Financial Services Cyber Compliance Is About To Get Harder

Uploaded on 2023-07-06 in FREE TO VIEW, BUSINESS-Services-Law

For many financial businesses, the industry of compliance is becoming more and more complex. You just finish looking at one regulation to ensure you are compliant, then along comes the next.  
 
With the huge increase in cyber security threats that all companies are facing, and the tightening of cyber insurance criteria, DORA (the EU’s Digital Operational Resilience Act) is one set of regulations financial companies need to be on top of now, even though they don’t come into force until January 2025. 
 
DORA steps up cyber security and operational processes to guard critical financial systems from all interruptions. Its purpose is to strengthen the operational resilience of the financial sector and ensure continuity of critical services so that incidents like the 2018 TSB fiasco can’t be repeated. TSB paid out £48 million to the PRA and the FCA plus £33 million to compensate over five million customers when an IT migration left customers locked out of their accounts. 
 
DORA revolves around the five pillars of: 

  • Risk management.  
  • Incident reporting.  
  • Digital operational resilience testing.  
  • 3rd party risk management.  
  • Sharing information about cyber security threats.  

The EU sees the regulations as necessary to protect financial institutions that are increasingly digitising their services and working with critical third parties like cloud services and data analytics providers. Without a proper framework for operational resilience, they believe one single IT incident could potentially destabilise the EU’s entire financial system. DORA is designed to prevent this and it applies to all companies in the financial services sector, from banking to investment and crowdfunding. 
 
So, its good news for consumers but businesses have just under two years to prepare.  
 
And UK companies can’t avoid it – for DORA’s reach extends to basically any enterprise offering information and communications technology (ICT) services that is considered critical to the supply chain supporting the European financial sector — regardless of whether that enterprise or service is based inside the EU. In fact, under DORA, the complexity of your supply chain or the lack of actual EU presence are considered further risk factors. It’s also likely a UK-equivalent to DORA will become law here. 
 
So, what should you be doing to start preparing for DORA? Here are some simple steps to take right now: 

Scope The Project  

First, it’s important to appoint a DORA project team who will be responsible for looking at the detail of the regulations and establishing how far reaching they are for your organisation. They should then start to define the scoop of the project for your organisation within the context of the risks you are likely to come across as a business. And I would recommend you have a team of people from across different parts of your business including, legal, IT and procurements with a project leader who reports into the board.  

Mitigate Risks Existing Software & Infrastructure 
 
From an IT perspective it will be important for your IT department to establish what risks your organisation currently has that puts them at risk of not meeting the DORA regulations. For example, within your existing software and infrastructure how vulnerable are you to cyber-attack? What legacy apps are you using and are they safe? Is your existing network vulnerable to attack? How good is your data storage? Do you have immutable backup and tried and tested recovery systems in place? Once a risk assessment has been undertaken, a roadmap for any changes with timescales needs to be agreed and regular penetration testing and patching undertaken.  

Adopt Monitoring & Threat Detection Tools 

Critical to being compliant to DORA regulations will be to ensure you have the right layers of technology in place to mitigate day-to-day operational risks. This may mean adopting new monitoring technology that can assess your risks in real-time and take immediate action should a problem occur. By putting in the right controls now you will save yourself time in the long run. Having complete visibility in real time of what is happening across your IT estate will be essential. And don’t forget to assess your risk in terms of how you use third parties – they will also need to be able to demonstrate complete visibility across all your suppliers and supply chain to ensure you are fully compliant.  
 
Ideally, your IT or managed services provider will ensure you have no legacy systems that rely on less up-to-date technology and could compromise your operational resilience. They should also offer cybersecurity expertise, data storage and processing capabilities across a range of availability zones and geographic regions to ensure you are meeting all the requirements. Having the right technology in place will enhance the ability of your organisation to withstand and quickly recover from disruption   

Implement Best Practice End User Training  

Employees – albeit unwittingly – are still the most frequent point of failure for security in organisations. By providing high-quality, regular user training and implementing layers of technology to mitigate day-to-day operational risks from phishing attacks or ransomware is critical. Without the right type of training and internal fostering of a culture of zero trust, all your hard work can just slip away because of human error. And just as cyber threats change daily so training should be ongoing and engaging to ensure the best protection.   

Gain Visibility Of Third-Party Suppliers 

 You will need to have visibility of third-party supplier risks and ask them to demonstrate the appropriate steps they are putting in place to protect your infrastructure and address risks and threats in a timely manner. While ICT services offered by third parties, such as Cloud Service Providers (CSPs), can be more resilient than individual firms’ and financial institutions own ICT infrastructure this is not a given. You will need to check and confirm they can comply to DORA.  
 
