Formalising resilience: FIs prepare for DORA
March 2023 | FEATURE | BANKING & FINANCE
Financier Worldwide Magazine
March 2023 Issue
Cyber attacks are a constant threat across the financial services (FS) sector – a threat once estimated by the Boston Consulting Group to be 300 times greater for financial institutions (FIs) than other companies.
The reason, as succinctly stated by the Center for Strategic and International Studies, is obvious: the FS sector is where the money is, and for cyber criminals, attacking the sector offers multiple avenues for profit through extortion, theft and fraud, while nation states and hacktivists also target the sector for political and ideological leverage.
In the UK, according to the Bank of England’s ‘Systemic Risk Survey Results 2022 H2’, cyber attacks are the biggest risk to the UK financial system. The survey, which polled 65 executives in the UK FS sector, reveals that 74 percent of respondents deem a cyber attack to be the highest risk in both the short and long term, followed closely by inflation or a geopolitical incident.
In addition, the number of respondents who believe their company is at high risk of attack grew rapidly in 2022, from 31 percent in the first half of the year to 62 percent in the second.
“The ever-increasing digitalisation of finance, the growing interconnectedness across FIs and third parties, and the higher number of cyber security threats bring about the need for FIs to appropriately strengthen their resilience against cyber attacks as well as potential ICT vulnerabilities,” summarises James Delaney, director of asset management regulation at the Alternative Investment Management Association (AIMA). “FIs of all sizes need to develop their own ‘security culture’ and continually enhance their cyber hygiene.”
Furthermore, there are numerous reasons the cyber security field is growing. In its November 2022 analysis ‘Cyber-attacks on Banks Devastate the Financial Sector’, Sangfor outlines the specific factors, set out below, that have made the sector’s vulnerability all the more accessible to attackers.
First, rapid digitalisation. The modern age of technology is all about convenience and automation. Everyone needs everything done immediately through faster, more accessible channels. Unfortunately, in the rush to digitalise and improve banking capabilities for clients, the FS sector has inadvertently placed a much bigger vulnerability target on its back.
Second, cloud adoption. The cloud has always been a drastic shift for most industries and the FS sector is no different. Cloud computing has revolutionised the sector and made extensive leaps in providing cost-effective and efficient IT infrastructure solutions for many companies.
Third, remote working. During and after the coronavirus (COVID-19) pandemic, many FIs have opted to shift toward remote or hybrid working models – allowing employees to work from home. This was seen as an optimum way to ensure maximum efficiency while still cutting the costs of office environments.
Lastly, weak cyber security. Naturally, a vulnerable IT infrastructure will put FIs’ entire network in jeopardy. FIs are often placed under pressure from governments and data protection groups to enact advanced cyber security measures, yet few do.
Overall, it is a mixture of all these factors that has led to the FS sector becoming an accessible target for cyber criminals, and it helps to know exactly how FIs are coming under attack.
Ransomware
One of today’s most disruptive forms of cyber attack is that of ransomware, an extortion software that can lock computers and then demand a ransom for their release. According to Sophos’ ‘The State of Ransomware in Financial Services 2022’ report, ransomware attacks against FIs have escalated rapidly over the past year.
Among the report’s key findings are: (i) ransomware attacks on the FS sector have increased, with 55 percent of FIs hit in 2021, up from 34 percent in 2020; (ii) 52 percent of FIs paid a ransom to restore data; (iii) the amount of data restored by FIs has remained constant at 63 percent across 2020 and 2021; (iv) the rate of ransom payment by the FS sector more than doubled, up from 25 percent in 2020 to 52 percent in 2021; and (v) the average remediation cost in the FS sector is $1.59m, which is above the global average of $1.4m.
“The ransomware challenge facing FS sector organisations continues to grow,” states the report. “The proportion of organisations hit by ransomware has increased considerably in 12 months, with cyber criminals succeeding in encrypting data in over half of the attacks.”
Thus, in the event of a cyber attack (be it ransomware or any other attack vector), it is essential that FIs respond quickly. Such requisite action is soon to be formalised with the advent of the European Union’s (EU’s) new Digital Operational Resilience Act (DORA).
