What is DORA?
Well DORA is not your favourite aunt that’s for sure but DORA is going to become pretty important to those of us in cyber security risk and compliance!
The Digital Operational Resilience Act is going to be enforceable by 2025. DORA is becoming pivotal for regulatory compliance: it is already influencing financial markets and setting the pace for how organisations must enhance their operational frameworks to maintain not only their cyber security but, ultimately, their competitiveness.
Isn’t DORA an EU thing?
Well, yes it is. But it doesn’t mean it’s not going to impact us here in the UK.
This comprehensive framework was introduced by the European Commission to bolster digital operational resilience in all EU financial entities, aiming to upgrade risk management and unify ICT requirements across the whole financial sector, as well as ensuring oversight of all third-party providers.
Whilst here in the UK we are not obliged to align with DORA, it is important to remember that if we conduct business in the EU then we will need to align and comply. However, more importantly there is an increasing need – in fact an urgent need – to develop a universal strategy of cyber resilience. So DORA will become a high priority for the UK financial markets.
What organisations is DORA aimed at?
A UK Finance News publication states that DORA envisions a “trusted community of financial entities”. DORA is aimed at financial institutions and the service providers that support them.
So should organisations really focus on DORA? Do they have to?
Essentially, if you never conduct business outside of the UK then no. But as DORA is going to become a badge of excellence in cyber security and operational excellence it would be naïve to ignore this regulation, particularly with so much emphasis on the increasing and evolving threat landscape.
What are the top 10 challenges businesses will face implementing DORA?
With any regulatory compliance, particularly when your organisation has to focus on so many regulations at once, there are going to be challenges. DORA is no exception. It is forcing businesses to address their operational resilience, and considerable time and resources are going to be needed to ensure compliance. Our top potential challenges would look like this:
Regulatory Complexity: It’s often challenging for businesses to understand long-standing regulations, let alone new ones. Interpreting the legal and technical aspects of DORA will add to that complexity.
Technical Adaptation: Your organisation may need to make technology investments in order to become compliant with DORA, including updates to cyber security technology and a review of the whole IT infrastructure.
Data Privacy & Security: This is going to be a key aspect of DORA. Organisations will need to demonstrate that they have robust cyber security measures in place to protect the data within their systems.
Operational Resilience: There is an exceedingly strong emphasis on operational resilience. Organisations will need to demonstrate business continuity and disaster recovery plans, and contingencies for any kind of disruption.
Third-Party Risk: So many financial institutions rely on third parties for the delivery of many services. Businesses will need to be able to demonstrate that they assess and manage the operational resilience of these third-party providers, which could be exceedingly challenging given the diverse nature of those providers.
Alignment with other regulations: Aligning DORA with other international or regional regulations is going to be exceedingly challenging, and maintaining consistent compliance across all of them will be complex.
Legal, reputational and cultural shifts: Businesses will need to take steps to mitigate the legal and reputational risks of non-compliance, as non-compliance with DORA can lead to severe penalties. However, in order to achieve compliance, many organisations are going to need to make drastic cultural shifts that place the focus of the entire business on operational resilience.
Reporting: There is going to be a need to collate and report on DORA compliance. Many organisations may not have the resources or the technology tooling in place to achieve this, which places a further manual burden on staff to gather the relevant information.
Resources and Costs: This leads us on to the cost of implementing all these changes and the resources required; allocating people and budget to DORA compliance is going to be expensive for some businesses!
Continuous Monitoring: For too long, proving compliance has been too ‘point-in-time’ but DORA calls for continuous monitoring of a business environment to ensure that an organisation can evolve, evaluate and adapt to threats and vulnerabilities. If organisations do not have the tech in place to continuously monitor, then they will need to implement this in order to become compliant.
How will Continuous Controls Monitoring help with DORA compliance?
There are five key pillars of DORA that financial organisations will need to comply with, and continuous controls monitoring (CCM) will support a business’s efforts under each of them:
Risk Management: Financial businesses may need to review their risk management framework. Continuous Controls Monitoring can continuously quantify and assess the risks in your organisation. Our platform can connect to your entire tech infrastructure and monitor infrastructure vulnerabilities and data security. This is a key aspect of DORA, so CCM can help organisations maintain continuous clarity on their risk exposure.
Incident Reporting: DORA stipulates that organisations must be able to respond to and report on any major ICT incident. This is broader than GDPR, which only relates to data breaches; DORA covers ANY major ICT incident. Continuous Controls Monitoring does what it says on the tin: it continuously monitors all critical digital assets, enabling organisations to detect and respond at lightning speed. Not only that, but the platform will provide detailed and comprehensive information on the what, where and when of an incident for precise and easier reporting.
Resilience Testing: DORA encourages organisations to conduct regular resilience testing to ensure they can withstand operational disruptions. CCM can automate and streamline the testing process, allowing for frequent and comprehensive testing of critical systems and processes.
ICT Third-Party Risk Management: Contracts in place with third-party technology providers may need to be varied to comply with DORA, as it very much stipulates the need to manage third parties. CCM can monitor the performance and security of third-party vendors and service providers, helping organisations ensure that their digital supply chain is resilient.
Information and Intelligence Sharing: There is also an opportunity for financial institutions to consider engaging in greater threat intelligence sharing with other financial institutions, as DORA actively addresses this. CCM solutions generate detailed, customised reports and documentation of monitoring activities which can serve as evidence of compliance with DORA’s reporting and documentation requirements, as well as supporting the information sharing aspect too.
Other benefits of continuous controls monitoring for DORA compliance:
Adaptive, resilient security: As DORA is focused on operational resilience, the CCM platform lends itself to strengthening operational resilience for any organisation. The platform can be integrated and connected to any security technology which allows organisations to be more dynamic and proactive in their cyber security measures and adjust in the event of a threat – a key aspect of DORA.
Customised dashboards: Our CCM platform in particular creates the dashboard you need to see, from operational to Board level, and aligned to any framework such as DORA. This means you can monitor your compliance and view your operational resilience status in real time, easily, enabling your organisation to make quick, informed decisions about any course of action that needs to be taken.
CCM is great for Audits: The beauty of this platform is that it is ideal for when you are audited. There is an automatic audit trail of all monitoring and incident response activities, providing a transparent record of an organisation’s efforts to maintain operational resilience, which can be valuable during regulatory audits.
Having to comply with DORA? Find out more about our continuous controls monitoring platform here.