Cyber hazards have been at the top of companies’ ranking lists for several years in a row. The financial sector is exceptionally attractive for cyber criminals. According to a 2019 study by the Boston Consulting Group, banks are attacked 300 times more often than companies from other industries. Furthermore, attacks are seeing a sharp increase and are becoming significantly more “intelligent”. Furthermore, if you take into account the fact that – according to the latest report by IT security specialist Trend Micro – financial institutions are the most common payers of ransom money to cyber extortionists, clearly illustrating the following: The financial industry faces an exceptionally high cyber risk and thus an exceptionally serious obligation to face these risks with excellent preparation, comprehensive concepts, intelligent technical assistance and effective teams. With the DORA Regulation (Digital Operational Resilience Act) – which have come into effect in January – the EU has created international guidelines for protecting the financial IT landscape and unifies existing European and national policy.
DORA – What is it about?
Now that the DORA Regulation has come into force, all financial service providers must prove that their organization can withstand many different ICT crises across levels and departments and that the operational stability of digital systems is consistently ensured. As a result, it brings into focus the ability to fend off cyber risks and the ability to act in an emergency. Depending on the size of the company and the risks posed by the business model as well as the respective financial company’s degree of digital operational resilience, it will be necessary to strengthen many skills in risk management or perhaps acquire new ones while keeping proportionality in mind. Specifically, organisations must ensure the following:
Risk management is made into a top-level issue: The guidelines stipulate that management assume specific responsibility for IT security. Managers must comprehend the consequences of various risks and the expectations set for them. Apart from legally required continuing education on IT risks, they are obliged to carry out a risk assessment not only for their own company but also for all third-party providers. They must define managers, authorise business continuity and restart plans, authorise audits and adequately inform themselves about ICT incidents as well as collaboration with third parties. This also includes building quick information pathways, ideally making important information consistently up to date and never more than three clicks away. Therefore, DORA requires companies to make ICT risk management a top-level issue.
▷ Specifically and continually identify risks: Companies must be familiar with their security goals
and regularly readjust them. They are obliged to consistently monitor all systems and interfaces for anomalies 24/7, detect and evaluate discrepancies as well as document risks.
▷ Responding swiftly: In an emergency, organisations must be able to immediately
respond to an attack or an anomaly and carry out the appropriate countermeasures. The same applies for implementing emergency prevention, managing restoration plans and reducing risks.
▷ Communicate professionally and strategically: Smooth, secure and direct – the
new directive furthermore sets high requirements for communications processes and structures with relevant internal and external target audiences. An important goal is the fast flow of information. As a result, incidents must be fully documented and communicated internally as well as externally in order to disseminate knowledge. In severe cases, there is now an official reporting obligation for the entire financial industry – not just for major institutions.
▷ Comprehensive testing and training: Companies must prove that their systems, data and processes are always up to date. To that end, they are required to perform robust and comprehensive tests on digital operational stability (Operational Resilience Testing). Furthermore, Threat-Led Penetration Tests (TLPT) are required at least every three years, i.e., a company’s cyber resilience must be tested via a simulated attack from what is known as an ethical hacker.
Ultimately, all the requirements are geared towards ensuring that the parties responsible can make fast, informed decisions in critical situations and that they are resilient, i.e. prepared for alternatives. This is because DORA requires a holistic view – practically a perspective of a company’s blueprint.
So, what do you need to do to strategically position your own organisation and make it resilient against cyber hazards?
Manage data without redundancy and answer all questions from a single source
Optimise the data situation: Ensure high availability, topicality and quality
The most important foundation is a solid database with high data quality, data availability and interconnection. You can only take the right path to your goal if you know where you stand. However, what may sound simple is immensely challenging in many companies. On the one hand, this is because data are often stored in silos and are not very detailed in their own right. On the other hand, it is because data are not even recorded at all or are not maintained up to date. For instance, an important factor for implementing the DORA Regulation is performance data from IT systems, data on the threat landscape and the criticality of various processes and systems as well as information on incident response plans with escalation hierarchies and communications strategies. Having a perspective of your own company’s horizon is an important core criterion. Can managers easily verify which suppliers meet the DORA requirements? Do they have an up-to-date view of the overall global hazard situation? Even seemingly simple things should be thoroughly reviewed again. Is there complete and up-to-date contact data for all relevant persons that must be contacted in case of an ICT emergency? Is there an overview of people who possess important know-how in the company? These minor things make a difference in an emergency.
