Enhancing Operational Resilience through DORA
In an increasingly interconnected world, where digital technologies underpin almost every aspect of our lives, the importance of operational resilience and cyber security cannot be overstated. The rise in cyber threats and attacks has prompted governments and regulatory bodies to take action to protect critical infrastructure, financial institutions, and consumers.
In the European Union (EU), one such initiative is the Digital Operational Resilience Act (DORA). Similar to the parallel-running Operational Resilience Act in the UK developed by the FCA, PRA and Bank of England, DORA aims to enhance the operational resilience of the EU’s financial sector in the face of growing cyber risks.
In this blog post, we’ll delve into the Digital Operational Resilience Act, why it’s important, and how it intends to achieve its goals.
DORA, the Digital Operational Resilience Act, was initially introduced by the European Commission in 2020 to address cyber threats and improve the operational resilience of financial institutions within the EU.
IBM Security’s X-Force Threat Intelligence Index 2023 showed Financial Services institutions as the second-most targeted by cyberattacks after Manufacturing. As these institutions play a crucial role in the stability of the European financial system, their resilience against attack is paramount.
The 5 Key Components of DORA
- Incident Reporting and Response: DORA mandates that financial firms and market infrastructure providers report significant cyber incidents to their respective national authorities. This requirement ensures timely and effective incident response and allows authorities to take necessary action to mitigate potential systemic risks.
- Risk Management: The act places a strong emphasis on risk management by requiring institutions to identify, assess, and manage the risks posed by third-party providers and their supply chains. This provision recognises the interconnected nature of the financial industry and aims to minimise vulnerabilities.
- ICT Supply Chain Security: DORA seeks to bolster the security of information and communication technology (ICT) supply chains. It imposes obligations on financial firms to assess and manage the risks associated with their ICT service providers, reducing the potential for supply chain-related cyber vulnerabilities.
- Testing and Oversight: Regular security testing and risk assessments are vital to maintaining operational resilience. DORA mandates that competent authorities carry out penetration testing and vulnerability assessments to ensure institutions are adequately prepared for cyber threats.
- Cooperation and Information Sharing: Effective cybersecurity often requires collaboration between institutions and authorities. DORA promotes information sharing among relevant stakeholders to enable a coordinated response to cyber incidents and threats.
The Cyber Resilience Challenge
Before we can truly understand the challenge that both FCA Operational Resilience and DORA pose, we must first distinguish between Cyber Security and Cyber Resilience.
Cyber Security has been a mainstay of IT budgets for many years and is concerned with detecting and preventing cyberattacks – these are the high walls organisations build to try and keep themselves safe – think Firewalls, IAM, EDR/XDR and SIEM. These technologies are great and should be part of any organisation’s cyber defences. However, given the increasing proficiency and ferocity of cyberattacks, the question for organisations of all sizes is no longer if they will become the target of a cyberattack but when – the cyber security defences need to get it right every time, whereas the attacker needs to succeed only once.
In contrast, Cyber Resilience is concerned with an organisation’s ability to recover and bring critical services back online after being attacked.
Traditionally, IT Security spending has been focused on Cyber Security rather than Resilience. Instead, many organisations have invested in Infrastructure resilience – replicated systems in HA and DR configurations. Whilst these account for both planned and unplanned outages in systems, they do not account for data corruption, which is replicated between systems along with the data.
As a result, most organisations will need to expand their cyber resilience capability when looking to achieve compliance with either DORA or FCA Operational Resilience. As the speed of recovery will be vital to achieving the required impact tolerances, traditional data protection solutions such as tape and backup appliances may not be suitable, as these are not designed to restore data in bulk quickly.
Where to Start?
As many UK firms in the financial sector will have already been working with the FCA on their Operational Resilience legislation, the good news is that some of this activity can be reused for DORA.
Creating a Data Resilience workstream – as with many other legislative requirements, complying with DORA or the FCA’s Operational Resilience requirements takes time and effort. Creating a project team with executive sponsorship will help you manage your efforts and secure the time required from the Line of Business and Technical teams.
Identification – The key to beginning either the DORA or FCA Operational Resilience compliance process is identifying your important business services – including all of the systems, processes and third parties responsible for delivering those. It’s important to take a holistic approach here – the services that are unimportant for some business users are critical for others, so having a cross-section of personas involved in the identification phase is beneficial.
Discovery – A discovery exercise based on the business services identified above will reveal the value chains that need resilience for your organisation to continue trading and protect consumers.
Set your tolerances – Decide on the maximum outage that could be tolerated for each critical business process.
Perform a GAP Analysis – between the cyber resilience that you currently have in place and the levels needed to achieve your SLA. It’s important to be precise about cyber resilience here – the ability to recover from data corruption – because replication technologies that traditionally provide high availability may not be suitable.
Validate 3rd parties – For any 3rd parties you rely on for critical services, DORA obliges you to assess and manage any risks they introduce to your service.
Once the process above has been completed, a pathway to compliance will be revealed. As there are likely to be several business services requiring action, using a scoring system to begin with the most critical or the tasks with the most comprehensive benefit will allow you to focus your team’s efforts best.
For instance, some technologies that can be introduced at the IT level – such as immutability solutions – may span multiple business services to provide point-in-time data resilience points.
Building in Cyber Resilience
Considering cyber resilience with every IT and business project going forward will ensure ongoing compliance with legislation such as DORA and FCA’s Operational Resilience requirements.
There are several key areas to address:
Automation & AI
According to the Cost of a Data Breach study by IBM Security, the most significant single factor in reducing the time to identify and the cost to remediate was AI and Automation. This is increasingly true as IT environments become ever more complex for IT and Security teams to manage, and relying on a reactive approach is no longer viable.
Look at introducing procedures to proactively check both primary and backup data sets for corruption and against known vulnerabilities.
Build a Clean Room
If the worst happens and you are the target of a cyber attack, you will want to bring data back online but not allow it to corrupt other systems. Having a clean room – an environment isolated from your main infrastructure estate – allows data restoration and validation to be carried out without risking further contamination. Allied with automation, data copies can routinely be restored to the clean room, validated and marked as clean to provide the last known ‘good’ copies of data if restoration is necessary.
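The proactive data-set checks and the clean-room validation loop described above, as an added example that is not part of the original post: each restored point-in-time copy is checked against a SHA-256 manifest recorded at backup time and held on immutable storage (catching backups altered afterwards) and against a per-file content check (catching corruption that was already present when the backup ran), and the newest copy that passes is marked as the last known good. The file names, manifest layout and ledger format are constructed for illustration.

```python
import hashlib
from typing import Callable, Dict, List, Optional

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def ledger_parses(data: bytes) -> bool:
    """Content check: every line must read 'acct=<digits>,balance=<number>'."""
    try:
        for line in data.decode("ascii").splitlines():
            acct, bal = line.split(",")
            int(acct.removeprefix("acct=")), float(bal.removeprefix("balance="))
        return True
    except (UnicodeDecodeError, ValueError):
        return False

# Per-file content validators (hypothetical registry for this example).
CONTENT_CHECKS: Dict[str, Callable[[bytes], bool]] = {"ledger.csv": ledger_parses}

def validate_copy(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Check one restore point mounted in the clean room. manifest holds the SHA-256 per
    path recorded at backup time on immutable storage: a mismatch means the backup was
    altered afterwards; a failed content check means corruption was already present."""
    findings = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append(f"missing: {path}")
            continue
        if sha256(files[path]) != expected:
            findings.append(f"hash mismatch (altered after backup): {path}")
        check = CONTENT_CHECKS.get(path)
        if check and not check(files[path]):
            findings.append(f"content invalid (corruption captured in backup): {path}")
    findings += [f"unexpected file: {p}" for p in files if p not in manifest]
    return findings

def last_known_good(restore_points) -> Optional[str]:
    """restore_points: (label, files, manifest) newest first; label of first clean copy."""
    for label, files, manifest in restore_points:
        if not validate_copy(files, manifest):
            return label
    return None

# Constructed sample: the newer restore point captured a ledger that was already
# encrypted, so its manifest matches its contents but the content check fails.
GOOD_FILES = {"ledger.csv": b"acct=1001,balance=250.00\n", "config.yml": b"mode=prod\n"}
BAD_FILES = {"ledger.csv": b"\x8f\x13\x00ENCRYPTED\xff", "config.yml": b"mode=prod\n"}
RESTORE_POINTS = [
    ("2024-03-02T02:00", BAD_FILES, {p: sha256(d) for p, d in BAD_FILES.items()}),
    ("2024-03-01T02:00", GOOD_FILES, {p: sha256(d) for p, d in GOOD_FILES.items()}),
]
```

Run routinely in the clean room, `last_known_good` gives the recovery team a pre-validated restore point rather than one chosen under pressure during an incident.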
Create an Incident Response Plan
Develop a detailed incident response plan outlining the steps to take in a cyber incident. Test and update the plan regularly to ensure its effectiveness.
Evaluate 3rd Party Risk
Proactively monitor the cyber risk of the critical third parties you rely on.
Carry out continuous threat-based testing
As with all testing – it’s only a snapshot at a particular time. Whilst traditionally, many organisations will carry out an annual penetration test for compliance purposes, with the rate of change of IT systems and expansion into hybrid cloud, the test results will be out of date almost as soon as they are completed. Instead, consider carrying out more regular attack surface monitoring, penetration testing and red team testing to see if your cyber security defences are up to scratch.
The DORA and FCA Operational Resilience Acts represent a pivotal moment in the UK and EU’s efforts to strengthen their cyber security framework. In an era marked by increasing cyber threats and vulnerabilities, this legislation should ensure the financial sector’s operational resilience, protect consumers, and maintain the stability of our financial systems.
However, planning for and achieving compliance with these regulations can be daunting. Drawing on three decades of experience, Northdoor combines business know-how with deep technical acumen to help organisations capture, store, govern, manage, protect and analyse their data assets. We would welcome the opportunity to share the cyber resilience challenge with you as an extension to your team – please get in touch to arrange an initial discussion.
Are you concerned about your operational resilience? We can conduct a gap analysis and provide a roadmap to compliance.