Financial Services Cyber Compliance Is About To Get Harder

Uploaded on 2023-07-06 in FREE TO VIEW, BUSINESS-Services-Law

For many financial businesses, the industry of compliance is becoming more and more complex. You just finish looking at one regulation to ensure you are compliant, then along comes the next.  
 
With the huge increase in cyber security threats that all companies are facing, and the tightening of cyber insurance criteria, DORA (the EU’s Digital Operational Resilience Act) is one set of regulations financial companies need to be on top of now, even though they don’t come into force until January 2025. 
 
DORA steps up cyber security and operational processes to guard critical financial systems from all interruptions. Its purpose is to strengthen the operational resilience of the financial sector and ensure continuity of critical services so that incidents like the 2018 TSB fiasco can’t be repeated. TSB paid out £48 million to the PRA and the FCA plus £33 million to compensate over five million customers when an IT migration left customers locked out of their accounts. 
 
DORA revolves around the five pillars of: 

  • Risk management.  
  • Incident reporting.  
  • Digital operational resilience testing.  
  • 3rd party risk management.  
  • Sharing information about cyber security threats.  

The EU sees the regulations as necessary to protect financial institutions that are increasingly digitising their services and working with critical third parties like cloud services and data analytics providers. Without a proper framework for operational resilience, they believe one single IT incident could potentially destabilise the EU’s entire financial system. DORA is designed to prevent this and it applies to all companies in the financial services sector, from banking to investment and crowdfunding. 
 
So, its good news for consumers but businesses have just under two years to prepare.  
 
And UK companies can’t avoid it – for DORA’s reach extends to basically any enterprise offering information and communications technology (ICT) services that is considered critical to the supply chain supporting the European financial sector — regardless of whether that enterprise or service is based inside the EU. In fact, under DORA, the complexity of your supply chain or the lack of actual EU presence are considered further risk factors. It’s also likely a UK-equivalent to DORA will become law here. 
 
So, what should you be doing to start preparing for DORA? Here are some simple steps to take right now: 

Scope The Project  

First, it’s important to appoint a DORA project team who will be responsible for looking at the detail of the regulations and establishing how far reaching they are for your organisation. They should then start to define the scoop of the project for your organisation within the context of the risks you are likely to come across as a business. And I would recommend you have a team of people from across different parts of your business including, legal, IT and procurements with a project leader who reports into the board.  

Mitigate Risks Existing Software & Infrastructure 
 
From an IT perspective it will be important for your IT department to establish what risks your organisation currently has that puts them at risk of not meeting the DORA regulations. For example, within your existing software and infrastructure how vulnerable are you to cyber-attack? What legacy apps are you using and are they safe? Is your existing network vulnerable to attack? How good is your data storage? Do you have immutable backup and tried and tested recovery systems in place? Once a risk assessment has been undertaken, a roadmap for any changes with timescales needs to be agreed and regular penetration testing and patching undertaken.  

Adopt Monitoring & Threat Detection Tools 

Critical to being compliant to DORA regulations will be to ensure you have the right layers of technology in place to mitigate day-to-day operational risks. This may mean adopting new monitoring technology that can assess your risks in real-time and take immediate action should a problem occur. By putting in the right controls now you will save yourself time in the long run. Having complete visibility in real time of what is happening across your IT estate will be essential. And don’t forget to assess your risk in terms of how you use third parties – they will also need to be able to demonstrate complete visibility across all your suppliers and supply chain to ensure you are fully compliant.  
 
Ideally, your IT or managed services provider will ensure you have no legacy systems that rely on less up-to-date technology and could compromise your operational resilience. They should also offer cybersecurity expertise, data storage and processing capabilities across a range of availability zones and geographic regions to ensure you are meeting all the requirements. Having the right technology in place will enhance the ability of your organisation to withstand and quickly recover from disruption   

Implement Best Practice End User Training  

Employees – albeit unwittingly – are still the most frequent point of failure for security in organisations. By providing high-quality, regular user training and implementing layers of technology to mitigate day-to-day operational risks from phishing attacks or ransomware is critical. Without the right type of training and internal fostering of a culture of zero trust, all your hard work can just slip away because of human error. And just as cyber threats change daily so training should be ongoing and engaging to ensure the best protection.   

