Strengthening DORA Compliance with IBM Solutions

20th November 2023 | Blog | Tom Richards

Leveraging IBM’s Solutions for DORA Compliance

The financial services industry increasingly relies on digital technologies to drive innovation and improve operational efficiency. However, this growing reliance on digital services exposes financial institutions to new risks and vulnerabilities, making cyber security and operational resilience crucial for their business strategies.

The European Commission has introduced the Digital Operational Resilience Act (DORA) to address these challenges. DORA aims to establish uniform requirements across the European Union (EU) to improve cyber security and operational resilience in the financial sector.

This article will explore the key components of DORA and how IBM’s solutions can help organisations achieve DORA compliance and enhance their cyber security and resilience capabilities.

Introduction to Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is part of the European Commission’s Digital Finance Package, which seeks to enhance the digital transformation of the financial services industry while addressing the associated risks. DORA is set to come into force on 17th January 2025 and aims to establish harmonised regulations across EU member states. Its overarching objective is to improve the cyber security and operational resilience of all regulated European financial entities and their crucial third-party service providers in ICT-related services.

The need for DORA compliance

The need for DORA is evident as digital innovation in the financial sector has surged recently, fuelled by the rise of fintech companies. However, this increased digitisation has also made financial entities vulnerable to disruptions and cyberattacks.

The Dutch National Bank reported that over 15% of Dutch pension funds and insurers experienced significant financial damage in 2021 due to security incidents and data breaches. Additionally, over 5% of institutions fell victim to successful cyberattacks during that period. To mitigate these risks, DORA aims to strengthen the financial sector’s resilience by introducing specific and prescriptive requirements applicable to all EU financial institutions.

Board accountability for IT Risk

DORA mandates that the board of financial institutions is accountable for IT risk management. CEOs and board members must prioritise cyber security and operational resilience and ensure that appropriate governance structures are in place. This includes establishing clear lines of responsibility, allocating resources for cyber security initiatives, and actively participating in the decision-making process related to risk management.

It also includes educating Board members about the threats and challenges facing organisations.

Failure to comply with DORA regulations can subject these board members to substantial fines or even prison time. Ignorance is not a valid defence. DORA mandates that board members are well-informed about the threats confronting their organisation.

Key Pillars of DORA

DORA is structured around five key pillars that collectively contribute to the overall cyber security and operational resilience of financial entities. These pillars encompass various aspects of risk management, incident reporting, third-party risk management, and operational resilience testing. IBM’s suite of solutions is tailored to streamline the compliance process.

  1. Information Communication Technologies (ICT) Risk Management & Governance

Under DORA, financial entities are required to implement effective risk management measures and establish ICT governance and control frameworks. They need to quantify and prioritise top risks, document these risks within a comprehensive ICT risk management framework, and periodically review and audit the framework’s effectiveness.

Financial entities can turn to IBM Consulting for assistance in quantifying risks, establishing robust governance models, and implementing automation technologies for monitoring and control.

IBM’s software solutions enable financial entities to automate data discovery and governance, ensuring compliance and reporting regardless of where the data resides. Financial institutions can enhance their risk management capabilities through these solutions and strengthen their overall cyber security posture.

  2. Incident Reporting & Sharing

Financial entities must establish processes and procedures for detecting, classifying, managing, and responding to security incidents. DORA emphasises the importance of stakeholder communication and response plans in mitigating the impact of cyber breaches.

IBM offers a range of solutions to aid financial institutions in incident management. IBM Security Consulting’s X-Force provides services for detecting and recovering from security incidents, including managed detection and response. IBM Technology offers solutions such as Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) to help organisations respond to cyber threats effectively. IBM Control Desk and Maximo application suite enable organisations to manage and report critical incidents appropriately. By leveraging these solutions, financial entities can enhance their incident response capabilities and minimise the impact of security incidents.

  3. Management of ICT Third-Party Risk

DORA requires financial entities to incorporate ICT third-party risks into their overall risk management frameworks. Entities are expected to monitor third-party contractual arrangements and enable oversight of ICT third-party service providers by European Supervisory Authorities (ESAs).

