Strict new European Union rules requiring banks to beef up their cybersecurity systems came into effect on Friday, but many financial services companies in the bloc have yet to fully comply with the rules.
The European Union’s Digital Operational Resilience Act, or DORA, requires financial services firms and their technology vendors to harden their IT systems so that the industry is resilient in the event of a cyberattack or any other form of disruption. The regulation takes effect on January 17.
Breaches of the new legislation may result in severe penalties. Financial services firms that violate the rules could face fines of up to 2% of annual global revenue. Individual managers may also be held liable for violations and face sanctions of up to €1 million ($1 million).
Harvey Jang, chief privacy officer and deputy general counsel at IT giant Cisco, said compliance with the new rules among financial services companies has so far been mixed.
“I think we’re seeing a mixed bag,” Jang told CNBC. “Certainly the more mature-stage companies will be looking at this further for at least a year — if not longer.”
“We’re really trying to build this compliance program, but it’s so complex. I think that’s the challenge. We see this also with GDPR and other broad legislation that requires interpretation — what does compliance actually mean? It means different things to different people,” he said.
Jang added that the lack of consensus on what strict compliance with DORA requires has led many organizations to raise their security standards to levels that go beyond the “baseline” most companies expect.
Are financial institutions ready?
Under DORA, financial firms will be required to conduct rigorous IT risk and incident management, classification and reporting, operational resilience testing, intelligence sharing of cyber threats and vulnerabilities, and measures to manage third-party risks.
Companies also need to assess the “concentration risk” associated with outsourcing critical or significant operating functions to outside companies.
A survey of 200 UK chief security officers commissioned by Orange Cyberdefense, the cybersecurity division of French telecoms group Orange, found that 43% of financial institutions in the UK are not yet fully compliant with DORA.
This is a matter of concern because, although the UK is no longer part of the EU, DORA applies to all financial entities operating within EU jurisdiction, even if they are headquartered outside the EU.
Richard Lindsay, principal consultant at Orange Cyberdefense, told CNBC: “While DORA clearly has no legal influence in the UK, entities based in the UK that operate or provide services to EU entities will be affected by its regulatory constraints.”
He added that a major challenge many financial institutions face in achieving DORA compliance is managing their critical third-party IT vendors.
“Financial institutions operate in a multi-layered and extremely complex digital ecosystem,” Lindsay said. “Tracking and ensuring that all parts of the system are clearly compliant with the relevant elements of DORA will require new thinking, solutions and resources.”
Because of DORA’s stringent requirements, banks have also stepped up their scrutiny of technology vendors during contract negotiations, Jang said.
Cisco’s chief privacy officer told CNBC that he believes the principles and spirit of the law are consistent. However, he added, “Any legislation is a product of compromise, so when they become more prescriptive it becomes challenging.”
“We agree with the principles, but any legislation is a product of compromise, so when they become more prescriptive it becomes challenging.”
Still, despite the challenges, experts generally expect banks and other financial institutions to become compliant soon.
“European banks are already complying with important regulations covering most areas of DORA,” Fabio Colombo, Accenture’s financial services security leader for Europe, the Middle East and Africa, told CNBC.
“As a result, financial services organizations already have mature governance and compliance capabilities in place, as well as existing incident reporting processes and robust ICT risk frameworks.”
Risks to IT Suppliers
IT providers may also be fined under DORA. The regulation provides for penalty payments of up to 1% of average global daily revenue, applied for up to six months.
“These sanctions are necessary,” Brian Fox, chief technology officer at software supply chain management company Sonatype, told CNBC. “They are powerful incentives for leaders to focus on compliance and operational resiliency more than ever before.”
Orange Cyberdefense’s Lindsay said that in the long term, there is a risk that financial services companies end up moving their critical security functions and services in-house.
“Advances in technology may allow financial institutions to move services back in-house, simplifying this aspect and reducing the risk of breaches,” he said.
Lindsay added: “Either way, existing contracts will need to be updated to ensure compliance is enforced and monitored contractually between entities and providers.”
At the same time, organizations must also comply with several other cybersecurity-focused regulations, such as the Network and Information Security Directive 2, or NIS2, and the Cyber Resilience Act. The former entered into effect in October.
“As with any new regulation, there will certainly be a transition period as organizations adapt to new requirements and standards,” Sonatype’s Fox told CNBC. “This is the beginning of a long journey toward improving software security and resiliency.”