Posted By Jessica Weisman-Pitts
Posted on November 9, 2022

By Alexandre Vandeput, ICT Risk Lead, Capco
The abundance of virtual data, so integral to the financial services industry, presents some clear dangers to the safety of our money and personal information. At a time when digital vulnerabilities could lead to serious and potentially widespread disruptions to banks’ own systems, regulatory bodies are increasingly focusing on mitigating digital risk in financial services.
Regulators face a tricky balancing act of ensuring new legislation protects consumers and businesses alike, yet prevents financial innovation from being stifled. The European Union’s answer to this conundrum is the Digital Operational Resilience Act (DORA), which will introduce a common set of standards to mitigate digital risks across the financial sector, and ensure the necessary measures are in place to protect against cyberattacks and other sources of disruption.
Exploring DORA
DORA seeks to promote important goals such as data sharing and open finance while maintaining the EU’s very high standards on privacy and data protection. The legislation is expected to pass into national law across the Continent before the end of 2022. While there will be a 24-month grace period to allow firms to comply with the new regulations, there are clear ‘first mover’ advantages for those financial services firms who use DORA as an opportunity to decisively embrace the digital revolution.
Firms that act quickly to ensure they are DORA-compliant will benefit from the enhanced data security the regulation mandates. As it stands, just half of the largest insurance companies in Europe are prepared for the level of testing that is required by DORA. Businesses that have not yet begun to scale up their Threat-Led Penetration Testing (TLPT) capacity in line with DORA will struggle to be compliant in time. This will necessitate a diversion of time and resources to scale up testing capabilities. Companies that instead opt to rely on third-party consultants to ensure they meet DORA regulations will likely find that they struggle to meet the high standards at the regular three-yearly testing periods required by the Act.
DORA requires firms to address cybersecurity-related vulnerabilities alongside disparities concerning operational resilience requirements, reporting and testing shortcomings, and the current lack of joined-up oversight of third-party providers. Similar to forthcoming FCA regulations in the UK, DORA is also concerned with the current concentration risks attached to a majority of financial institutions and service providers using a small pool of mostly US-based Cloud Service Providers (CSPs). If one provider fails, a company or industry sector could see its infrastructure critically affected. DORA requires companies to ensure they are not disproportionately vulnerable to failures of CSPs and other Critical Third-Party Providers (CTPPs).
There is an increasing number of interconnected digital service providers supporting financial services. Currently, these providers do not have to comply with the same strict rules as financial institutions, which increases the risk of digital problems. So-called critical third-party providers, who deliver key services and support and who were not previously required to comply with existing regulations, will now have to shift up a gear under the principle of “same activity, same risk, same rules”. CTPPs, who have come under fire from EU and UK regulators this year due to concerns around concentration risk, do not have the same high-level risk management systems in place as financial services institutions, leaving them with a significant challenge ahead to become compliant.
Don’t delay – address vulnerabilities now
The ultimate objective of DORA is to help cement Europe’s position as a global leader in digital financial services. The modernisation of risk management frameworks and sharing of data amongst financial services firms in EU member states augments the industry’s ability to mitigate the risks of malware and ransomware. The harmonisation of reporting standards is a boon to multinational firms that have previously had to operate across disparate reporting standards in their different countries of operation.
While further clarity is needed on some of the more technical aspects of DORA, certain key first steps can certainly be taken today. As a first step, financial institutions should focus on identifying and addressing their digital risks. One approach is to use systems that can detect non-standard or unexpected activity, enabling them to identify areas where they can maximise the resilience of their digital structures.
Firms can do this in multiple ways. One is to ensure that a robust Information Security Management System (ISMS) is in place. This presents the opportunity for firms to secure their most critical assets: for example, by augmenting their supply chain risk management processes, or by improving their digital resilience testing capabilities by carrying out periodic ‘intelligence-led’ penetration testing (whereby critical systems are subjected to techniques deployed by sophisticated cyber criminals).
Such assessments of potential weaknesses within a firm’s own business – and that of its third-party digital service providers – will allow risks to be identified and the effects of cyberattacks mitigated. Firms should also focus on defining the range of assessments, test scenarios, methodologies, practices, tools and external parties needed to support the digital operational resilience testing programme. Senior management engagement and active participation is also critical – among the biggest mistakes a firm and its leadership can make is to treat this as merely a tick-box exercise.
While DORA will undoubtedly be seen by some as yet more red-tape hampering the success of a hugely profitable industry, those financial institutions who recognise the value inherent to improving operational resilience standards can use it as a catalyst to build more robust digital services and embrace the regulation, rather than fear it.