Documenting intelligently: Identify relationships, act with purpose
A solid database is the necessary foundation. However, it will not become a useful work tool until the data is intelligently interconnected. Correlations, dependencies, assignments – the database needs to be organised and structured. In other words, processes and procedures must be identified, classified and documented in a matter that makes them easy to update and interconnectable in increasingly new combinations. If data is intelligently interconnected, then not only does it provide useful insights but also allows for processes to be automated – from SOA (Service Oriented Architecture) to threat analyses, structure analyses and the information network to even determining the required protection – thereby easing the burden off of the organisation. Rule-based data repositories give logic to the data and ensure that all the links are individually tailored to the needs of the company.
For instance, if there are incident-response plans in digital form and are linked to the contact data for the corresponding teams, then automatic workflows can be initiated. Or if system data from proprietary systems are linked to live reports from cyber warning services, then automated alarms can be triggered, or monitoring, evaluation, control or verification rules of any kind can be initiated. It is exceptionally helpful to digitally record the DORA Regulation itself and then interconnect them to the business architecture – from processes and roles to applications, customers and suppliers. Doing so enables GAPs and weaknesses to be scanned and the regulatory risk to be determined. Data also exists in such a repository free of redundancy. Now only does this reduce the required maintenance but also eliminates sources of errors.
However, a database is only as good as how it is currently maintained. Therefore, it is important to ensure that data is not only intelligently interconnected but also easy to maintain and document. If the data source is outside or in another system, then intelligent interconnection ensures consistency.
User-friendly input screens, comprehensive interfaces to existing systems and automatic querying of the latest data are essential for making up-to-date and forward-looking analyses. Ideally, the infrastructure is created in a way that the data can also flow in reverse, i.e. from the comprehensive database back to the original systems to reduce the amount of management required there as well
Detailed visualisation: One image of the situation – many perspectives
Even if a lot can be automated nowadays: In the end, it is people who make the important decisions. Therefore, data and information should be available in a “human-readable” form, appropriate for its target audience. It is important for the visualisation to be made in as many diverse and unique ways as possible so that every decision-maker can receive input that is ideal for how they think and work.
Tables, matrix views, workflows or trend charts – the better the visualisation, the faster and more purposeful the action. Because of this, it is important for all suppliers and systems have the essential characteristics, key figures, data, facts, quality measurement values, aggregations/consolidations and possible outage impacts available but present them in a way that reduces the complexity for the user.
Manage, evaluate and monitor: Greater efficiency with less effort
In the end, the implementation of a compliance requirement always depends on the ability to render the required proof and inspections. There is increasing overlap among requirements of different guidelines. As a result, DORA finds itself among many regulations that are familiar from existing regulations such as MaRisk/BAIT, bsi 200 1-4 or the EBA Guidelines on ICT and Security Risk Management Outsourcing Arrangements. A structured, interconnected, and intelligent monitoring assessment also helps here.
A rule-based and configurable analysis and reporting can connect several assessments – from DORA to the GDPR General Data Protection regulation – with each other and handle several requirements with one answer – and it can do so spontaneously, periodically or permanently, manually, as warranted, automatically, or intelligently. Ideally, different target audiences and topics of a company will also form a structured, sustainable control management (IT, security, finance, legal, etc.).
Intelligent data links can significantly reduce the effort to successfully implement the DORA Regulation over the long term. It requires high data availability and quality as well as an intelligent interconnection of existing data via dashboards, graphics, tables, workflows, and alarms. The following holds true for managers: “If they belong together, leave them together. As a result, you only need to maintain the information network, i.e. the interconnection of all of the ICT’s relevant architecture assets, only once and obtain a company DNA that allows you to answer any questions from a single source – from risk, monitoring, security and emergency prevention to outsourcing, restart, rescission, testing and simulation of your systems.”
About the author
Dr. Roland Pulfer, Founder of Business-DNA Solutions GmbH and GRC expert at F24 AG, a software-as-a-service provider. He regularly shares his knowledge as a speaker as well, most recently at Cologne’s OpRisk forum on “DORA – intelligently implementing a requirement via digitalization”.