Our top tips for DORA compliance
With the new rules set to be applied on 17th January 2025, companies must ensure that they are ready to comply
The Digital Operational Resilience Act (DORA) has been discussed since it entered into force in January 2023. Since then, much of the debate has been about what the regulation involves and how it will impact the financial sector. DORA is designed to ensure that the financial sector is better prepared and more resilient in the face of a cyber-attack or other IT incident.
With cybercriminals constantly stepping up their efforts, both in the frequency and the complexity of their attacks, and with the sector holding some of the most valuable data available, it is clear why the European Union has pulled together DORA. There have been multiple examples over the past decade where financial sector organisations have been hit by a cyberattack or IT incident, been put out of action for some time and/or lost huge amounts of data. DORA is designed to bring some level of consistency to security and resilience practices across the financial sector.
Despite having two years to prepare for DORA’s application, some firms still have much work to do due to the scope of the task. It also appears that the regulation will be actively policed, imposing severe consequences on directors of firms that neglect to ensure cyber and data robustness.
With just months remaining until DORA is applied, what can firms in the financial sector do to ensure compliance?
Buy-in from staff and stakeholders
The key to any change in protocol or policies within businesses is to ensure that the employees are fully engaged and up-to-speed with what is required. This allows them to give feedback on how the changes impact the department.
Without staff on board, making adherence an integral part of the day-to-day business is impossible. This ‘industrialisation’ of the compliance process means businesses can ensure that they adhere to regulations. Specific team members have a better idea of their department’s risks and the day-to-day impact of changes. This is preferable to an individual or team that sits outside of the department and is somewhat second-guessing where vulnerabilities might lie.
It also means that staff feel they can raise any problems that changes are causing for their specific department. This should include all staff members, no matter their seniority. Cybercriminals will always pick the route of least resistance, and this is usually employees. By engaging with your team and explaining the threats and how to deal with them, companies can move towards adherence. Most importantly, they can keep cybercriminals out.
Treating compliance as an ongoing process
Adherence to regulation often requires a lot of effort, and once it is secured, there understandably tends to be a slight relaxation and a ‘job-done’ attitude. However, regulatory compliance should not be treated as a tick-box exercise but as an ongoing process.
DORA, in particular, appears to be constantly policed, meaning new threats must be countered as soon as they appear. The nature of the threat facing the financial sector means it constantly evolves, and companies must do the same with their adherence. By making the process part of the day-to-day business (as explained above), businesses can be more confident that they are continually reviewing and amending their processes and, therefore, more likely to adhere to regulations.
Regular process assessments and testing of policies and technology will be crucial to remaining DORA compliant.
Third-party security
Financial sector organisations have had to invest heavily in front-line defences in the face of an increasing threat from cybercriminals. In many cases, a large amount of software and technology protects sensitive data and keeps it out of the hands of criminals.
However, with such defences in place, cybercriminals are turning to new ways of gaining access. One method we are increasingly seeing is cybercriminals gaining access via third parties with links to their primary target.
This could be any supplier, and not necessarily one linked to technology. By entering via the ‘back door’, attackers bypass any budget the financial sector company has spent on its own defences.
Therefore, as part of DORA compliance, organisations must ensure that their partners’ and suppliers’ defences are as robust as their own. DORA will look at all aspects of resilience and vulnerabilities within supply chains, and these will form part of the compliance process.
Understanding security across your supply chain will be critical to DORA adherence.
Documenting all actions
With DORA likely to be well-policed, documenting any actions taken during the adherence process will be crucial. This is not like other regulations, where there is a one-off check. It is likely to be ongoing, with regulators’ check-ins coming regularly. Therefore, ensuring that there is a running record of the actions taken to enhance operational resilience will be important.
This could be records of any risk assessments, incident reports, and the actions taken as a result. This serves two purposes: it demonstrates your regulatory compliance, and it provides an opportunity to build a comprehensive record of the organisation’s cybersecurity and IT resilience efforts.
Bring in the experts
DORA compliance and ongoing cyber defence can seem daunting prospects, especially in a highly regulated sector such as finance. With IT teams struggling to keep up with day-to-day work alongside the regulatory requirements, some in the financial sector are turning to consultancies that can provide the expertise to help with adherence.
This takes the pressure off internal teams and reassures senior executives that compliance is in hand. Importantly, it also means that any cyberattack or IT incident can be quickly dealt with, keeping data safe and adherence on track.
For more information on DORA compliance tips, please contact us for a free assessment.