Background to DORA
First proposed by the European Commission (EC) on 24 September 2020, DORA is part of a larger digital finance package which aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection.
In addition to the DORA proposal, the package contained a digital finance strategy, a proposal on markets in cryptoassets (MiCA) and a proposal on distributed ledger technology (DLT).
Moreover, the package bridges a gap in existing European Union (EU) legislation by ensuring that the current legal framework does not pose obstacles to the use of new digital financial instruments and, at the same time, ensures that such new technologies and products fall within the scope of financial regulation and operational risk management arrangements of firms active in the EU.
“The concept of resilience is not new in Europe,” asserts Alexandre Castaing, managing partner at Axon Advisory. “Following the global financial crisis, regulators realised that bank capital requirements, while useful for bankruptcy, were not good enough to address disaster on a large scale, the so-called insolvency domino effect.
“This led the Committee on Payments and Market Infrastructures (CPMI) to issue a set of guidance on cyber resilience for market infrastructure,” he continues. “Next came the European Banking Authority (EBA) with guidance on information and communications technology (ICT) and security risk to address digital risk in a more comprehensive way.”
Collectively, such initiatives added momentum to efforts to enhance regulation on digital resilience and ultimately opened the door for DORA – the first piece of legislation at the European level to address the topic of digital operational resilience for the FS sector.
Requirements under DORA
DORA covers a broad range of entities. Those within its scope are FIs, cryptoasset service providers and issuers, central securities depositories, central counterparties, trading venues, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance entities, as well as ICT service providers, including big tech, that serve FIs.
“A firm’s size and overall risk profile, and the nature, scale and complexity of their services, activities and operations should be taken into account when crafting new rules and regulations,” opines Mr Delaney. “We advocated for a more risk-based approach to be adopted, which means tailoring the proposed requirements of the Act to a firm’s size, systemic importance, complexity and risk profile. The FS sector covers a number of different markets, with widely differing characteristics in terms of services provided and client requirements.
“Firms will also need to balance the objective of maintaining a high digital operational resilience, the available resources and their overall risk profile,” he continues. “A proportionate approach will help to ensure that the EU remains an attractive jurisdiction for companies to invest and play a key role in supporting greater technological innovation in financial services.”
Drilling down, DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT-related services to them, such as cloud platforms or data analytics services.
The Act also creates a regulatory framework on digital operational resilience whereby all FIs need to ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats – requirements that are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.
In addition, DORA sets the bar quite high in terms of resilience testing. “Security testing will be required on a periodic basis, whether the application is exposed to the internet or not,” suggests Mr Castaing. “The regulator will also be able to request threat intelligence-led security testing. This means testing defences using offensive techniques to break in.”
Expected impacts of DORA
With DORA scheduled to go live within 24 months (in late 2024 or early 2025 at the latest), all in-scope firms have a clear timetable by which to plan its implementation, allowing them to prepare well in advance and ensure they have a seamless incident response and recovery plan in place.
Moreover, providing some incentive to comply with the Act are the risks associated with non-compliance, which include no cap on penalties for FIs and up to 1 percent of the average daily worldwide turnover for critical ICT third-party service providers.
“DORA implementation will probably vary depending on player maturity,” contends Mr Castaing. “The pace to comply is a matter of supply and demand and I expect FIs will increasingly demand from their suppliers a proper digital operational resilience plan well before DORA goes live.
“Even if there is a proportionality principle backed in the regulation, it might be difficult for small or new players,” he continues. “We can expect in the coming months a rush to perform a gap analysis and challenges ahead to define a reasonable DORA compliance programme.”
Certainly, it is likely that some of DORA’s requirements, such as the ICT risk management framework and a digital resilience strategy, will take firms additional time to develop and implement as well as require training or the hiring of new staff members.
“FIs will need to make some progress toward becoming compliance ready for the effective date in late 2024 or early 2025,” concludes Mr Delaney. “If recent months and years have reinforced anything in the area of operational resilience, it is the fact that the wide and constantly evolving variety of potential business disruptions calls for a detailed breadth of planning and preparation, particularly when it comes to ICT risk management.”
© Financier Worldwide
By Fraser Tennant