By Alain Ben Rejeb, Junior Digital Product Manager at Excellence Innovation
Technological progress has revolutionized the financial sector, offering new opportunities, but also exposing institutions to growing cyber risks. To address these challenges, the European Union introduced the DORA (Digital Operational Resilience Act) regulation which aims to strengthen the cybersecurity of financial entities in order to ensure their operational continuity. The regulation requires all industry organizations, including banks, insurance companies and cryptocurrency operators, to comply with the new standards by January 17, 2025, two years after it comes into force.
The growing threat of cyber attacks in the financial sector
The latest “Global Financial Stability Report” from the International Monetary Fund (IMF) from April 2024 warns that global financial stability is increasingly at risk due to the increasing frequency and sophistication of cyber attacks. In particular, the financial sector is among the sectors most exposed to cyber threats, as operations involve large quantities of data and sensitive transactions.
Below is the relevant information extracted from the report:
1. Over the past 20 years, the financial sector has suffered more than 20,000 attacks, causing direct losses of $12 billion.
2. Nearly a fifth of cyber incidents reported over the past 20 years have affected the financial sector, with banks being the most frequent target, followed by insurers and asset managers.
3. Over the last 4 years there has been a doubling of cyber attacks resulting from increasing digitalisation, accelerated by the COVID-19 pandemic and geopolitical tensions.
4. Financial organizations are increasingly relying on third-party IT service providers, and may do so even more with the emerging role of artificial intelligence.
External providers can improve operational resilience, but also expose the financial sector to system-wide shocks. Therefore, it is essential for a financial institution to find reliable suppliers of information and communication technologies to minimize direct and indirect losses such as reputational damage. In this context, the Excellence Group is actively working to satisfy all the requirements of the regulation, thus ensuring that the solutions and services offered are aligned with the new standards of security and operational resilience.
The DORA requirements for financial entities and ICT providers
The goal of DORA is to harmonize European laws comprehensively, establishing technical requirements for financial entities and ICT providers in the following domains:
1. ICT risk management and governance: The administrative body must assume responsibility for ICT management, defining strategies and keeping up to date on risks. It must guide organizations to develop comprehensive frameworks, conduct business impact analyzes and adopt cybersecurity measures such as business continuity plans and disaster recovery.
2. Incident Management: Organizations must establish systems to monitor, manage and promptly report cyber incidents. Critical incidents require three reports: initial, intermediate, and final. Rules on classification and reporting will be published soon, with the idea of simplifying reporting through a central hub and common reporting templates.
3. Digital Operational Resilience Testing: Regular testing of ICT systems is required to identify vulnerabilities and assess their ability to deal with incidents and disruptions. Strategic entities must undergo threat-based penetration testing (TLPT) every three years, with technical standards aligned to the TIBER-EU framework.
4. Third party risk management: The regulation also applies to ICT suppliers. Financial entities must manage third-party risk, enter into compliant contracts with suppliers and map ICT dependencies with them. The European Union is evaluating standardized contractual clauses, and critical suppliers will be subject to direct supervision by European authorities.
Impacts and benefits of the DORA legislation
The implementation of the DORA regulation has significant impacts on the financial sector, introducing new challenges to avoid sanctions and penalties, but above all it offers numerous benefits:
1. Reduced Incident Costs: By implementing advanced security measures and incident response strategies, organizations can significantly reduce costs associated with data breaches and operational disruptions.
2. Improved Reputation: Entities that demonstrate strong operational resilience and effective incident management can strengthen customer and investor confidence, improving their reputation in the market.
3. Operation Efficiency: Standardizing risk management processes and contracts with ICT suppliers allows organizations to operate more efficiently, reducing time and allowing for better allocation of resources to other functions.
4. Support Innovation: A more secure and resilient ICT environment fosters innovation, allowing financial entities to develop and implement new products and services with greater security.
Looking ahead: DORA’s positive impact on financial sector security
As discussed earlier in the article, cyberattacks have increased in both frequency and sophistication, putting the stability of financial institutions at risk. The introduction of the DORA regulation represents a fundamental step in strengthening operational security and resilience in the European financial sector. While posing new challenges for organizations, complying with DORA requirements offers significant benefits, including reducing costs associated with incidents, improving reputation, increasing operational efficiency and supporting innovation. Adopting advanced ICT risk management measures and working with compliant vendors ensures stronger protection of customer data and greater stability of financial operations. In this context, the DORA regulation not only represents a regulatory necessity, but also a strategic opportunity for financial entities to position themselves as market leaders in terms of security and reliability.