Ransomware attacks, DDoS attacks and online fraud make the dependence on digital systems and processes painfully visible. Consequently, organizations in the financial sector are taking cybersecurity measures to deal with these threats. Legally, until recently it was sufficient to comply with the requirements of the AVG. In practice, the measures taken often prove insufficient for the threat landscape an organization finds itself in.
To increase digital resilience in the financial sector and reduce the risks of cyber attacks, the European Commission introduced the Digital Operational Resilience Act (DORA). The requirements of the DORA often call for additions to current cybersecurity policies. Having a firewall, an antivirus program and a standard backup policy is no longer sufficient.
The DORA contributes to greater control over cyber attacks. It pays particular attention to the risks of outsourcing to chain partners by organizations in the financial sector. With the introduction of the DORA, responsibility for cybersecurity policies lies with the directors rather than with the IT department, as is often the case today. Directors can be held jointly and severally liable and suspended by the AFM.
The DORA has five pillars. Virtually all organizations in the financial sector must meet the requirements of four of the five pillars as of January 17, 2025. Below is a brief explanation of each pillar. A more detailed description can be found in Partner in Compliance's research paper.
First, there is the pillar of risk management. Current deficiencies, the threat landscape and cyber risks should be analyzed. Policies and procedures should be formulated. Consider a baseline measurement, a gap analysis and an advance risk analysis. A plan of action for a cyber attack should be ready. All stakeholders and their responsibilities should be identified.
Then there is the pillar of testing and auditing, where periodic resilience testing, at least annually, must be performed by an independent, internal or external, team. Additional testing is required for major changes. The results of the tests and audits are the basis for rewriting the security policy.
The third pillar is chain partners. Reducing vulnerability to cyber attacks on the digital infrastructure of chain partners receives a lot of attention in the DORA. Contractual agreements with a chain partner must be reported to the AFM. The organization itself remains responsible for the digital security of its data and must include the security measures of its chain partners in audits and other controls.
The fourth pillar is mandatory reporting. Cyber incidents must be reported to the AFM, from an initial notification through to a final report. This enables the AFM and others to act on cyber threats in the financial sector and contributes to an understanding of vulnerabilities and trends.
Finally, there is the pillar of information exchange. The DORA provides tools for the secure and well-streamlined mutual exchange of information, for example about cyber threats, effective security measures and other tips for increasing digital resilience. These are tools, not obligations.
Based on its knowledge and experience, Partner in Compliance has formulated six recommendations to address the challenges posed by DORA. They will help your organization protect itself from digital threats and ensure robust digital operational resilience.
First, companies should start now to obtain a clear picture of the requirements of the DORA and take the first steps toward being compliant with the DORA by January 17, 2025. Second, companies should use the PDCA cycle, whereby making the cybersecurity policy compliant with the DORA is treated as a continuous improvement process.
The third step is to review and, where necessary, revise contracts with chain partners. Fourth, companies would do well to include the privacy requirements of both the DORA and the AVG in their cybersecurity policy, taking into account the interaction between the two regulations.
Fifth, companies need to organize training sessions to increase employee awareness of cyber dangers and policies. Directors also need training to increase their knowledge, enabling them to make the right decisions in favor of a digitally safe and resilient organization. Finally, companies should create a crisis plan so that, in the event of an incident, they can act quickly and effectively.