A Secure & Stable Digital Landscape for the Financial Services Industry
Posted 5th December 2024
Full enforcement of the new ICT digital resilience regulation begins on the 17th of January 2025. But what will the impact be for Financial Services organisations? In this article, BCN reviews the process, the benefits and the consequences of non-compliance for this potentially game-changing legislation.
The process of digital transformation across the financial services industry has delivered many benefits and advantages, particularly over the last decade. Greater efficiency, elevated customer experiences and entirely new ways of storing, accessing and processing data for business-critical analytics & insights have all been made possible by leveraging digital technology. With the advent and adoption of Artificial Intelligence gathering pace, it’s easy to see how financial services operations can be adapted even further for more positive outcomes in the near future.
However, such accelerated change in a short period of time inevitably drives regulatory change to ensure safety and compliance in a secure, industry-wide way. The Digital Operational Resilience Act (DORA) was created and formally adopted in December 2022, as part of the EU’s broader Digital Finance Package, to address this comprehensively.
As the deadline of the 17th of January 2025 for full enforcement draws near, the BCN Financial Services Team wants to reiterate some key points and advantages of DORA in the context of any wider IT & digital technology strategy.
The connected nature of financial services, and the data that moves around it, makes it a prime target for increasingly frequent and sophisticated cyberthreats. Managing these risks, exposures and potential vulnerabilities from both a collective and individual perspective is a prime directive for DORA.
In the broadest terms, this means adopting a proactive three-point programme across your entire organisation, and across any third-party providers that process your data, to effectively:
Adhering to a five-point framework helps guide your DORA strategy and programme of activity across Information & Communication Technology (ICT) platforms and digital technology.
Detailed policies, procedures and controls must be created to address vulnerabilities for every information and ICT asset. This applies to all hardware, all software and its components, and all infrastructure, including any premises or data centres in DORA scope. It must be documented alongside data management processes and made available to the relevant authorities on request.
Clear definitions must set out what constitutes a major incident and the timeframe for reporting it to senior management. Any significant incident should also be shared with the relevant regulatory authorities in a similar way. Systematic and visible management needs to be applied to all detected breaches, disruptions and data loss.
Understanding how resilient your organisation is at all times requires vulnerability assessments, penetration tests and stress tests across all ICT assets in simulated scenarios. DORA actively encourages these tests to be carried out by competent and authorised third-party providers so that the process and the information gathered are unbiased and impartial. The results should always be documented and used to iterate, develop and improve wherever weaknesses have been highlighted.
The modern financial services industry’s reliance on third-party ICT services and providers means they must be in scope for DORA. Due diligence is required for cloud and software vendors or partners, and contractual compliance should be requested when engaging with them. DORA looks to mitigate dependency risk so that disruptions at external partners do not compromise your own ICT environment and assets.
The financial services ecosystem needs to rely on a collective resilience driven by information sharing and communication across all organisations. Exchanging this kind of intelligence will create a much stronger and more secure industry while reducing the impact of isolated incidents and preventing them from becoming systemic challenges. Open and honest lines of communication establish trust among every stakeholder in the financial services space for greater stability overall.
DORA aims to make the entire financial services industry a more resilient, stable and secure environment for all providers and, ultimately, for end users. Essentially, it requires all financial institutions to demonstrate that they can withstand, and recover from, disruptions to their ICT assets and networks.
Although ISO/IEC 27001 accreditation covers much of the regulatory requirement inherent in DORA, certain issues still fall outside this overlap. For example, the specific timelines, third-party compliance and information sharing that DORA demands will need additional attention from ISO/IEC 27001 holders.
It’s also important to understand that DORA is created with proportional requirements in mind to consider the size, risk profile and the nature of operations. Any financial service organisation with less complex operations and fewer interactions will therefore have simpler obligations to fulfil.
As an EU regulation, DORA becomes directly binding in all EU member states when it becomes fully effective in January 2025. However, any UK-based financial services organisation that currently operates in EU countries or serves EU customers must also be compliant. Given the global nature of the industry, it makes sense to maintain DORA compliance for new business acquisition, to avoid extra administration with potential clients and opportunities that may require it.
For individual financial services organisations, the benefit is clear: a more resilient posture avoids the financial losses that disruptions cause. Compliance, with more robust risk management, regular testing and stronger security protocols, and the documentation to demonstrate that commitment, creates a solid foundation for future-proofing any digital strategy.
Collectively, it enforces harmonised regulation for the industry in European territories in the simplest way. Trust is acknowledged across all parties in the financial services ecosystem and the sharing of information allows for the greatest defence from disruptions and threats for all involved.
From 2025, failure to be demonstrably DORA compliant could incur financial penalties in the event of breaches, disruptions or attacks. Perhaps more critically, it would cause serious reputational damage that can be much more difficult to remedy in the long term.
The 17th of January 2025 is only the beginning of the regulation. Compliance must be maintained continuously and reviewed at regular intervals. With the cyber security landscape always evolving, it is likely that there will be numerous additions and revisions to DORA to match the landscape it protects against.
Ultimately, the goal is to create and develop a culture of resilience, driven by people, across all ICT applications for every organisation in the financial services industry.
Creating a strong partnership with a trusted, knowledgeable and experienced Managed Service Provider for your ICT and digital tools is the most sensible way of staying across regulations like DORA and fulfilling the actions required for compliance.
The BCN team is always happy to start an informal conversation about where your organisation is on a digital operational resilience journey and cyber security. Through assessment, consultation and solution implementation, we ensure compliance with shared responsibility in the safest hands possible.
Feel free to contact us as soon as you are ready.