
Many banks are not ready for the EU’s strict new cybersecurity law


New regulations are forcing organizations to take cyber security more seriously.


Tough new European Union regulations requiring banks to strengthen their cybersecurity systems officially take effect Friday — but many financial services firms in the bloc are not yet fully compliant.

The EU Digital Operational Resilience Act, or DORA, requires financial services firms and their technology suppliers to harden their IT systems to ensure industry resilience in the event of a cyberattack or any other form of disruption. It entered into force on January 17.

Penalties for violating the new law can be substantial. Financial services companies that break the new rules could face fines of up to 2% of annual global revenue. Individual managers could also be held responsible for violations and face sanctions of up to one million euros ($1 million).

So far, the compliance rate of financial services firms with the new rules has been mixed, according to Harvey Jang, chief privacy officer and deputy general counsel at IT giant Cisco.

“I think we’ve seen a mixed bag,” Jang told CNBC in an interview. “Of course, more mature-stage companies are looking at this at least a year out — if not longer.”

“We’re really trying to build this compliance program, but it’s so complex. I think that’s a challenge. We’ve seen that with GDPR and other broad legislation that’s open to interpretation — what does it really mean to comply? It means different things to different people,” he said.

This lack of common understanding of what qualifies as strong DORA compliance has in turn led many institutions to raise security standards to a level that actually exceeds the “baseline” of what is expected of most companies, Jang added.

Are financial institutions ready?

Under DORA, financial firms will be required to undertake rigorous IT risk and incident management, classification and reporting, operational resilience testing, cyber threat and vulnerability intelligence sharing and third-party risk management measures.

Companies will also be required to carry out “concentration risk” assessments in relation to the outsourcing of critical or important operational functions to external companies.

A census survey of 200 UK chief information security officers commissioned by Orange Cyberdefense, the cyber security department of the French telecommunications company Orange, showed that 43% of financial institutions in Britain are not yet fully DORA compliant.

This is worrying because, although the UK is now outside the European Union, DORA applies to all financial entities operating within EU jurisdictions — even if they are based outside the bloc.

“While it is clear that DORA has no legal reach in the UK, entities based here that do work or provide services to entities in the EU are subject to the regulation,” Richard Lindsay, principal advisory consultant at Orange Cyberdefense, told CNBC.

He added that a major challenge for many financial institutions when it came to achieving DORA compliance was managing their key third-party IT providers.

“Financial institutions operate within a multi-layered and extremely complex digital ecosystem,” said Lindsay. “Monitoring and ensuring that all parts of this system are demonstrably compliant with the relevant elements of DORA will require new thinking, solutions and resources.”

Banks are also adding higher levels of oversight in their contract negotiations with technology vendors because of DORA’s strict requirements, Jang said.

Cisco’s chief privacy officer told CNBC that he thinks compliance is there when it comes to the principles and spirit of the law. However, he added, “any law is a product of compromise and therefore, as it becomes more prescriptive, it becomes challenging.”

“The principles we agree with, but any legislation is a product of compromise, so the more it prescribes, the more challenging it becomes.”

Still, despite the challenges, the broad expectation among experts is that it won’t be long until banks and other financial institutions reach compliance.

“Banks in Europe already comply with significant regulations covering most of the areas that fall under DORA,” Fabio Colombo, EMEA head of financial services security at Accenture, told CNBC.

“As a result, financial services institutions already have developed governance and compliance capabilities, with incident reporting processes in place and robust ICT risk frameworks.”

Risks for IT suppliers
