The Digital Operational Resilience Act (DORA) is expected to strengthen the cyber resilience of financial firms in the EU.
It will help them standardize their cybersecurity framework and support resisting, monitoring, and responding to cyberattacks so that business disruption is minimized. It is also intended to speed up the resumption of business-critical operations after a major cyber incident. Compliance with DORA will require financial institutions to change the way they currently operate, with senior management becoming active stakeholders in raising cyber maturity and preparedness. The regulation focuses on incident management and reporting, continuous monitoring of third-party ICT providers, business continuity, disaster recovery, and regular independent audits by competent professionals. Adherence to DORA will therefore entail continuous monitoring and periodic assessments on the part of financial firms.
The proliferation of digital transformation programs has expanded the attack surface of financial firms, and cyberattacks have grown with it. At the same time, adoption of cybersecurity frameworks has been inadequate and uneven. Against this background, the need to protect customer trust, the administrative cost of divergent national rules, and the lack of a uniform approach to notifying cybersecurity incidents are the key drivers behind DORA. The legislation removes existing inconsistencies in how cybersecurity controls are deployed and operated and in how threat information is shared.
In an enterprise, the deployment of new initiatives such as DORA will require senior management support and an adequate budget.
The organization will also be required to develop a governance framework and a business oversight process that limit the damage caused by internal and external cybersecurity threats. Figure 1 illustrates a set of prerequisites for the successful deployment of DORA.
Among the primary operational objectives of any financial institution are keeping critical business services running and minimizing downtime.
Financial institutions also aim to maintain the trust of customers, stakeholders, vendors, and business partners. DORA prescribes a set of goals that are compatible with these organizational objectives; they are depicted in Figure 2. Operational resilience is not achieved in a short period of time. It requires a sustained approach: deploying business process documents and standards, implementing adequate IT governance, risk, and compliance (IT GRC) controls, monitoring those controls, remediating deficiencies, documenting lessons learned, and improving business processes over the long term. DORA establishes a single set of rules for financial institutions across the EU.
The senior management of financial institutions must approve the assessment and implementation of DORA.
The first set of activities will include reviewing the existing business processes and policy documents, creating standards and standard operating procedures, and performing a gap assessment against DORA's requirements. Figure 3 illustrates the initial document assessment phase and a matrix mapping internal documents against DORA requirements.
In our view, the critical domains to be assessed for DORA are represented in Figure 4.
Under DORA, financial institutions in the EU will be required to deploy a standardized cybersecurity framework.
This will reduce compliance costs and help financial institutions withstand security incidents. It will enhance voluntary sharing of information and intelligence regarding cyber threats between trusted communities of financial institutions within the EU.
DORA will be binding in its entirety in all EU member states. However, financial institutions may face challenges in obtaining adequate budget allocations from executive management to implement the legislation's requirements. Financial organizations face stringent timelines to introduce the mandatory obligations that regulators require as part of their DORA preparedness. In this situation, replacing manual assessments with an automated approach where possible supports a consistent methodology, resilience, and faster recovery from cyber threats. Rolling DORA out across the various branches of a financial entity through a centralized approach will also be challenging. Once the gap assessment is completed, financial institutions must mitigate the identified gaps and complete remediation and mitigating measures within the adoption period. Institutions identified by the European authorities must additionally undergo advanced, threat-led penetration testing (TLPT) conducted by competent cybersecurity professionals. During this exercise, mimicking real-life threat actors attacking critical services on the live production environment is a central requirement of DORA, so the scope, rules of engagement, and safeguards for production systems must be agreed in advance.
Many developed and developing countries have defined their own cyber resilience frameworks.
They have done so to protect critical infrastructure and to enable financial service firms to detect and respond to emerging cybersecurity threats. DORA's requirements will provide additional guidance to other jurisdictions seeking to enhance their cyber resilience capabilities, helping them protect information and communication technology (ICT) systems and strengthen customer trust in financial services. Financial institutions in the EU must continuously watch for amendments to DORA and the technical standards issued under it, and implement them. DORA is not a one-time engagement: it is an ongoing exercise that will require periodic review, annual testing, continuous monitoring, and continuous improvement on the part of financial services firms.