Financial institutions cannot say that they have not been warned. DORA came into force last January and will apply from January 2025. But as Rob Dartnall, CEO of SecAlliance, writes in an opinion piece for RBI, DORA is not new.
What is DORA?
DORA combines a lot of the existing regulations, guidelines, and common practices that were already in place, especially for banks. Guidelines and regulations relating to digital operational resilience and cyber resilience are currently scattered across numerous pieces of law, regulations and supervisory practices. DORA brings everything together in one piece of legislation. The aim is to reduce complexity and confusion, and to set out what is expected of the financial sector in the field of digital operational resilience.
Summarise DORA in one sentence
It is an attempt to ensure that businesses are resilient enough to withstand a cyber-attack by improving the resilience of both individual entities and the sector as a whole to bolster financial stability.
How will DORA be monitored?
In a word: rigorously. This is no box-ticking exercise. DORA will be policed with much greater diligence than existing disparate regulations. Ongoing assessments of compliance will take place at regular intervals.
Why is there a need for DORA?
To state the obvious, financial institutions are increasingly under threat from cyber-criminals. Financial institutions' corporate and customer data is an attractive prospect for criminals. Any breach is hugely damaging for public confidence in financial institutions. And again, to state the obvious, it is hugely damaging to the financial institutions impacted in terms of financial loss, adverse publicity and the time taken to recover from any breach.
What does DORA cover?
Companies need to know that DORA covers Information and Communication Technology (ICT) risk management, ICT-related incident reporting, digital operational resilience reporting, ICT third-party risk and information sharing.
Within financial services, what sectors will be covered by DORA?
The quick answer is think of a sector and it is impacted. So, banks and credit institutions are covered by DORA. The same applies to payment institutions, e-money institutions and asset management. And it also covers issuers of crypto assets, insurers and reinsurers.
Dartnall adds: “It also addresses critical third-party service providers, such as the big cloud service providers like Amazon and Google. Today, more and more financial entities rely on cloud service providers, especially the larger ones.”
What happens next?
The European Supervisory Authorities draw up warnings and recommendations for risk mitigation in the financial sector. They are affiliated with the European Central Bank and so are well placed to refine the regulatory and technical standards to be applied.
What should financial institutions be doing?
In brief, act now and do not wait until January 2025. DORA is likely to provide a ready source of new commissions for leading IT consultancies. One such consultancy, Northdoor, neatly summarises some of the steps that financial institutions need to take.
AJ Thompson, Chief Commercial Officer at Northdoor, says: “Companies need to start to work now in order to ensure that they are ahead of the game. This is after all about ensuring resilience in the face of an increasingly sophisticated threat. It can only be a good thing for the financial sector to ensure the right processes are in place sooner rather than later.
“Depending on the size and perceived risk of cyber-crime to the organisation, financial companies have between a year and two years to ensure adherence to DORA. Although companies should have many of the elements already in place, the scope, regularity of scrutiny and the potential results of non-adherence make the task a daunting one for many, especially for those who have so far been unaware of the impending regulation.
“In order to ensure adherence and, more importantly, the ongoing adherence to the regulation, some are turning to IT consultancy and cyber security specialists. Not only does this take the pressure off in-house teams, but with partners able to offer whole teams of experts it means that there can be confidence that adherence is achievable.
“It is key also to remember that the whole point of DORA is to ensure that financial institutions are able to withstand a cyber-attack or IT incident. Putting in place policies and strategies that ensure adherence will as a result also ensure that companies are better protected from attack and resilient enough to carry on business even if a cyber-criminal gets through.”
What about penalties for non-compliance?
You do not want to know. Costly. The regulations are designed to ensure that impacted firms will comply. Any financial penalty might amount to the equivalent of one day of trading revenue. It gets worse. Criminal charges may be brought against companies and individuals who do not adhere to DORA.
Is there any good news?
In summary, Dartnall is upbeat. He concludes: “It’s nothing new for UK financial institutions. It won’t require a radical policy overhaul, rather some amendments.”