Banks Brace for DORA’s Stricter Cybersecurity and IT Management in 2025

August 8, 2024

As enforcement of the European Union’s Digital Operational Resilience Act (DORA) looms on the horizon in January 2025, banks and their IT suppliers brace for an era of tougher cybersecurity and IT management standards. Passed last year, DORA mandates rigorous IT risk management protocols, digital operational resilience tests, intelligence sharing on cyber threats, and third-party risk management. This article delves into the multi-faceted repercussions and anticipatory measures being adopted by financial institutions to comply with this new regulatory framework.

DORA’s Mandate for Digital Resilience

Comprehensive IT Risk Management

Banks are required to develop robust IT risk management frameworks that encompass a broad spectrum of potential digital threats. These frameworks aim to ensure that institutions can not only withstand but also swiftly recover from cyber incidents. DORA’s regulations stipulate that banks conduct extensive assessments of their IT infrastructure, identifying vulnerabilities and implementing corrective measures. This proactive approach underscores the necessity of continuous monitoring and updating of security protocols to counter evolving cyber threats.

Financial institutions must also account for operational risks related to outsourcing and third-party services. Detailed risk assessments of third-party vendors have become essential, ensuring that any potential weaknesses in outsourced operations are promptly identified and mitigated. This requirement is crucial as banks increasingly rely on external vendors for essential services, amplifying the importance of third-party risk management. By mapping out these risks comprehensively, banks can formulate strategies to mitigate potential disruptions and secure their operations against a wide array of cyber threats.

Digital Operational Resilience Testing

An integral component of DORA is the requirement for banks to conduct regular digital operational resilience tests. These simulations are designed to evaluate the effectiveness of an institution’s defenses against cyber incidents and operational disruptions. Banks are expected to perform both internal and external stress tests, simulating various scenarios that could potentially impair their IT systems. These tests provide valuable insights into areas needing enhancement and help in fortifying defenses against real-world cyber threats.

DORA also necessitates that financial institutions document and report the results of these tests to relevant regulatory bodies. This transparency ensures that both banks and regulators have a clear understanding of the institution’s preparedness and resilience capabilities. The documented results can inform future regulatory adjustments and provide benchmarks for continuous improvement. By adhering to these requirements, financial institutions can foster a culture of resilience, ensuring they are well-prepared to handle unforeseen disruptions and maintain the continuity of critical services.

Incident Case Study: CrowdStrike Outage

Impact of the CrowdStrike Glitch

The recent high-profile IT outage involving cybersecurity firm CrowdStrike serves as a stark reminder of the vulnerabilities within interconnected digital ecosystems. The software update glitch cascaded across various sectors, including airports, hospitals, and financial institutions. Delta Air Lines was one of the most severely affected, canceling over 5,000 flights and incurring losses estimated at around $500 million. The incident highlights the critical need for robust incident response plans and the potential financial repercussions of IT failures.

CrowdStrike’s deflection of responsibility towards Delta’s IT decisions underscores the importance of clear delineation of accountability in managing IT risks. This incident has prompted renewed calls for stringent governance and oversight of third-party IT providers. It also emphasizes the necessity for thorough vetting and performance monitoring of these vendors to prevent similar disruptions in the future. By learning from such incidents, banks can enhance their contingency planning and ensure that they have robust strategies in place to mitigate the impact of IT outages on their operations.

Lessons Learned from the Outage

The CrowdStrike outage underscores the necessity for enhanced due diligence when selecting and managing third-party IT services. Financial institutions must rigorously vet their vendors’ security protocols and ensure that they align with the bank’s own cybersecurity standards. It is also essential for banks to establish comprehensive incident response and recovery plans. These plans should outline clear procedures for mitigating the impact of IT disruptions, ensuring continuity of critical services, and minimizing financial losses.

Moreover, the incident highlights the significance of maintaining an open channel of communication with IT providers. Transparency and timely information sharing can facilitate quicker identification and resolution of issues, thereby mitigating the overall impact of such incidents. Financial institutions must also prioritize continuous improvement in their incident response strategies, incorporating lessons learned from past disruptions to bolster their resilience. By fostering a collaborative approach with their IT vendors, banks can enhance their overall security posture and reduce the risk of future outages.

Managing Third-Party Risks

Assessing Third-Party Dependencies

An integral part of DORA is the management of risks associated with third-party IT providers. Financial institutions must conduct thorough assessments of their dependencies on these external vendors, identifying which critical operations are outsourced and where those arrangements are vulnerable. Tooling that maps and tracks third-party dependencies is needed to manage them at scale; such tools enable banks to monitor the performance and security compliance of their IT service providers continuously.

Financial institutions are also required to maintain comprehensive records of all third-party engagements, detailing the nature of services provided, associated risks, and mitigation strategies. This meticulous documentation is crucial for adhering to regulatory requirements and ensuring accountability. By maintaining detailed records, banks can better manage their vendor relationships and ensure that their outsourcing arrangements are secure and reliable. This approach not only enhances regulatory compliance but also strengthens the overall resilience of the institution’s digital infrastructure.

Enhancing Vendor Assurance Capabilities

To align with DORA’s mandates, banks must expand their assurance capabilities, encompassing not just their own infrastructures but also those of their vendors. Regular audits and assessments of third-party security protocols are necessary to ensure compliance with DORA’s stringent standards. Banks should collaborate with their IT providers to enhance resilience. Joint operational resilience tests and shared intelligence on emerging threats can bolster the defensive capabilities of both parties.

Furthermore, fostering a culture of continuous improvement in cybersecurity practices is vital. As the threat landscape evolves, ongoing training and awareness programs for both internal staff and third-party vendors can help maintain a robust defense against cyber threats. By investing in continuous education and fostering collaboration, banks can ensure that their defenses remain effective and that they are well-prepared to handle new and emerging cyber threats. This proactive stance is essential for maintaining the security and integrity of the financial sector’s digital infrastructure.

The Road Ahead

Preparing for Enforcement in 2025

As the enforcement of the European Union’s Digital Operational Resilience Act (DORA) draws near in January 2025, banks and their IT suppliers are gearing up for stricter cybersecurity and IT management requirements. DORA, enacted last year, will compel financial institutions to implement comprehensive IT risk management protocols, conduct digital operational resilience tests, engage in intelligence sharing on cyber threats, and manage risks associated with third-party vendors effectively. This legislative shift promises to elevate the standards of cybersecurity within the financial sector and is prompting a thorough review of existing protocols and systems to ensure compliance.

Financial institutions are now adopting a range of anticipatory measures to adhere to this new regulatory framework. These measures include enhancing their digital infrastructure to withstand cyber threats, improving internal processes for better risk assessment, and ensuring that third-party vendors meet DORA’s stringent criteria. The upcoming changes reflect a broader trend towards increased vigilance and proactive management of digital threats, aiming to safeguard the stability and integrity of the financial system in an increasingly interconnected digital landscape.
