The EU’s Digital Operational Resilience Act (DORA) is just a year away. It impacts any financial services firm serving customers in the region, even if they are based outside it. And, crucially, it also covers IT suppliers to these organizations. Experts predict that could mean tens of thousands of businesses need to get their DORA compliance house in order before 17 January 2025.
The good news is that best practice security steps such as strong data protection will go a long way to meeting these requirements.
Why we need DORA
It’s no secret that financial services is one of the most popular targets for threat actors, thanks to its low tolerance for outages and the huge volumes of sensitive personal and financial data its organizations store. According to one study, finance was the most breached industry in 2023, accounting for over a quarter (27%) of incidents. That’s up from 19% a year previously.
Yet as these organizations, and the IT companies that supply them, invest in digital transformation to improve back-end efficiencies and customer-facing experiences, their attack surface continues to grow. From cloud infrastructure and applications to blockchain technology and complex supply chains, there is a growing number of vectors for attack. This matters, given the criticality of the sector to the region’s social and economic prosperity.
As EU security agency ENISA warns:
“The finance sector is the crucial backbone of the European economy and, like many other sectors, its dependency on ICT infrastructures, providers and their supply chains is increasing. The importance of ICT security and resilience in supporting the finance sector has grown considerably in recent years, and the objective of protecting automated inter-banking transactions and, more generally, all types of communications is altogether more critical and complex nowadays.”
What will compliance entail?
This is where DORA comes in. The new regulation will harmonize rules designed to strengthen operational resilience across the bloc and beyond. And like the GDPR, it must be enacted by all member states in its entirety. Complying organizations will need to consider five pillars:
IT risk management: Includes deploying tools to minimize IT risk through ongoing monitoring, protection and prevention measures, and detection of suspicious activity. Organizations also have to document critical assets, and put in place business continuity and disaster recovery plans.
Incident management and reporting: Put processes in place to log all incidents, determine major incidents and submit reports.
Supply chain risk management: Includes visibility into and reporting of outsourced activities and continuous monitoring of risk. All contracts must include mandatory clauses specified by DORA.
Resilience testing: Annual IT testing and periodic penetration testing to identify and remediate any gaps and weaknesses.
Information sharing: DORA facilitates and encourages anonymous sharing of threat intelligence among the financial services community.
The value of encryption
Given the high value of the data that financial services companies manage, process and store, data protection is a key part of the regulation. Article 9, paragraph 2, states that complying organizations must “maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.”
This chimes with comforte’s data-centric security approach, which posits that the best way for financial services organizations to enhance resilience, build customer trust, protect reputation and support regulatory compliance is by protecting their most sensitive data. The comforte Data Security Platform is designed to continuously and automatically discover and classify data wherever it resides in the organization, and then apply protection—including tokenization techniques which deliver both security and utility.
Organizations still on the road to DORA compliance will find the process far easier if they already comply with standards like ISO 27001, which also affirm the importance of data-centric security. Doing so will help not only with DORA compliance, but also with other industry-specific and regional rules such as PCI DSS 4.0 and GDPR. Cybersecurity best practices are best practices, whichever regulator is mandating them.