Financial services firms and their digital technology suppliers are under intense pressure to comply with tough new EU rules that require them to become more cyber resilient.
By early next year, financial services firms and their technology suppliers will have to ensure compliance with the EU’s upcoming new law, known as DORA, the Digital Operational Resilience Act.
CNBC breaks down what you need to know about DORA, including what it is, why it matters and what banks are doing to ensure they’re prepared.
What is DORA?
DORA requires banks, insurance companies and investment firms to strengthen their IT security. The EU regulation also aims to ensure the financial services industry is resilient in the event of severe disruption to its operations.
Such disruptions could include a ransomware attack that shuts down a financial firm’s computers, or a DDoS (distributed denial of service) attack that forces a company’s website offline.
The rules are also intended to help firms avoid major outage events, such as the historic IT outage of recent months, in which a simple software update released by a technology company caused Microsoft’s Windows operating system to crash.
Multiple banks, payment companies and investment firms, from JPMorgan and Santander to Visa and Charles Schwab, saw their services become unavailable because of that outage. It took several hours for the companies to restore service to consumers.
In the future, such incidents will fall under the category of service interruption and will face scrutiny under upcoming EU rules.
Mike Sleightholme, president of fintech firm Broadridge International, noted that a standout element of DORA is that it not only looks at the steps banks are taking to ensure resilience, but also keeps a close eye on businesses’ technology suppliers.
Under DORA, banks will be required to conduct rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing related to cyber threats and vulnerabilities, and measures to manage third-party risks.
Companies will be required to assess the “concentration risk” associated with outsourcing critical or significant operational functions to outside companies.
Joe Vaccaro, general manager of ThousandEyes, a network quality monitoring company owned by Cisco, said these IT vendors often provide “critical digital services” to customers.
“These third-party providers must now become part of the testing and reporting process, which means financial services firms need to adopt solutions that help them discover and map these sometimes hidden dependencies with providers,” he told CNBC.
Banks must also “expand their capabilities to ensure that the delivery and performance of digital experiences encompass not only the infrastructure they own but also the infrastructure they do not own,” Vaccaro added.
When does the law apply?
DORA came into force on January 16, 2023, but its rules will not apply in EU member states until January 17, 2025.
The EU is prioritizing these reforms as the financial sector increasingly relies on technology and technology companies to provide vital services. This makes banks and other financial services providers more vulnerable to cyberattacks and other incidents.
“There’s a lot of focus on third-party risk management right now,” Sleightholme told CNBC. “Banks use third-party service providers to build significant parts of their technology infrastructure.”
“Extended recovery time goals are an important part of this. It’s really about technical security, with a particular focus on cyber security recovery from cyber incidents,” he added.
Many EU digital policy reforms over the past few years have tended to focus on the obligations of companies themselves to ensure that their systems and frameworks are robust enough to prevent damaging incidents, such as data being lost to hackers or other unauthorized individuals and entities.
For example, the European Union’s General Data Protection Regulation (GDPR) requires companies to ensure that their processing of personally identifiable information is done with consent and that adequate safeguards are in place to minimize the possibility of such information being leaked.
DORA will be more focused on banks’ digital supply chains – representing a new and potentially uncomfortable legal dynamic for financial firms.
What happens if the company doesn’t comply?
EU authorities will have the power to impose fines of up to 2% of global annual revenue on financial companies that violate the new rules.
Individual managers may also be held responsible for violations. Sanctions against individuals within financial entities may be up to €1 million ($1.1 million).
For IT vendors, regulators can impose fines of up to 1% of global average daily revenue for the previous fiscal year. Companies may also be fined daily for up to six months until they achieve compliance.
Third-party IT companies deemed “critical” by EU regulators could face fines of up to €5 million, or up to €500,000 in the case of individual managers.
This is slightly less stringent than laws such as GDPR, under which companies can be fined up to €10 million ($10.9 million), or 4% of their annual global revenue, whichever is greater.
Carl Leonard, cyber security strategist for Europe, the Middle East and Africa at security software company Proofpoint, stressed that criminal sanctions may differ in different member states, depending on how each EU country applies the rules in its own market.
Leonard added that DORA also calls for the “principle of proportionality” to be followed when imposing penalties for breaches of the legislation.
This means that any response to a legal misstep must balance the time, energy and money companies spend on enhancing internal processes and security technology against the importance of the services they provide and the materials they are trying to protect.
Are banks and their suppliers ready?
Stephen McDermid, EMEA chief security officer at cybersecurity firm Okta, told CNBC that many financial services companies have prioritized leveraging existing internal operational resiliency and third-party risk programs to comply with DORA and “identify any gaps they may have.”
He added: “The purpose of DORA is to bring the many existing governance schemes into line and harmonize them across the EU under a single supervisory authority.”
Fredrik Forslund, vice president and general manager of international divisions at data cleansing firm Blancco, warned that while banks and technology vendors have made progress in complying with DORA, there is still “work to be done.”
On a scale of 1 to 10, with 1 being non-compliant and 10 being fully compliant, Forslund said, “We’re at a 6 right now and we’re working towards a 7.”
“We know we have to get to 10 by January,” he said, adding, “Not everyone is going to get there by January.”