Also, it’s good to be aware now that DORA may require a multi-cloud strategy to avoid dependence on one provider. This adds resiliency because one network can failover to the other. 

Start Your Gap Analysis 

We recommend you start assessing through gap analysis how much more your organisation needs to do to comply in three key areas: 

  • Internal threat-led penetration testing (TLPT) where capable 
  •  External TLPT three times per year where applicable 
  • Closer management of third-party risks i.e. cloud services providers. 

 As part of the FCA’s, the Bank of England’s and the PRA’s operational resilience policies that came into force in March 2022, you should have already identified important business services and set impact tolerances and commenced a programme of scenario testing. The PRA has conducted an initial assessment of firms’ implementation of the policy and provided feedback of the results. This year the PRA is working closely with the FCA to assess firms’ progress, with a focus on their ability to deliver important business services within impact tolerances through severe but plausible scenarios within a reasonable time frame and by no later than March 2025.  
 There is no silver bullet to achieve DORA compliance. It needs to be a corporate imperative, led from the top down. With the CEO supporting the CISO to ensure the wider business adheres to the rules by adopting the necessary training, updating processes, and implementation of the right technology. 
 
It’s likely that the regulatory authorities will be able to demand evidence of business resilience of all financial institutions and their third-party suppliers. They may even require organisations to undertake resilience testing and participation in sector-wide exercises and commission skilled person reviews of critical third parties – so starting your DORA preparations now will ensure you are one step ahead.  

Simon Paterson is CISO at CSI Ltd 

You Might Aso Read:

Cyber Security & The  Financial Services Industry:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

 

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Twitter Hacker Goes To Jail
Nagoya Re-Opens After Ransom Attack »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

SlashNext

SlashNext

The SlashNext Internet Access Protection System (IAPS) provides Zero-Day protection against all internet access threats including Social Engineering & Phishing, Malware, Exploits and Callback Attacks.

Zecurion

Zecurion

Zecurion data loss prevention (DLP) solution is an easy-to-use solution for securing confidential data at rest and in motion.

Luxembourg Office of Accreditation & Surveillance (OLAS)

Luxembourg Office of Accreditation & Surveillance (OLAS)

OLAS is the national accreditation body for Luxembourg. The directory of members provides details of organisations offering certification services for ISO 27001.

S2S Group

S2S Group

S2S Group specialise in the destruction and management of IT assets at the end of the lifecycle.

oneM2M

oneM2M

oneM2M is a global organization creating a scalable and interoperable standard for communications of devices and services used in M2M applications and the Internet of Things.

Pinpoint Search Group

Pinpoint Search Group

Pinpoint Search Group's recruiters specialize in Information Management, Cyber Security, Cloud and Robotic Process Automation (RPA).

IT Jobs Watch

IT Jobs Watch

IT Jobs Watch provides a concise and accurate map of the prevailing IT job market conditions in the UK.

Envelop Risk

Envelop Risk

Envelop Risk is a global specialty cyber insurance firm, combining decades of insurance industry expertise with sophisticated cyber and artificial intelligence-based analytics.

Field Effect Software

Field Effect Software

Field Effect Software build sophisticated and integrated IT security, threat surface reduction, training and simulation capabilities for enterprises and small businesses.

iSecurity Consulting

iSecurity Consulting

iSecurity delivers a complete lifecycle of digital protection services across the globe for public and private sector clients.

Edgile

Edgile

Edgile is the trusted cyber risk and regulatory compliance partner to the world’s leading organizations, providing consulting, managed services, and harmonized regulatory content.

Recon InfoSec

Recon InfoSec

The Recon InfoSec team includes analysts, architects, engineers, intrusion specialists, penetration testers, and operations experts.

NorthRow

NorthRow

NorthRow provides digital transformation compliance solutions to help businesses manage regulatory and financial crime risks.

WheelHouse IT

WheelHouse IT

WheelHouse IT secures, manages, and advances businesses with innovative, cost-effective IT solutions.

DHCO IT

DHCO IT

The DHCO IT team are experts in IT support, cyber security, cloud support and disaster recovery, and are Microsoft 365 partners.

Staley Technologies

Staley Technologies

Staley Technologies is a US nationwide structured cabling, technology integrator, and Managed IT & Cyber Security provider.