Source: Finance Derivative

Nick Hogg, Director of Security Training, Fortra

The regulatory landscape is tightening for European banking, financial, and insurance institutions. Besides adhering to various local and global legislations, these organisations must prove compliance with the Digital Operational Resilience Act (DORA) by 17 January 2025. DORA “sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them, such as cloud platforms or data analytics services.”

This deadline will occur almost a year after the due date for PCI DSS 4.0 compliance and serves as a reminder that as the threat landscape evolves, so does the legislative one. Both DORA and PCI DSS 4.0 present excellent opportunities for financial organisations to re-evaluate their procedures for all compliance legislation and security requirements.

What can financial institutions do to ensure they are compliant?

Scoping and identifying overlap

The first step is identifying the risks faced and establishing the appetite for risk. Once these have been identified, organisations can then look at their existing policies, processes and defences to understand where existing elements can be reused or adapted to reduce the burden on the business. These steps will assist with prioritising projects and spending to ensure efficient use of resources.

Understand your environment

Having clear and consistent visibility into your infrastructure, whether on-premises or in the cloud, is essential to understanding whether something is at risk or poses a threat. Vulnerability scans, penetration testing and red team exercises are tools and techniques that help businesses identify those gaps that can be improved. Increasing the frequency of these scans and using automation to run them on a repeatable basis will help to lessen the impact on the teams involved. This increased visibility can help a company to respond to the small changes and risks swiftly. Financial organisations  must also account for the internal changes that may cause a system to break or halt. Configuration change management and file integrity monitoring can help to reveal exactly what has changed, when, and who has made the change to avoid mistakes from crippling an entire organisation.

Business continuity and resilience

While prevention is an essential strategy, organisations cannot stop 100% of compromises and preparing for when something slips through the cracks of security controls is key. All the regulatory frameworks recognise that organisations will eventually experience some compromise or downtime, so balancing prevention with response strategies is a mature approach to security and compliance.

Treat internal and supply-chain risks

It’s important to mitigate the threats to infrastructure and software that might damage resilience. A simple inattentive moment can result in an employee clicking on a malicious link or opening an infected attachment. The best way to prevent this is to make security a constant presence, both technically, and logically. Technical data loss prevention tools, as well as security awareness training can augment existing controls.

Another necessary component for mitigating these threats is focusing on the third-party supply chain, which is also a critical ingredient of DORA compliance. Businesses must get visibility into the risks from suppliers and partners, especially those from software or applications. This is best achieved with careful review to make sure that these external parties meet the standards of the hosting organisation.

Discover hidden vulnerabilities

Financial organisations must invest in vulnerability scans and pen testing to ensure ongoing compliance and solid risk management. Both are valuable tools because they give a complete understanding of the posture and the gaps. They provide valuable insights and information that security teams can leverage to strengthen compliance security and get buy-in from the executives to allocate budget and resources to implement projects. The data from these scans and tests can also become instruments to help re-prioritise tasks and projects because they provide a more representative glimpse of what could happen if an attacker exploits these risks. Pen tests and vulnerability scans can determine the real-world impacts that may not be realised in a risk assessment.

Partner with a managed service provider

Another important consideration is evaluating whether a financial organisation has the capacity to become compliant or needs to hire additional resources. Buying the tools required for security and compliance is just one step. Organisations also need to consider the ongoing administration and management that will result from these additional resources. Hiring security professionals to build a security team is hard, and organisations must provide training to retain them. This is the best time for financial companies to consider managed security services, like detection and response, or data loss prevention. A managed service provider greatly extends the existing security team and is a cost-effective approach to security and compliance.

Train your employees

Financial organisations must also focus on training their employees about security awareness. A good strategy is to focus on one topic a month and avoid overloading people with acronyms and technical jargon. The content must be relative to the employees’ day-to-day operations and provide the context required to understand why a lack of security can cause a massive problem for an organisation.

Build additional layers of defence

Training is enormously effective; however, businesses need additional layers of defence to fortify themselves against evolving threats. These technology layers can help detect phishing emails, ransomware, and malware, and prevent an attack from crippling the infrastructure, or the ability to do business.

DORA compliance is a strategic advantage

Being DORA compliant is a strategic advantage in a highly competitive world. The date for compliance with DORA will come round quickly, and companies should begin their journey today. As there is much overlap with other regulations, these institutions can orchestrate their daily activities and projects to maintain compliance and security. Taking this approach indicates that your organisation respects your customers’ needs and provides them with the safest environments possible.