s 22,000 financial entities. It applies not just to banks but to credit institutions, payment providers, insurance companies, investment firms, fund managers, pension funds, crypto-asset services, IT third-party service providers, crowdfunding services and more. The new regulation will provide the foundation for building financial systems that are agile and prepared for the digital threats of tomorrow.
Failure to comply with the new regulations could land financial institutions in hot water, resulting in high fines like those associated with GDPR. These fines can increase daily until the issue is resolved, hitting organisations hard financially and damaging the reputation of any organisation that does not comply with the regulation.
For example, when a cyber incident occurs, organisations will be required to notify authorities and affected parties within a 72-hour window. If they do not comply, the details of the breach will be made public. It is therefore critical that these companies constantly monitor their IT environment for possible threats and breaches and are prepared to respond appropriately.
To achieve this, they must implement advanced threat detection systems and a robust incident response plan, and gain a clear understanding of the vulnerabilities in the organisation’s systems. Without proper monitoring, organisations could miss key indicators of a breach and fail to notify the appropriate regulatory bodies on time, which would compound the consequences.
To prepare for these new regulations, every organisation should undergo a comprehensive resilience review and gap analysis. This assesses how prepared the organisation is to handle a cyber incident, and its ability to recover from it swiftly.
This is achieved through an in-depth evaluation of key components, including the current state of the security infrastructure, incident response capabilities and ongoing monitoring efforts.
However, getting to the heart of these requirements while dealing with the day-to-day can be challenging. This is where engaging independent external specialists and third-party vendors to conduct these critical resilience reviews can really help.
Such third parties can help businesses build out a compliance roadmap: a clear plan outlining the steps the organisation must take to achieve and maintain compliance. The plan helps to prioritise the projects that will have the greatest impact on improving the organisation’s security posture and minimising risk.
Part of this process involves scheduling the various compliance projects, as well as prioritising the aspects of cybersecurity that will have the most significant impact. With an expert-led roadmap, organisations can better allocate their resources and ensure that their efforts are directed toward mitigating the most pressing threats.
An essential component of any resilience review is the organisation’s incident response process. A well-written incident response plan is crucial, but equally important is how the organisation actually responds and whether it conducts thorough ICT exercises to stay prepared. It is critical to examine the existing frameworks and procedures for handling