IBM Consulting provides supply chain and third-party risk management services, as well as security awareness training. IBM Managed Security Services offers tailored services to assess, monitor, and document ICT third-party risks.

IBM’s technology solutions, such as IBM Data – OpenPages, help financial institutions identify, manage, and monitor regulatory compliance related to third-party risks.

The IBM Cloud Framework for Financial Services, integrated into IBM Cloud for Financial Services, offers unique capabilities for managing third- and fourth-party risks. By leveraging IBM’s risk management and security expertise, financial institutions can effectively address ICT third-party risks and strengthen their resilience.

  4. Operational Resilience Testing

DORA mandates that financial entities establish, maintain, and review a digital operational resilience program. This program should include testing the efficiency of the risk management framework and measures in responding to and recovering from various ICT incident scenarios.

IBM Consulting’s X-Force Red services offer penetration testing and vulnerability testing to identify and remediate security flaws, including those related to third parties.

IBM Security QRadar SOAR automates incident response, enabling security teams to respond to cyber threats confidently.

IBM’s infrastructure solutions, including IBM Power, zSystems and IBM Storage, provide flexible on-premises and cloud-based options for conducting resiliency testing and ensuring the availability of critical workloads during incidents. By leveraging these solutions, financial entities can enhance their operational resilience and minimise the impact of disruptions.

  5. IBM Infrastructure Solutions

IBM’s infrastructure solutions play a crucial role in supporting financial institutions’ cyber security and operational resilience efforts. IBM Power, zSystems, and IBM Storage provide robust and secure infrastructure options, enabling financial institutions to host critical workloads and ensure the availability of services.

IBM Cloud for Financial Services offers a secure and compliant cloud environment tailored to the needs of the financial sector. This platform provides advanced security features like encryption and access controls to protect sensitive data and ensure regulatory compliance. In addition, features such as CyberVault on IBM Storage keep immutable copies of critical data on the primary storage array, giving instant restore capability in the case of data corruption. By leveraging IBM’s infrastructure solutions, financial institutions can establish a strong foundation for cyber security and operational resilience initiatives.

Does DORA compliance apply outside of the EU?

DORA is a regulation specific to the European Union (EU). However, even if your organisation is based outside of the EU, it may still be affected if you have offices within the EU or provide services to a financial institution that operates within the EU.

For instance, if your organisation is located in the United States and provides services to a U.S.-based bank that also operates in the EU, you could be impacted in some way.

While DORA is not yet established as law in the UK, it is likely to apply in the near future, as authorities have hinted at its adoption into UK law.

Regardless of your organisation’s location, whether within the EU, UK, or elsewhere, it is essential for all businesses to assess whether they fall under the scope of DORA and to determine the necessary actions for compliance. For those directly affected, complying with this new regulation will require a substantial amount of effort.

Conclusion

The Digital Operational Resilience Act (DORA) is a significant step towards enhancing cyber security and operational resilience in the European financial services industry. Financial entities must comply with DORA’s regulations to strengthen risk management, incident response, third-party risk management, and operational resilience capabilities.

To prepare for the implementation of DORA, it is important to conduct a thorough cyber security assessment and to implement new technologies and tools that can help to mitigate the risk of cyber attacks.

Northdoor’s DORA Assessment Workshop will help you gain visibility into threats and how they will impact your organisation in the coming years.

IBM offers a comprehensive suite of solutions and services to assist financial institutions in meeting DORA’s requirements and improving their cyber security posture. By partnering with Northdoor and leveraging IBM’s expertise and innovative technologies, financial entities can navigate the complexities of DORA, establish robust cyber security measures, and ensure the resilience of their operations in an increasingly digitalised and interconnected world.

Contact Northdoor to sign up for our exclusive DORA Assessment Workshop. Our experts are ready to guide you through the regulatory landscape and help you build a secure and resilient future.