Gain Visibility Of Third-Party Suppliers 

 You will need to have visibility of third-party supplier risks and ask them to demonstrate the appropriate steps they are putting in place to protect your infrastructure and address risks and threats in a timely manner. While ICT services offered by third parties, such as Cloud Service Providers (CSPs), can be more resilient than individual firms’ and financial institutions own ICT infrastructure this is not a given. You will need to check and confirm they can comply to DORA.  
 
Also, it’s good to be aware now that DORA may require a multi-cloud strategy to avoid dependence on one provider. This adds resiliency because one network can failover to the other. 

Start Your Gap Analysis 

We recommend you start assessing through gap analysis how much more your organisation needs to do to comply in three key areas: 

  • Internal threat-led penetration testing (TLPT) where capable 
  •  External TLPT three times per year where applicable 
  • Closer management of third-party risks i.e. cloud services providers. 

 As part of the FCA’s, the Bank of England’s and the PRA’s operational resilience policies that came into force in March 2022, you should have already identified important business services and set impact tolerances and commenced a programme of scenario testing. The PRA has conducted an initial assessment of firms’ implementation of the policy and provided feedback of the results. This year the PRA is working closely with the FCA to assess firms’ progress, with a focus on their ability to deliver important business services within impact tolerances through severe but plausible scenarios within a reasonable time frame and by no later than March 2025.  
 There is no silver bullet to achieve DORA compliance. It needs to be a corporate imperative, led from the top down. With the CEO supporting the CISO to ensure the wider business adheres to the rules by adopting the necessary training, updating processes, and implementation of the right technology. 
 
It’s likely that the regulatory authorities will be able to demand evidence of business resilience of all financial institutions and their third-party suppliers. They may even require organisations to undertake resilience testing and participation in sector-wide exercises and commission skilled person reviews of critical third parties – so starting your DORA preparations now will ensure you are one step ahead.  

Simon Paterson is CISO at CSI Ltd 

You Might Aso Read:

Cyber Security & The  Financial Services Industry:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Twitter Hacker Goes To Jail
Nagoya Re-Opens After Ransom Attack »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

HYAS Infosec

HYAS Infosec

HYAS is a highly skilled information security firm developing the next generation of information security technology.

Namogoo

Namogoo

Namogoo’s disruptive technology identifies and blocks unauthorized product ads that are injected into customer web sessions by client-side Digital Malware.

Ergon Informatik

Ergon Informatik

Ergon Informatik AG is Switzerland's leading provider of customised software solutions and software products including fraud detection and the Airlock web security suite.

Sergeant Laboratories

Sergeant Laboratories

Sergeant Laboratories builds advanced technologies to prove compliance in complex IT security and regulatory compliance situations.

EvoNexus

EvoNexus

EvoNexus is a technology startup incubator with locations in San Diego, Orange County, and Silicon Valley.

Tehtris

Tehtris

TEHTRIS XDR Platform was developed to control and improve the IT security of private and public companies against advanced cyber threats such as cyber espionage or cyber sabotage activities.

Liberman Networks

Liberman Networks

Liberman Networks is an IT solutions provider company that provides security, management, monitoring, BDR and cloud solutions.

CYMOTIVE Technologies

CYMOTIVE Technologies

Combining Israeli cyber innovation with a century of German automotive engineering. CYMOTIVE operates under the assumption that connectivity is a game changer for the automotive industry.

International Cyber Threat Task Force (ICTTF)

International Cyber Threat Task Force (ICTTF)

The International Cyber Threat Task Force is a not-for-profit initiative promoting the ecosystem of an International independent non-partisan cyber security community.

Limes Security

Limes Security

Limes Security GmbH is the leading OT Security expert in the German-speaking region of Europe.

IBM Security

IBM Security

IBM manufactures and markets computer hardware, middleware and software, and offers hosting and consulting services in areas ranging from mainframe computers to nanotechnology.

Entech

Entech

Entech is a managed IT service provider. We work behind the scenes on your network to ensure data security and integrity.

CNF Technologies

CNF Technologies

CNF Technologies is an award-winning cyber company providing technology-focused research and development to commercial, federal, and Department of Defense clients.

NuKuDo

NuKuDo

NukuDo redefine the boundaries of cybersecurity talent development. We are dedicated to cultivating top-tier professionals equipped to tackle the complex challenges of cybersecurity.

Core42

Core42

Core42 provides a full-spectrum of AI enablement solutions covering cloud, data, cybersecurity and digital services designed for customer success.

When Group

When Group

World Health Energy Holdings, Inc. (d/b/a WHEN Group) is a High Tech Holding Company that specializes in the Cyber, Security and Telecom area.