Tougher cybersecurity legislation is putting considerable financial pressure on Dutch financial services companies. Research by Rubrik shows that four in 10 companies in this sector have spent more than €1 million on cybersecurity in the past two years.

In particular, compliance with the European Digital Operational Resilience Act (DORA) involves significant costs. The survey shows that nearly a third of organizations have invested between €0.5 million and €1 million in compliance. Despite these efforts, the threat level remains high.
Third-party cyber attacks are the biggest threat (32%) to the industry, followed by ransomware attacks (30%). In addition, more than a quarter of Chief Information Security Officers (CISOs) see software vendors as a weakness. Internal threats, such as human error, are cited by one in 10 CISOs as the biggest risk.
More than half of CISOs (54%) say they experience increased pressure from European regulations. They say they need an empathetic approach to better manage these challenges. The complexity of data in the cloud plays an important role in this: all CISOs surveyed see this as a problem, with 88% even calling it a moderate to major problem.
"Given the growing threat of ransomware and cyberattacks, implementing regulations is required and costly," said James Hughes (VP of Solutions Engineering and Enterprise CTO at Rubrik). "Understanding what data is most critical, where it resides and who has access to it is essential to identifying, assessing and mitigating cyber risks."
Moreover, there appears to be a disconnect between IT and the rest of management. As many as 78% of CISOs in the Netherlands feel that their IT budgets are not aligned with management's goals for regulatory compliance. DORA sets strict requirements, such as contractual safeguards and contingency plans, to reduce reliance on outside parties and mitigate risk.
The law also requires regular digital resilience testing and attack simulations. Despite the challenges, 64% of CISOs are confident in the security of customer, partner and employee data in the cloud. Hughes sees that the rest of management often makes a different assessment of the cost of compliance than the CISO and the IT department itself.
"As regulators become increasingly stringent, many CISOs feel that their budgets do not reflect management's level of commitment to compliance," he states. "This gap not only puts organizations' security at risk, but also their ability to comply with changing regulations."
