How to prepare for DORA

Hamish Monk

Reporter, Finextra

Driven by its appetite for rapid innovation, the financial sector is increasingly dependent on technology to deliver its offering. The sector has therefore become highly vulnerable to cyber-attacks and other digital ‘slip-ups’. If not handled correctly, a compromised IT system could spark a knock-on disruption to financial services, the companies they work with, multiple supply chains and sectors, and ultimately, the global economy.

In acknowledgement of this risk, the European Union (EU) has issued the Digital Operational Resilience Act (DORA) and asked financial entities – including banks, insurance companies, investment firms, payments service providers and other third parties – for their compliance by January 2025.

When adhered to, the Act will theoretically strengthen the IT security of the financial ecosystem in Europe and ensure it is able to remain resilient in the face of severe operational disruption.

So, with DORA’s deadline fast approaching, how can laggards get up to speed with this seminal regulation?

1. Appoint a risk management task force

The main purpose of the Act is to enshrine digital resilience frameworks at an institution-wide level. This heralds an evolution in the role of the executive committee (and even the chief executive officer), which is now accountable under the Act.

As such, the foremost – and arguably most important – step in preparing for DORA is to appoint a ‘risk management taskforce’ from the board of directors. This will provide an opportunity to conduct an initial ‘gap assessment’ of legacy systems and draw up a company-wide roadmap against key deliverables.

In practical terms, the taskforce’s primary responsibility ahead of January 2025 should be to establish an ICT risk management framework, which will enact, oversee and assess all measures implemented to achieve DORA compliance. All members of the task force are advised to participate in regular training – ensuring that skillsets and knowledge around ICT and operations remain cutting edge.

The consideration and management of exposure risk posed by third-party service providers is also a big focal point in the EU’s Act. To meet this stipulation, the taskforce may wish to nominate a figure who will be responsible for, and report on, this element.

Crucially, if any issues surface, financial entities must have ready an ICT-related incident management process, with the capacity to notify the relevant authorities no later than the end of the business day.

2. Assume a bird’s-eye view over operations

Once a task force is appointed and instructed, it is advisable that a clear line of sight – penetrating the entire organisation’s IT systems – is achieved. Only then can the adequacy of existing resilience potential be assessed and fine-tuned.

It is surprising how many institutions today lack this kind of transparency, and challenges arise when the business is spread across multiple borders and functions. However, if the right data can be brought together at the right time, issues are spotted and resolved rapidly. Indeed, technological agility is critical in satisfying DORA.

But a bird’s-eye view may prove to be a pro-active tool, too. With an unfettered view of systems and data, powerful decisions can be enacted to bolster the organisation’s defences against all manner of future cyberattacks – and ensure minimal disruption to staff, customers, and the broader financial ecosystem.

3. Integrate all infrastructure

Yet, if said data is sitting in innumerable silos, the response from staff to a technological trip-up will necessarily be sub-optimal – even with a 360-degree view.

This is why another key step in preparing for DORA is the integration of an organisation’s technological infrastructure. To build a single, trusted, cross-border platform there needs to be a company-wide outlook on IT. Back-office processes must be mapped, and all systems and applications must be interoperable.

Connectivity of data – irrespective of how old it is, where it sits, or which area of the bank uses it most regularly – is particularly critical for multi-national institutions; enabling them to flex to sundry market conditions and regulations, in multiple regions simultaneously.

4. Renovate IT systems

Once an entity’s systems are centralised, it is time to renovate. Incredibly, almost one third of banks recently reported that they did not have an up-to-date, reliable IT asset inventory. As the Achilles’ heel of any digital institution, these systems must be modernised.

Fortunately, a dedicated management system does not need to be established for every piece of compliance, because each system is founded on the same components: data, processes, IT systems, and so on. With an integrated management system, each area can be mapped so that interdependencies or overlaps are identified and addressed.

A sturdy IT system is one that can be seamlessly upgraded, easily maintained and configured, and allows for software patching to shield against developing cyber threats. Access to key assets, such as sensitive data, should adhere to the ‘least privilege’ policy, meaning no single individual has more permissions than they require to conduct their duties. Logging and monitoring protocols should also be in place to generate a trail for auditors to track potential systemic breaches.

Working with a third-party security provider is also a consideration – facilitating access to services like AI-powered fraud detection; encryption; monitoring, scanning, and auditing; data recovery; as well as a holistic disaster response, should the entire firm fall over.

5. Test, test, and re-test

Once the previous four preparations for DORA have been made, resilience testing – a critical part of compliance – should follow.

In the Act, there are specific recommendations for a ‘threat-led’ approach to testing. Simply put, it is a litmus test for preparedness, and means mimicking the procedures of bad actors who pose a genuine cyber threat. This procedure will expose any potential weaknesses in digital systems, so that they can be patched up ahead of the deadline.

Banks yet to adopt such an approach should speak to their third-party security testing partners about the extent to which their current engagements are ‘threat-led’.

A problem shared is a problem halved – or better

If financial entities adhere to these five steps, they will be well on their way to complying with DORA ahead of the January 2025 deadline.

For those institutions in front of the curve and keen on some extra brownie points from the European Union, there is a proposal (though not an explicit requirement) within DORA’s literature around information and intelligence sharing. By offering up data to the community on cyber threats or incursions, institutions can form the financial services’ equivalent of a ‘Neighbourhood Watch’ – holding each other’s hand through the brave new world of digitisation. The philosophy behind this suggestion is that an industry reacts better to a technological compromise as a whole than as discrete units.

For such ‘pro-active’ institutions, DORA represents not just a compliance hurdle, but a business opportunity to monitor operations in real time, identify new ways to stimulate productivity and better meet customers’ demands.

All this comes together to demonstrate, with continental magnitude, that a bank’s service is competitive, agile, robust, and – most importantly – future proof.