Author: Donal Nugent, journalist

System disruptions, cyberattacks, phishing, smishing: these are all examples of the serious threats posed daily to businesses, financial institutions and the public, all growing in both sophistication and impact.

In 2021 a single ransomware attack on the Health Service Executive cost the Irish taxpayer some €100m directly and will ultimately see well over €500m spent on additional cybersecurity measures. A recent survey by Vodafone and Microsoft estimated that cyberattacks have cost Irish SMEs a collective €2.3bn since 2019, while the Banking and Payments Federation Ireland notes that text message scam (smishing) attacks cost victims an average of €1,700 each in the first half of 2022, with invoice fraud costing companies an average of €14,000.

The threat to financial security at an institutional level is no less severe. According to IT service provider Agio, cyberattacks are ‘now the most significant threat that investment banks face’, while the European Commission and the European Investment Bank have warned of the need for a fresh approach to keep pace with counterparts in the US, Israel and China. A recent report by McKinsey identified a particular need for banks to take ‘an effective approach to model risk management of cybersecurity solutions’.

Fresh approach

Yet, in a landscape fraught with risk, the finance industry has often lacked a unified response, with IT safeguards typically only as good as each organisation’s investment in them. It was not until 2015 that the Irish government introduced a national cybersecurity strategy, while the banking sector has only recently come to recognise the value of a public education strategy in alerting consumers to the risks of online fraud.

In 2020 the European Commission set out a fresh approach to the challenge with the publication of the Digital Operational Resilience Act (DORA), which came into force last November. A key element of the commission’s wider digital finance strategy, DORA is designed to bring about a harmonised, excellence-based approach to cybersecurity across the EU by setting out uniform and exacting requirements for network and information systems security in businesses working in the financial sector. Any expectation of a box-ticking exercise is quickly rebuffed by the act’s remit, which includes areas such as ICT risk management, incident reporting, resilience testing and third-party risk management.

Key obligations

Under the Digital Operational Resilience Act, financial entities must:

  • Adopt a comprehensive ICT risk management framework and governance structure.
  • Use a streamlined procedure to log, classify and report major incidents to the authorities.
  • Perform digital operational resilience testing, such as vulnerability assessments and network security testing, on a regular basis.
  • Regularly assess the risks arising from third-party service providers.
  • Ensure the exchange of cyber threat intelligence within the sector.

Source: KPMG

Describing the legislation as ‘the EU’s most important regulatory initiative on operational resilience and cybersecurity in financial services’, Donal Murray, a digital risk partner at Deloitte, sees implications far beyond the IT department: ‘DORA will require firms to adopt a broader business view of resilience, with accountability clearly established at the senior management level,’ he says.

Third-party focus

One notable aspect is the inclusion of ICT service providers, such as providers of cloud services, among those required to meet DORA’s technical standards. This has been described as a ‘world first’ for legislation of this kind and will put an onus on financial firms to ensure that their service suppliers are aware both of their responsibilities and of the potentially significant direct penalties for non-compliance. Compliance and the enforcement of penalties will be placed in the hands of a competent national authority, to be designated when the act is drafted into Irish law.

Significant as these developments are, Matthew Green, director of regulatory consulting at KPMG, points out that ‘DORA is one of several areas of new regulation which are being developed by the EU. There will be an ongoing introduction of new cybersecurity regulation across the financial services sector that firms will need to assess and adapt to over the next several years.’

Accountants will take note of the EU statement that ‘auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.’ However, the importance of excellence in cyber resilience can hardly be lost on any organisation with a role in finance.

Get ready for DORA

In order to prepare for the implementation of the Digital Operational Resilience Act, firms should do the following:

  • Undertake a risk-based approach to establishing a range of assessments, tests, methodologies, practices and tools proportionate to the firm’s size, business and risk profile.
  • Review incident reporting processes, specifically around identification, classification and root-cause analysis, to identify gaps against existing regulations and industry best practices.
  • Assess the services provided by third-party providers to determine if they should be subjected to additional layers of governance and oversight.
  • Review current scope and coverage of operational resilience testing procedures, including threat-led penetration testing frameworks.

Source: Grant Thornton

Shared responsibility

In terms of preparing for DORA, Green says that digital resilience needs to be recognised as a shared responsibility, and that scoping out the strategic priorities of the firm’s operational resilience programme is an important first step. ‘Firms need to understand the application, interpretation and expectation of DORA; perform a gap assessment versus those expectations; confirm these gaps are correct; and build a remediation roadmap against this,’ he says.

Time will not be a luxury in this process. ‘By Q4 2024, the relevant financial services supervisors will expect firms to be in full compliance with all of DORA’s new requirements,’ Murray says, pointing to lessons from similar legislation in the UK. ‘As supervisors’ own understanding of operational resilience increases, so too will their likely demands for firms.’

‘The growing burden of regulatory compliance’ is a phrase often trotted out in discussions around the future of the finance sector. Though DORA will certainly place fresh demands and heightened accountability on firms in the coming years, few would argue that it is anything but a necessary next step in the fight against cybercrime. DORA won’t mean every battle is won, but in an environment where the industry is always on the defensive, it should mean that no one loses through being the weakest link.