What is the Digital Operational Resilience Act, and why does it matter?

The Digital Operational Resilience Act (DORA) is a game changer for financial organizations, providing a comprehensive rulebook that covers everything financial organizations need to do to become and remain digitally resilient against cyber threats. In this blog, we’ll provide a run-down of everything you need to know about DORA.

 

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act ( DORA) is European legislation that requires any financial organization in the European Union (and those that want access to it) to have safeguards in place to mitigate cyber-risks. The legislation requires these businesses to recognize and mitigate any reasonably identifiable circumstances that could lead to an event that could compromise the digital operational security of the firm.  

 

What is a reasonably identifiable circumstance?

Any common vulnerability, exposure, or well-known cyber threat could give rise to a reasonably identifiable circumstance. Something is a reasonably identifiable circumstance if the source it’s coming from is a trusted, independent expert that puts you on express notice that a common vulnerability, exposure, or significant cyber threat poses a risk to your business. 

 

What credible agencies should businesses be looking to for guidance on reasonably identifiable circumstances?

• National Cyber Security Center (NCSC)

• Federal Bureau of Investigations (FBI) 

• National Institute of Standards and Technology (NIST)

• US Department of Defense 

• US Department of Homeland Security

• The Global Cyber Alliance (GCA)

 

Why is digital operational resilience important in the financial services sector?

The interconnected nature of the financial services sector means that when something goes wrong within it, a ripple effect impacts those far and wide. Nowadays one of the most significant threats to the security, stability, and business continuity of the financial sector is the disruption caused by a cyberattack (such as ransomware infections or DDoS). 

Business Email Compromise (BEC) provides the starting point for 90% of targeted cyberattacks such as ransomware attacks, CEO fraud, vendor fraud, and more. So, there’s never been a more crucial time for the financial institutions to strengthen their digital resilience to prevent these. In doing so, they’ll protect business processes, business continuity, and sensitive data, and ultimately comply with DORA. 

 

When will the Digital Operational Resilience Act be enforced?

DORA is expected to be introduced this year (2022) and be fully enforced by 2024, so businesses need to start preparing now.

 

Who does the Digital Operational Resilience Act apply to?

There are two groups of businesses DORA applies to. The first is any organization that manages, transfers, holds, insures, invests, creates, protects, or raises money and those that grade investments. 

This includes:

• Banks

• Auditors and Audit Firms 

• Investment Firms

• Management Firms 

• Credit Institutions

• Insurance & Reinsurance Firms

• Brokers

• Credit Rating Agencies

• Crowdfunding Services 

• Trading Venues

• Trade Repositories 

• Crypto-Asset Providers

The second group of businesses DORA applies to is third-party vendors that supply ICT software (but not hardware). 

This includes:

• ICT Vendors 

• Provides Digital and Data Services

• Cloud Computing

• Software

• Data Analytics 

• Data Centers

 

Does the Digital Operational Resilience Act (DORA) apply to the UK and USA?

DORA has been introduced by the European Parliament and so it applies to the above businesses that are based in the EU. But it also applies to any business that has offices in the EU or wants access to the above businesses or clients in the EU market. For example, if a bank in the United States wants to do business with a bank based in the EU, or access clients in the EU, it must comply with DORA. So, this means that DORA is applicable worldwide.

 

Is Business Email Compromise (BEC) a reasonably identifiable circumstance?

The Federal Bureau of Investigations (FBI) has been warning of Business Email Compromise in its IC3 Internet Crime Report since 2015. The FBI is a trusted independent expert, with form for getting things right, and no skin in the game. So, businesses can safely accept that BEC is a reasonably identifiable circumstance that they’re required to mitigate. 

“Courts don’t expect you to see around corners, they expect you to read the writing on the wall. ​​Business Email Compromise (BEC) remains the most significant cyber threat by victim loss, and the starting point for the majority of attacks. So, BEC is a threat and it needs to be addressed.” Dr Rois Ni Thuama, PhD 

 

What are the benefits of the Digital Operational Resilience Act?

Thanks to DORA, businesses will be enabled to make better decisions as DORA highlights what they need to do in one place, and leaves nothing out. What’s more, by complying with the provisions outlined in DORA, businesses will become more resilient to cyberattacks, unscrupulous vendors, and other threats. Other benefits of this European parliament legislation include:

• More robust supply chains

• Smoother exit strategies

• Defensibility in the event of an attack

• Protection from opportunist criminals

 

What are the consequences of noncompliance with DORA?

DORA puts the final responsibility to enact the right measures to mitigate cyber threats on board members and directors. It’ll be these people who are held accountable if a business fails to comply. Directors and boards now need to understand and know how to mitigate risks (reasonably identifiable circumstances). If they don’t, they could face:

• Reputational damage
• Shareholder litigation
• Regulatory fines
• Criminal sanctions

Content Source: https://blog.redsift.com/ Jun 2022