As far as cybersecurity is concerned, the financial services sector should be considered as a major innovator. That can be a blessing and a curse. On the one hand, its inclination to embrace new technology has directly led to the proliferation of innovations like open banking and tokenization. Conversely, that willingness to move fast and break things has seen criminal gangs sneak through the as-yet-unseen cracks in the cyber-defences of new products and platforms. The vast volume of data and transactions financial institutions process makes these firms highly attractive to these threat actors, who continuously adapt new techniques to infiltrate and drain banks and customers of their hard-earned money.
Most commonly, financial services companies are facing threats in the form of the exploitation of API vulnerabilities, distributed denial of service (DDoS) attacks, phishing, social engineering, and malware.
Unit 42, Palo Alto Networks’ threat intelligence arm, found financial services customers suffer the most from business email compromise (BEC) attacks, with nearly one in five of our BEC cases happening in the sector. The average cost of a data breach is approximately £3.48 million every year. Today, the problem has become so prominent that even supra-national organisations are trying to curb the effect of ransomware attacks on financial firms.
Acting as the world’s largest regulatory bloc, the EU has introduced the Digital Operational Resilience Act (DORA), set to be implemented in 2025. Since its announcement, DORA has caused companies in the sector to wonder – how does the new regulation affect British financial institutions, and are they prepared for it?
Preparing for DORA
The primary goal of DORA is to ensure that governance, rules, and frameworks related to digital resilience are incorporated into a comprehensive strategy that applies to financial organisations.
This necessitates a change in roles, meaning that the executive committee and CEOs will now primarily be in charge of defining this approach and holding each other accountable.
Digital resilience should be a top priority for financial organisations, given the concerted approach required towards developing this, as well as the close collaboration needed between departments. This is a critical step towards ensuring financial institutions remain compliant with the new regulatory framework.
As a result of DORA, financial institutions will come under increasing scrutiny from regulators, and banks and the technology companies that provide services to them will be required to demonstrate that their procedures and services are resilient. But why do financial institutions need to demonstrate their resilience in procedures and services?
The answer lies in the systemic risk to the financial system posed by major breaches. Cyberattacks increased by 38% in 2022 alone. In the first quarter of 2023, meanwhile, the United Kingdom lost more than £53 million to online banking fraud incidents.
Financial implications of the Act
Becoming digitally resilient may be challenging for certain players. While DORA would result in a more robust market, businesses are understandably apprehensive about the financial repercussions of the legislation.
Some organisations have voiced concerns about the potential impact of DORA on innovation and competitiveness within the financial services sector, as well as compliance costs and operational disruptions during implementation and alignment with existing cybersecurity frameworks. Additionally, organisations will need to consider how to tackle challenges around data protection and privacy, as well as the need for skilled cybersecurity personnel.
The maturity and complexity of governance in any financial services company are likely to affect how it complies with DORA. For instance, companies with lower maturity profiles and less of a competitive edge in the market may need to invest more resources to meet DORA’s requirements. This is because, unlike their more mature counterparts, their core competencies are still being developed, as are their relationships with suppliers and partners (where much of the cybersecurity risk often lies).
What’s more, they tend to lack the necessary cybersecurity skills internally. Indeed, at every maturity level, senior management needs to conduct thorough evaluations of the current state of cyber resilience in the business to identify any existing gaps and allocate the appropriate resources for compliance.
Why the sector needs to make a move now
While DORA outlines regulatory measures for EU companies, many of them have their headquarters or operations in the UK. According to Mayer Brown, failing to meet DORA’s requirements could mean that British financial institutions with operations within the EU sacrifice a portion of their customer base. EU-headquartered institutions with operations in the UK will want to ensure they implement the regulatory requirements across their entire operations to avoid potential fines.
Enhancing operational resilience in the financial sector is crucial for safeguarding the interests of consumers and maintaining the stability of financial markets. DORA’s provisions aim to minimise the impact of disruptions on consumers’ access to financial services and prevent systemic risks that could arise from operational failures within individual institutions.
The impending implementation of DORA presents a critical juncture for the financial services sector, requiring firms to prioritise digital resilience and executive accountability. While compliance may entail significant investment, proactive adoption is essential to mitigate long-term costs.
Global firms need to anticipate DORA’s implications beyond EU borders, ensuring continued compliance and operational resilience. Ultimately, the act represents an opportunity to fortify defences, safeguard consumer interests, and uphold financial market stability in an increasingly digital world.
Simon Crocker is a systems engineering director at Palo Alto Networks.