Filenews 15 August 2024
Banks and IT companies will face another challenge in the near future: tougher scrutiny by the European Union (EU) under DORA.
DORA is the Digital Operational Resilience Act, a law passed last year that is expected to apply from January 2025. In essence, DORA requires banks, insurance and investment firms, and businesses in the IT industry to strengthen their security. The EU regulation also seeks to ensure that the financial services industry is resilient in the event of severe disruption.
Such outages could include a ransomware attack that shuts down a financial company's computers, or a DDoS (distributed denial of service) attack that forces a company's website offline.
The regulation also seeks to help companies avoid major outage events, such as last month's historic system crash caused by cyber firm CrowdStrike. In the future, such an event would fall under the kind of service disruption that would face scrutiny under the new EU rules. Mike Sleightholme, president of fintech firm Broadridge International, notes that a major factor in DORA is that it doesn't just focus on what banks are doing to ensure resilience: it also takes a close look at companies' technology suppliers.
In practice, DORA requires banks to conduct more rigorous risk management of their IT activities, carry out digital operational resilience testing, share information on cyber threats and vulnerabilities, and take steps to manage third-party risk.
In light of this, companies should assess their "concentration risk" when outsourcing critical operational functions to third-party companies, since these IT providers often provide "critical digital services to customers," Joe Vaccaro, general manager of ThousandEyes, the Cisco-owned internet quality monitoring company, told CNBC. "These third-party providers now need to be involved in the testing and reporting process, which means financial services companies need to adopt solutions that will help them uncover and map these sometimes hidden dependencies with providers," Vaccaro said. Third parties should also "expand their ability to ensure the delivery and performance of digital experiences not only in the infrastructure they own, but also in the infrastructure they don't have," he added.