A DORA Regulation overview – part 1: the cyber landscape and risk management
Interviewer introduction
I’ve been looking at the public data set on the ICO website [Information Commissioner’s Office], digging into the numbers. I wanted to find out whether the financial sector – quite a heavily regulated sector that clearly holds a lot of sensitive data – was, as one might expect, securing its data better than your average UK organisation.
I was pleased to see the total number of [reported] data breaches decreasing between 2019 and 2022 in this sector: from 855 in the last three quarters of 2019 [the ICO data starts from Q2 of 2019] to 648 in the same period of 2022 – a 24% drop.
However, I was startled to see the sharp rise in cyber incidents: from 143 in the last three quarters of 2019 to 285 in the same period of 2022. In other words, they’ve nearly doubled in just three years.
In fact, when digging further into the ICO data, I realised that the financial sector was the second-most attacked sector in the UK in 2022, topped only by the retail and manufacturing sector. The same was true in 2020 and 2021.
When I began combining that information with data from other sources, a worrying picture emerged. For instance, IBM found the average cost of a breach in 2023 to be $5.90 million [about €5.51 million] in the financial sector – 33% more than the average across all sectors.
I’m sitting down with Andrew Pattison, head of GRC [governance, risk and compliance] consultancy Europe, to discuss the cyber landscape for the finance sector, DORA [the Digital Operational Resilience Act], and what organisations need to do to meet their ICT risk management requirements.
Thank you for taking the time to talk to me today. Could you briefly introduce yourself?
No worries, of course. As you said, I’m the head of GRC consultancy at IT Governance Europe, and have more than 25 years’ experience in information security and risk management.
I also lead the company’s certified ISO 27001 training courses, and am leading product development relating to DORA. The aim is to end up with a good selection of products and services that will help meet our clients’ growing DORA requirements.
That’s great, thanks. Considering the statistics I’ve just talked you through, one can see why the EU felt it necessary to introduce DORA!
Well, those really were UK statistics, but that doesn’t change the fact that the finance sector everywhere is a very lucrative target for criminals. For example, I saw a recent Trustwave report that named various big EU-based banks that were breached or attacked, including the European Investment Bank, Deutsche Bank and ING Bank.
More to the point, the stakes are especially high in the finance sector. EU lawmakers realise all too well that when banking and other financial services are disrupted – whether by a malicious attacker, through a technical or human error, or for any other reason – people and organisations are affected, often at a cross-border level.
The simple fact is that, in today’s world, we heavily rely on critical infrastructure such as financial institutions to keep both economies and society at large running.
In turn, those institutions heavily depend on ICT, which is often outsourced to third-party service providers. It’s therefore important that not just the finance sector itself is resilient, but also its supply chain – which is, of course, precisely what DORA requires.
So what must organisations do to comply with DORA?
There are three core, practical considerations to this regulation: risk management, incident management and supply chain security. Some people refer to these as ‘pillars’. Either way, they drive the other, lower-level requirements in DORA.
However, we don’t know the specific technical requirements yet, which are set by the three ESAs [European Supervisory Authorities]. The drafts of these are due to be submitted to the European Commission by 17 January 2024, so we should know more by then.
However, DORA itself was published at the end of last year, and since it is an EU regulation, as opposed to a directive, it directly applies in member states, irrespective of whether they transpose it into national law.
Let’s focus on just risk management today. What do we already know about what organisations are required to do under DORA?
Well, Chapter II of DORA, titled ‘ICT risk management’, is divided into two sections: governance, and various elements as part of an ICT risk management framework.
To simplify the governance part, DORA makes the management body within the organisation responsible for implementing the required ICT risk management framework, and accountable for generally managing ICT risk.
The ICT risk management framework, at a high level, requires the sorts of things you’d expect for this type of framework, particularly for financial institutions: it must be strategic, documented and reviewed at least annually.
Could you elaborate on the ICT risk management framework requirements?
Again, we don’t know the specifics yet, and bear in mind that there are various exemptions or simpler requirements.
However, putting that to one side, DORA says that organisations must, among other things:
- Identify all relevant assets;
- Protect the confidentiality, integrity and availability of their ICT systems;
- Be able to detect potential network performance issues and ICT-related incidents;
- Implement a “comprehensive” ICT business continuity policy;
- Have measures to quickly restore systems and recover data in the event of a disruption; and
- Disclose “major” ICT-related incidents or vulnerabilities.
So how does the ‘strategic’ part you mentioned earlier come into this?
The digital operational resilience strategy really lies at the heart of the risk management pillar, and even DORA as a whole.
DORA was introduced to ensure that the EU financial infrastructure, considering its heavy reliance on ICT, can cope with the disruptions that seem inevitable when using anything ICT.
Ideally, that means avoiding disruptions altogether, but since that’s unrealistic in the current climate, financial institutions and their supply chain should aim for resilience instead. That means being able to quickly recover from disruptions, accidental or otherwise, and continue to provide an acceptable level of service during the recovery period.
So, a “digital operational resilience strategy” – those are the exact words of DORA and are, of course, closely aligned to the regulation’s name – is what this law requires, as is evident from various articles within it.
Could you give us some examples?
Sure. In Chapter II alone, DORA references the digital operational resilience strategy multiple times:
- Article 5(2)(d), under its governance requirements, stipulates that management has overall responsibility for setting and approving the strategy.
- Article 6(8) says that the ICT risk management framework must include a digital operational resilience strategy that sets out how the framework will be implemented, including methods for addressing risk and attaining specific ICT objectives. That paragraph is followed by a list of eight items the strategy must account for.
- Article 13(4) requires organisations to monitor the effectiveness of their strategy.
To wrap things up, what concrete actions should organisations take now?
Although DORA doesn’t apply until 17 January 2025, I think it’s a very good thing if organisations address their ICT risk management as soon as possible. The statistics you highlighted earlier speak volumes about the current landscape and trends.
Moreover, most organisations literally couldn’t do business if their ICT wasn’t working properly. For that matter, the same applies to the huge quantities of valuable data that organisations often hold – if they lost access to it, there’s every chance they couldn’t complete their day-to-day business activities as a result.
So clearly, organisations must treat their ICT-related products and services, as well as their data, like any other asset. In fact, they probably should be better protected than many other assets, in line with their value to the business.
To get to the point: track them in an asset inventory, then refer to that inventory when you identify, assess and respond to your risks.
Also, consider risks to the confidentiality, integrity and availability of the asset – something I do want to stress, as people often forget that security breaches don’t need to involve a malicious attacker.
Organisations could use the same methodology or approach they already use for other types of asset and risk management. So long as it produces consistent, valid and comparable results, it’ll work perfectly well for security purposes. Organisations may also find it useful to reference a best-practice standard like ISO 27005, which offers guidance on managing information security risks.
We hope you enjoyed this week’s edition of our ‘Expert Insight’ series – the first of a multi-part interview with our experts about the key DORA pillars. Part 2 will go into more detail on the incident management pillar with Cliff Martin, head of cyber incident response at our sister company GRCI Law.
Please do leave a comment below to let us know what you think of this series, and if you have any questions you’d like our experts to answer.
In the meantime, if you missed it, check out last week’s Expert Insights blog, where our data protection and cyber trainer Andrew Snow gave us his expert insights into the new UK–US ‘data bridge’.
