
advantages and disadvantages for finance

by admin

While awaiting the entry into force of the European DORA regulation, Jacopo Tupac Santaiti, Cyber ​​Security Lead of Pay, explains the advantages, disadvantages and doubts of financial companies.

The financial world is close to an unprecedented revolution, led by the Digital Operational Resilience Act, better known as DORA. This is a European regulation that establishes a binding and comprehensive framework for managing information and communication technology risks in the EU financial sector. Its objective: develop a Risk Management Framework that ensures the digital resilience of financial companies.

DORA regulation: adapt internal cyber resilience systems

The Regulation will become binding and operational starting from 17 January 2025. Within less than a year, therefore, banks, insurance companies, fintechs, electronic money institutions, investment companies, spend management platforms such as Soldo and other entities in the varied financial sector will have to adapt their internal cyber resilience systems. It is, therefore, essential to start reasoned planning to prepare for this adaptation. Before doing so, however, it is essential to understand in detail what makes DORA really “revolutionary”.

For greater understanding

This is why we have examined the main keywords around which this Regulation revolves. This will serve to unravel some doubts and help understand the implications of the measures it proposes:

A European standard. With the implementation of DORA, we will have a single European regulation that will become binding for all those involved in the financial sector, leading many companies to face similar challenges and adopt common choices. However, concerns arise regarding the possibility of creating synergies and standardizing requirements, especially in the complex incident reporting process, the coordination of which may require additional time and influence incident management. In this regard, preparation will represent a fundamental step: anticipating and structuring the manageable aspects in advance will allow an organization to address only what is strictly necessary at the critical moment.


The pillars. The Regulation proposes six different “pillars”: ICT governance, ICT risk management, incident management, resilience testing, third-party risks and information sharing. These are the pillars that organizations will have to implement. Each entity will face unique challenges, considering the diversity of businesses, sizes and experience levels of the actors involved by DORA. Each pillar has its own peculiarities and its relevance in the Regulation as a whole, but those of ICT Governance and ICT Risk Management are crucial because they provide a solid structure and a reference framework for all other activities. Furthermore, their implementation is challenging because they depend on cultural and organizational change.

Different areas and skills

The adaptation. How to comply with the most imminent obligations, then? There are three main actions to take. First of all, a Gap Analysis that involves all the pillars, essential to identify shortcomings, define priorities and have a correct understanding of your organization. DORA, in fact, touches on so many different areas and skills that a Gap Analysis conducted by a single team would be limiting, given the range of skills needed. After this, it will be essential to proceed with a review of the incident reporting process and an assessment of critical suppliers, with subsequent renegotiation of the contracts with them.

A new paradigm

Resilience. One of the main novelties introduced by DORA lies in the assumption that serious incidents are inevitable in the current context. It is therefore essential to build high levels of resilience to such events into the operating model of critical functions and services, from a resilience-by-design perspective. DORA thus offers a new paradigm by introducing the concept of resilience, which necessarily contrasts with the more widespread concept of restoration/recovery of a service. DORA, in fact, shifts efforts from the management of Business Recovery Plans, which focus mainly on the post-incident phase and the ability to react to a service interruption, to the moment before: that is, the ability to withstand the incident itself.

Evaluate the effectiveness of defense strategies

The stress tests. Furthermore, to guarantee resilience, all financial operators will be subject to stress tests, already used in highly complex contexts. These tests, conducted periodically, will expose financial operators to scenarios based on the most recent and realistic threats, asking them to deal with typical intrusion and attack techniques in order to evaluate the effectiveness of the defense strategies they have implemented. This will therefore lead to more resilient services: an advantage for end consumers, who will feel greater security, and also for companies and third parties, who will be able to have the certainty that their critical services are protected and their business is more secure.


The interpretation. According to some, the technical standards issued to complete the DORA framework leave too much room for interpretation and postpone the choice of the most practical aspects to the subjective evaluation of the individual entity involved. In reality this is probably a strong point of the Regulation. Offering objective interpretations would have complicated the situation further: the group of companies involved is so heterogeneous in type and size that defining fixed rules, parameters and measures would have undermined its effectiveness and credibility. After all, the final intent is to provide a language common to all operators in the sector, and the only way to do that is to include rather than limit. From this point of view, the task of defining thresholds and rules, mostly qualitative, has been left to the RTS (regulatory technical standards).

An important change

Ultimately, even before the entry into force of DORA, fintechs like Soldo had to comply with the highest security standards required by national and supranational regulatory authorities and, at the same time, guarantee the security of their products and services. The advent of DORA will represent a further piece in this direction, accompanying younger operators towards the levels of governance maturity typical of more structured organizations. They are also given the opportunity to review their own processes from a new perspective. But above all it will offer everyone a common language, or at least an alphabet, on which to structure a more holistic vision of resilience and security.
