By Andre Troskie, EMEA Field CISO, Veeam
The financial services industry is no stranger to stringent regulation. Unlike other sectors that have scrambled to comply with legislation such as NIS2, FS organizations are comparatively diligent when it comes to data resilience and cybersecurity. Having operated under some of the strictest regulatory standards for some time, most should find DORA compliance manageable – for internal operations, that is.
Despite the confidence that many FS organizations likely have in their ability to comply with DORA audits and reporting, they can’t afford to take their eyes off the ball. DORA compliance extends beyond internal procedures, covering third-party service providers as well. It’s here where most organizations risk tripping up in the initial stages of DORA enforcement. With consequences ranging from significant fines to brand and reputational damage, it’s an issue that organizations can’t afford to overlook.
Well prepared?
Unlike other sectors that also have to comply with NIS2, financial services organizations are by necessity typically further ahead of the curve when it comes to regulatory compliance. For many, DORA’s requirements will have been about building on (and proving) the strength of the foundations already in place. The main focus of DORA efforts for financial services will likely instead be on operational resilience testing, ensuring internal awareness of different scenarios and their risk impacts.
Most financial institutions and banks will have felt confident in their scenario-based testing and, by extension, their compliance with DORA when the deadline passed this January. And if the scope of DORA didn’t extend beyond internal organizational compliance, they would be right. Unfortunately for most, DORA extends to cover all of an organization’s third parties and supply chains – creating the risk of a pretty large potential blind spot.
Time to put the work in
Financial services organizations can do all the work they want ensuring internal compliance with DORA, but unless their third-party and supply partners are also compliant, they will fail regardless. And these are no small stakes. According to EY’s Global Third-Party Risk Management Survey, in the US alone, 98% of financial services organizations have partnerships with third-party vendors. Although they may not realize it, third parties are one of the biggest risks to FS organizations when it comes to DORA compliance.
Sadly, there is no quick fix. At the very minimum, every bank and financial institution in every EU Member State that falls under DORA is going to have to renegotiate many Service Level Agreements (SLAs) with existing and new third-party partners. Financial services organizations can’t afford to be under any illusions: this will be a necessary but significant piece of work. Cementing DORA compliance as a prerequisite for third-party partners will be essential for the organization’s own continued DORA compliance, but it will require collaborative work from across the business. Security, risk management, and legal teams will all need to band together to pull this off.
DORA’s double-duty for data resilience
Of course, even having DORA compliance confirmed amongst your third-party providers won’t make your organization completely invulnerable to cybersecurity threats. But it will stand you in good stead when it comes to recovering from an attack. After all, regulatory compliance has never equaled complete security. DORA is more of an exercise in operational resilience improvement, which is a key piece of the puzzle for recovery from cyberattacks.
But this doesn’t mean that compliance should be an afterthought. For financial services organizations to achieve compliance with DORA and secure their third parties, they’ll need to dedicate around-the-clock attention. It’s not a one-and-done deal; it will be an iterative and continual process to achieve compliance consistently across all providers. That is, if they want to avoid the chaos that 11,000 Starbucks stores dealt with when their third-party cloud provider was taken out by a ransomware attack last winter.
Sure, it’ll require a significant amount of resources to completely map out all of your third-party providers and introduce those contractual safeguards, but it’ll serve double duty. Not only will you ensure compliance, but you’ll also cement robust data resilience as a backbone of your organization’s incident response plans. Last year alone, the cost of downtime for financial services organizations was $152 million. So, if the worst does happen, you’ll want to be able to bounce back as quickly as possible or face adding to that number this year.
There are of course other benefits to compliance, primarily avoiding the consequences of non-compliance. DORA in particular comes hand in hand with European Supervisory Authorities (ESAs) that will regularly check for compliance and hand down any relevant repercussions. For financial services, if their external critical software providers don’t comply in time, they could face anything from a fine of 2% of their annual turnover to criminal charges.
So yes, DORA compliance can’t bulletproof you against every threat out there, but being able to prove that everything is in place and that it all works within the defined time frames will set you up to recover as swiftly as possible from cyberattacks. And, perhaps more prudently, it’ll prevent you from incurring any of the severe consequences attached to non-compliance. Organizations need to step it up a notch when it comes to DORA compliance and, most importantly, ensure their third parties are along for the ride.