DORA, a major opportunity to ensure digital operational resilience in the financial sector
The importance and weight of such strategic sectors in the global economy as the financial sector is unquestionable. The paralysis of their activities for any reason could have serious consequences, not only for themselves, but also for many other organisations, both public and private, that depend directly or indirectly on them. These consequences, in addition to affecting small investors, could paralyse or frustrate huge international business operations with a major global impact.
These were among the reasons for the adoption in December 2022 of the Digital Operational Resilience Act, the DORA Regulation, which aims to ensure digital operational resilience. In other words, to try to achieve stability and resilience in the face of increasingly frequent security incidents throughout the financial sector. Full implementation of the Regulation will be enforceable on 17 January 2025, when DORA will become mandatory.
Dora can be applied to large entities operating globally, as well as to small and medium-sized enterprises
Six months before its full implementation, the conference 'Countdown to the DORA Regulation: how to help institutions to be prepared' brought together a group of experts at Izertis to analyse the implementation roadmap and the keys to ensure its efficiency. The event was opened by Joaquín Castellón, Director of Cybersecurity and Defence at Izertis,who reminded the audience that DORA "can be applied to large entities that operate globally, as well as to small and medium-sized companies in the financial sector" and that, therefore, there are "many different perceptions of how to face this challenge".
From the Spanish Cybersecurity Institute (Incibe), the head of the strategic financial and ICT sector, Juan Peláez, pointed out that European regulation "helps financial institutions to be able to manage all the threats or risks they encounter in cyberspace". And they do so, he added, through various instruments such as risk management, incident reporting, including less serious incidents, mandatory cyber-resilience testing, cyber threat sharing agreements and supply chain monitoring.
To put this in context, Peláez offered the figures from Incibe's Cybersecurity Balance 2023, which shows a 24% increase in cybersecurity incidents to 83,517, with the financial and tax system being one of the most attacked (25.42%), followed by the transport and energy sectors. More than 22,000 companies were affected by these incidents. Among the most frequent, the report notes that 3 out of 10 incidents are online fraud and that in the case of phishing, for example, the number detected in 2023 was 14,261. Another figure, 4,180,840 vulnerable devices were registered in Spain.
An April 2024 study by the International Monetary Fund warned that the financial sector is "highly exposed" to cybersecurity risks, with one in five incidents affecting financial institutions.
Bank of Spain
Javier Piqueres, IT expert for the Bank of Spain and member of DORA's Spanish regulatory group, gave the keynote address: "DORA is a great opportunity for the sector, not a compliance exercise because it entails making the financial sector as a whole more resilient". In his overview of the regulation's outline, the expert delved into ICT-related risk management (governance), incident reporting and classification, digital operational resilience testing (basic and advanced), third party technology risk management and information sharing agreements.
The Regulation will therefore require a risk analysis that will be the central basis of the security and resilience strategy, accompanied by a set of documented procedures to be implemented and complied with throughout the organisation.
Javier Piqueres also assured that DORA "has been implemented for a long time" and reviewed the development schedule. In closing, he also spoke of challenges and opportunities. Thus, in the area of development, he pointed to proportionality with regard to sector specificities, incident reporting deadlines, identification and monitoring of subcontractors, and criteria for intelligence providers and internal/external testers.
Regarding implementation, he stressed the national option on dual reporting of incidents to the NCA and the CSIRT, the limited timeframe for developing incident reporting procedures, the uncertainties regarding the final format of third party records and collection mechanisms, the binding nature of the entities and the governance structures themselves.
More keys
The event was closed by Laura Burillo, Head of Cybersecurity Regulations at Izertis, and María Vidal, Data Protection and New Technologies partner at FinReg360. They were in charge of giving the keys to DORA and insisting that the European regulation seeks to strengthen the cybersecurity and resilience of the financial sector. It seeks, they said, for organisations to implement an Information Security Management System (ISMS), as it is inspired by different information security standards such as ISO 27001 and ISO 22301, among others. In other words, the main objective is to incorporate security into business processes and operations.
Credit institutions, insurance companies, payment institutions, electronic money institutions, asset managers, pension funds, credit rating agencies... in other words, the vast majority of organisations in the financial sector, as well as their suppliers, must comply with the regulation.
DORA will provide organisations with important advantages, such as increased competitiveness in the market due to the added value of introducing security in operations, greater brand prestige, reduced probability of occurrence of security incidents, reduced recovery times in case of disaster, or the incorporation of cybersecurity culture in the company.
In this way, and given that the regulation establishes different requirements, from the elaboration of the procedures to the technical audit tests, Izertis guarantees its effective compliance with the global adaptation service DORA Outsourcing. It is not only about preparing institutions for compliance by improving security, but also about avoiding significant penalties.