DORA will apply to a wide range of financial entities, from banks to insurers and investment firms, but also their critical technology suppliers, bringing IT firms within the remit of financial regulators for the first time. Many of those in scope may not be ready.
The imperative for DORA is clear. The extent to which financial services businesses rely on technology, particularly as digital transformation, leaves them vulnerable to failure in the event of a serious cyber attack, potentially leading to systemic problems. The European Commission’s data suggests attacks on financial institutions rose 38% during the Covid-19 pandemic.
Still, securing digital resilience is not straightforward. And while the DORA regulation, agreed upon provisionally by the Council of the EU and the European Parliament in May, will need to be implemented individually by the EU’s member states, time is starting to run out to prepare for compliance. The new regime is likely to be up and running by 2024, with significant penalties for compliance failures, including the potential for a fine of up to 1% of the business’s turnover. Reputational damage and erosion of customer trust could be even more expensive.
Where should the focus be as compliance work accelerates? There are three areas in particular that many businesses will find especially challenging:
Risk managementThe risk management regime in DORA will require firms to have robust and resilient processes for managing their IT assets. But many organisations currently lack a clear view of what those assets include. Visibility of the endpoints in their systems has diminished over time as their networks have expanded and become more complex – and as staff have moved to remote working. Real-time visibility is especially lacking. |
Network SecurityThis includes penetration testing and vulnerability assessment. Under DORA, firms will have to set out how to monitor and manage their IT assets' vulnerability on an ongoing basis. And while many firms are already doing this work on their most critical assets, this typically falls short of the comprehensive and systematic assessment that the new regulation requires. Remedying the shortfall may not be straightforward. |
Threat intelligence sharing.DORA requires firms to share more intelligence about cyber threats and other dangers than ever before. Very few organisations are currently set up to share such intelligence at the level of detail required, including technical data and high-level information. |
Closing these gaps may require significant remedial work and a move to cyber solutions that provide the functionality required for DORA compliance. And financial services firms must be confident their third-party suppliers are making the same effort.
For chief information security officers (CISOs), the stakes are high. Board awareness of DORA is beginning to increase, prompting senior leaders to ask demanding questions about their cyber security functions. External scrutiny is mounting up, too, as regulators prepare for full-scale implementation. The countdown to compliance has begun.
The role reports to the President and provides executive, administrative, and development support. The Director of the Office of the President serves as the primary point of contact for internal and external stakeholders on all matters pertaining to the President, serves as a liaison to the Governing Body and senior leadership team when required, and oversees internal and external communications for...
The purpose of this role is to lead the strategy, operational planning and management of the Institutional Research & Data Analytics operations, activities, and staff. The Director will guide the overall vision of the function by implementing effective strategies for data management and data analytics to support the centralised collection, management, analysis, interpretation, and reporting of data....
The purpose of this role is to lead the strategy, operational planning and managing of the Human Resources operations, activities, programmes and staff, including the EDI and Transformation and Change functions.
Tailored solutions for assurance and value creation in a changing world
Build technological resilience so you can operate with confidence
Most reportable data breaches are a result of human error. By focusing on understanding online human behaviour and an organisations culture, Mazars can help you to design engaging and practical cyber policies, deliver education and implement effective work practices that reduce cyber risk.
This playbook guidance provides organisations with five high-level practical tips in preparing for a cyber incident and developing a response plan that enables staff to take immediate action.
This website uses cookies.
Some of these cookies are necessary, while others help us analyse our traffic, serve advertising and deliver customised experiences for you.
For more information on the cookies we use, please refer to our Privacy Policy.
This website cannot function properly without these cookies.
Analytical cookies help us enhance our website by collecting information on its usage.
We use marketing cookies to increase the relevancy of our advertising campaigns.