Strengthening Financial Services: Embracing the Digital Operational Resilience Act (DORA) for Cybersecurity Resilience
By Boris Khazin, Head of Governance, Risk & Compliance at EPAM Systems, Inc.
While concerns about market volatility, liquidity management and fintech disruption are among the many challenges financial services organizations must carefully navigate, operational resilience and cybersecurity emerge as the two most significant non-financial risks they face today. The real-world after-effects of cyber-intrusions in the financial sector extend far beyond the balance sheets; they place personal data in the crosshairs of nefarious actors, potentially compromise financial accounts, and put the stability of entire organizations in serious jeopardy. Recognizing the tremendous impact of these consequences, international legislation and regulations are finally coming into play.
How We Got Here
An examination of insurance claims reveals that cyberattacks are the leading cause of value loss within the financial sector, a jarring indicator of the overall urgency of the situation. A combination of factors, including the COVID-19 pandemic, the unstoppable shift toward digitization and the global acceptance of remote work, has set the stage for an all-out digital crime wave. The ensuing threats to operational continuity range from cyberattacks and systemic failures to data theft and ransomware, not to mention the reputational and financial harm inflicted on victimized financial institutions.
The Digital Operational Resilience Act (DORA): A Beacon of Hope
In response to the havoc wreaked by cyber thieves, a new regulatory framework out of the European Union (EU) aims to deliver financial institutions some much-needed peace of mind. Dubbed DORA for short, the Digital Operational Resilience Act explores ways to bolster the standards of digital resilience frameworks, with a particular focus on the way companies document cybersecurity incidents and manage third-party risks associated with information and communication technologies (ICT).
Officially adopted by the European Council last November, DORA urges organizations to implement comprehensive strategies to identify and effectively mitigate vulnerabilities. The legislation also stresses the significance of ICT incident reporting and advocates for the prompt reporting of cybersecurity incidents to allow for swift responses and containment measures.
DORA additionally mandates that digital operational resilience testing be conducted to ensure that systems have the appropriate security mechanisms in place to withstand cyberattacks and operational disruptions. Collaborative efforts in information and intelligence sharing are highly encouraged, as collective threat intelligence is a potent weapon in the battle against cyber adversaries.
Finally, ICT third-party risk management is a non-negotiable under DORA. As such, third-party providers must adhere to the same stringent cybersecurity standards as financial institutions to safeguard the integrity of the entire ecosystem.
An International Standard
Intent on becoming the global benchmark for operational resilience in the financial services industry, DORA has implications that extend far beyond Europe, addressing major challenges financial institutions face in protecting critical data and services for consumers around the world. The need for enhanced resilience is especially relevant in light of incidents such as the SolarWinds breach, which exploited vulnerabilities in third-party software. With its comprehensive approach to cybersecurity, DORA underscores the vital need for increased scrutiny of external partners.
Best Practices for Resilience
Along with the EU Cybersecurity Act, Cyber Resilience Act, NIS 2 and General Data Protection Regulation (GDPR), DORA is one of many upcoming EU measures designed to enhance the security and stability of operations in the financial services sector. But legislation alone will not guarantee the end of cybercrime as we know it. To minimize exposure to cybersecurity risks, financial institutions can adopt these best practices:
- Individual Awareness: Provide full-bodied training and resources that empower employees to securely operate their systems.
- Systems and Platform Security: Establish a process of diligently and consistently reviewing and enhancing security capabilities. Implement Zero Trust tenets, including practicing the least privilege principle, breaking work into smaller units, always verifying access and implementing micro-segmentation, among others.
- Ensure Business Continuity: Prioritize areas that could disrupt operations to maintain seamless functionality.
The Road Ahead
While financial institutions grapple with issues surrounding cybersecurity and operational resilience, DORA offers a holistic framework to address these matters with an emphasis on incident reporting, third-party risk management and collaborative threat intelligence sharing. The financial sector must also adopt and enact best practices, including promoting individual awareness, securing systems and making business continuity a top priority. Through this combination of regulatory compliance and proactivity, financial organizations can ensure the security of their operations and the trust of their customers.
About the Author
Boris Khazin is Global Head of Digital Risk Management/Governance, Risk and Compliance at EPAM Systems, where he is passionate about providing solutions that deliver business value and exist at the intersection of people, processes and systems.
Mr. Khazin has more than 20 years of management, consulting and product development experience in the financial services and fintech sectors. During his tenure at EPAM, he has led several GRC, business intelligence, enterprise analytics and organizational capability/maturity assessments to help clients identify, define and prioritize frameworks that guide them toward a desired future state. From this, he has developed a keen understanding of opportunities and challenges that arise when organizations adapt to change. Previously, Mr. Khazin worked at multiple financial firms, including UBS, S&P and Bloomberg. He was also an Investment Oversight Officer at TD Ameritrade.
Mr. Khazin has a Bachelor of Science in Behavioral Economics from Pennsylvania State University and an MBA from Pace University.