
Navigating DORA: How Financial Services Must Adapt to New Regulatory Demands

Simon Crocker, Systems Engineering Director at Palo Alto Networks

The financial services industry is at a juncture. On the one hand, it is at the forefront of implementing new technologies, such as open banking and cryptocurrencies. On the other hand, the rapid adoption of these new technologies has significantly increased the risk of cyber attacks. The huge volume of data and transactions processed by these entities makes financial institutions an appealing target for threat actors, who are constantly developing new tactics to gain unauthorised access to financial institutions and further disrupt the industry.

Financial services organisations are frequently targeted by attackers who exploit API flaws, launch distributed denial of service (DDoS) attacks, and use phishing, social engineering and malware. Recent research by Unit 42, Palo Alto Networks’ threat intelligence arm, showed that financial services firms are the most vulnerable to business email compromise (BEC) attacks, accounting for approximately one-fifth of all BEC incidents, with each data breach costing organisations on average £3.48 million a year. Today, the issue has become so widespread that even supranational organisations are attempting to mitigate the impact of ransomware attacks on financial institutions.

The EU, as the world’s largest regulatory bloc, implemented the Digital Operational Resilience Act (DORA), which will go into effect in 2025. Since its release, DORA has prompted enterprises in the industry to consider how the new legislation would affect British financial institutions and if they are prepared.

Getting ready for DORA

The primary goal of DORA is to ensure that governance, rules, and frameworks related to digital resilience are incorporated into a comprehensive strategy that applies to financial organisations.

This necessitates a change in roles, meaning that the Executive Committee and CEOs will now primarily be in charge of defining this approach and holding each other accountable.

Digital resilience should be a top priority for financial organisations, given the concerted approach required towards developing this, as well as the close collaboration needed between departments. This is a critical step towards ensuring financial institutions are compliant with the new regulatory framework.

As a result of DORA, financial institutions will come under increasing scrutiny from regulators, and both banks and the technology companies that provide services to them will be required to demonstrate that their procedures and services are resilient. But why do financial institutions need to demonstrate their resilience in procedures and services?

They will have to demonstrate their procedural resilience due to the legislation’s broader need for stronger defences against widespread fraud and cybercrime. For example, cyberattacks increased by 38% in 2022, and in the first quarter of 2023 alone, the United Kingdom lost more than £53 million as a result of online banking fraud occurrences.

In a world where financial crime is on the rise, DORA will require financial companies to strengthen their defences and resilience against possible threats.

The Act’s financial impact: What businesses need to know

Becoming digitally resilient may be challenging for certain players. While DORA would result in a more robust market, businesses are understandably apprehensive about the financial repercussions of the legislation.

Some organisations have voiced concerns about the potential impact of DORA on innovation and competitiveness within the financial services sector, as well as compliance costs and operational disruptions during implementation and alignment with existing cybersecurity frameworks. In addition, organisations will also need to consider how to tackle challenges related to data protection and privacy, as well as the need for skilled cybersecurity personnel.

The maturity and complexity of governance in any financial services company is likely to affect how it complies with DORA. For instance, companies with lower maturity profiles and less of a competitive edge in the market may need to invest more resources to meet DORA’s requirements. This is because, unlike their more mature counterparts, their core competencies are still being developed, as are their relationships with suppliers and partners (where often much of the cybersecurity risk lies), and they often lack the necessary cybersecurity skills internally. At every maturity level, it is vital for senior management to conduct thorough evaluations of the current state of cyber resilience in the business, identify any existing gaps, and allocate the appropriate resources for compliance.

Why immediate action is crucial for the sector

While DORA outlines regulatory measures for EU companies, many of them have their headquarters or operations in the UK. According to Mayer Brown, failing to meet DORA’s requirements could mean that British financial institutions with operations within the EU sacrifice a portion of their customer base. EU-headquartered institutions with operations in the UK will want to ensure they implement the regulatory requirements across their entire operations to avoid potential fines.

Enhancing operational resilience in the financial sector is crucial for safeguarding the interests of consumers and maintaining the stability of financial markets. DORA’s provisions aim to minimise the impact of disruptions on consumers’ access to financial services and prevent systemic risks that could arise from operational failures within individual institutions.

The upcoming implementation of DORA is a turning point for the financial services industry, pushing companies to emphasise digital resilience and executive responsibility. While compliance may require a large expenditure, early adoption is critical to reducing long-term expenses.

Global enterprises must anticipate DORA’s ramifications beyond EU boundaries to ensure ongoing compliance and operational resilience. Ultimately, DORA provides a chance to strengthen defences, protect consumer interests, and maintain financial market stability in an increasingly digital environment.
