Understanding DORA: A Guide for Financial Businesses
The Digital Operational Resilience Act (DORA) is a transformative piece of legislation set to reshape the IT security landscape for financial entities across Europe. As financial institutions increasingly rely on digital infrastructure, the need for robust cybersecurity measures has never been more critical. DORA aims to ensure that financial entities remain resilient in the face of severe operational disruptions, safeguarding both the institutions and their clients.
What is DORA?
DORA focuses on the IT and cyber security of 20 different types of financial institutions, including banks, insurance companies, and investment firms. Its overarching goal is to enhance the operational resilience of these entities by addressing various aspects of cybersecurity and risk management.
Core Chapters of DORA
DORA is structured around five core chapters, each addressing a specific area of operational resilience:
- ICT Risk Framework:
This chapter emphasises the need for financial businesses to set up and maintain resilient ICT systems. The aim is to continuously identify and minimise ICT risks, ensuring that systems are robust and secure.
Practical implications:
Organisations are expected to already have an ICT Risk Framework in place, one that is aligned with industry best practice such as ISO/IEC 27005 and ISO 31000. Demonstrating that risk assessments are performed on a regular basis, and that they cover key aspects such as business impact, threats and vulnerabilities and the use of risk registers as part of a wider approach to risk management, will put the organisation on the right path towards complying with the ICT Risk Framework chapter.
- ICT Incident Management, Classification, and Reporting:
Financial organisations are required to establish and implement a management process to monitor, classify, and report major ICT-related incidents to competent authorities. Specific timeframes for incident reporting are outlined, ensuring timely communication of critical incidents.
Practical implications:
Classifying ICT-related incidents against a clear set of criteria, and then reporting on those incidents, are likely to be the key ingredients for meeting the requirements of the ICT Incident Management, Classification, and Reporting chapter. Adopting the typical best-practice approach to incident management, which includes 1) identify, 2) assess, 3) respond and 4) learn from incidents, and documenting this process with examples, will give an auditor confidence that the organisation has taken ICT incident management seriously.
- Digital Operational Resilience Testing:
Testing the operational resilience included in the ICT risk management framework is crucial. This chapter mandates financial businesses to conduct regular resilience testing to identify weaknesses, deficiencies, or gaps in their systems.
Practical implications:
Threat-led penetration testing is the current requirement within the Digital Operational Resilience Testing chapter. Since penetration testing is commonly used to find vulnerabilities, financial companies and their partners should use the results to demonstrate their testing process and show that they are following the rules.
- Third-Party Risk Management:
Managing third-party risks is a major focus in DORA. Businesses must assess, monitor, and document ICT third-party risk and ensure that all contracts with such parties state their obligations under the act.
Practical implications:
Identifying third parties and prioritising them based on the criticality of their services is a crucial step for financial entities. Establishing an end-to-end approach, including triage, prioritisation, and control requirements for third parties, is essential to meet the requirements of this DORA chapter. Documentation within Service Level Agreements and third-party contracts will evidence the assessment of third parties and their commitment to implementing security measures.
- Oversight Framework:
Critical ICT third-party service providers in the financial sector are likely to be required to adhere to an oversight framework, ensuring that they meet the necessary security and resilience standards.
Practical implications:
The Oversight Framework chapter is directly linked to Third-Party Risk Management and focuses on gaining assurance that control measures have been implemented by the third party. Self-assessments, invoking the right to audit, and requesting audit reports such as a SOC 2 Type II report and an ISMS Statement of Applicability (SoA) are methods organisations use to gain this level of assurance.
Considerations for Financial Businesses
As financial businesses prepare for DORA’s implementation, several key considerations should be taken into account:
Compliance: Ensure that your organisation understands and complies with the requirements outlined in each chapter of DORA. This may involve updating policies, procedures, and systems to meet the new standards.
Third-Party Risk Management: Given the emphasis on third-party risk management, businesses should enhance their processes for assuring resilience in third-party relationships. This may include renegotiating contracts to include DORA compliance clauses and conducting regular risk assessments.
Incident Response: Developing a robust incident response plan is essential. Businesses must be prepared to identify, classify, and report ICT-related incidents within the specified timeframes to comply with DORA’s requirements.
Resilience Testing: Regular resilience testing should be incorporated into the organisation’s cybersecurity strategy. This will help identify and address vulnerabilities proactively, ensuring that systems remain resilient in the face of cyber threats.
Training and Awareness: Employee training and awareness programs can play a crucial role in ensuring DORA compliance. Educating staff about the importance of cybersecurity and their roles and responsibilities under DORA can help mitigate risks.
How we can help:
CRMG is pleased to support you in your DORA compliance journey. We follow an iterative, business-focused process that ensures you achieve the level of cyber resilience required by DORA without overburdening your operational processes.
DORA represents a significant step forward in enhancing the operational resilience of financial institutions. By focusing on key areas such as ICT risk management, incident reporting, third-party risk management, resilience testing, and oversight, DORA aims to create a more secure and resilient financial ecosystem.
Financial businesses should proactively prepare for DORA’s implementation by understanding its requirements, assessing their current cybersecurity posture, and taking the necessary steps to enhance operational resilience. Our comprehensive solution integrates our data services platform and consultancy to ensure seamless compliance and bolster your cybersecurity posture.