With the entry into force of DORA (Digital Operational Resilience Act) in the European Union on January 16, 2023, the financial sector was given a 24-month implementation period, running until January 17, 2025. As the end of this period approaches, there is a growing need to comply with the regulatory standards, and a growing search for solutions that can help.

What is DORA?

The Digital Operational Resilience Act is a European Union legislation aimed at strengthening the operational resilience of information and communication technology (ICT) systems in the financial sector.

Before this legislation, financial institutions typically addressed operational risk by allocating capital to cover potential losses. However, this approach did not cover all the aspects needed to ensure strong operational resilience, especially where ICT systems are concerned.

The main objective of DORA is to ensure that financial entities and their suppliers are able to defend themselves against, respond to, and recover from ICT-related incidents, such as cyberattacks or ransomware. Implementing the required measures will represent high costs for financial institutions, especially in the insurance sector, where the complexity and fragmentation of the value chain will make the investment in implementation higher.

What are the requirements imposed by DORA on financial institutions?

DORA is based on 6 fundamental pillars for the operational resilience of ICT systems:

  1. Risk Management: DORA establishes a framework for risk management, which includes a risk-based approach to the management of networks and infrastructure, the implementation of vulnerability management policies, the use of robust authentication mechanisms, and the limitation of physical and logical access to the resources and data of ICT systems.
  2. Incident Reporting: Requires the monitoring and reporting of significant incidents to the authorities, with an initial report, intermediate reports on the progress of resolution, and a final report once the analysis is complete.
  3. Digital Operational Resilience Testing: Requires regular vulnerability testing, including independent annual tests and advanced penetration tests.
  4. Information and Intelligence Sharing: Promotes the sharing of threat intelligence and best practices to strengthen cybersecurity processes across the financial sector.
  5. Third-Party Risk Management: DORA places a significant focus on managing the risks associated with external ICT service providers. Critical ICT providers will be subject to a supervisory framework with strict rules, and financial entities must ensure that their providers comply with DORA's requirements.
  6. Cyber-Resilience and Operational Continuity: Ensures operational integrity and business continuity, including measures for the protection, detection, containment, and recovery from incidents affecting ICT systems.

How can start-ups help?

Several of the requirements imposed by this regulation will cause friction within organizations, and the use of external solutions will be crucial. One example is digital operational resilience testing, which will be difficult to implement because it requires advanced tests such as Threat-Led Penetration Testing (TLPT) to simulate attacks that could realistically occur.

What is the problem? Performing these tests demands resources and time, which the security teams of smaller banks and insurers have very little of, if any. Moreover, the teams themselves are not prepared to do it: before DORA, the only tests imposed by regulation were simpler, more generic tests that did not aim to simulate a cyberattack realistically.

Thus, the most cost-efficient solution may not be to build new internal teams, but to turn to external companies with solutions dedicated to red teaming. This is the case of Ethiack, a company based in Coimbra, which has developed a solution for performing penetration tests continuously and automatically.

The company has developed an autonomous ethical hacking solution that simulates the approach and creativity of an ethical hacker (a hacker hired by the organization itself), allowing tests to be carried out at scale and at a lower cost. Additionally, since it uses generative AI, Ethiack can continuously improve its performance. Solutions of this kind are critical in helping financial institutions meet the requirements for conducting the most advanced penetration tests without the substantial expense of producing them in-house.

Another important case is assistance in managing third-party risk. According to a study by Verizon, the financial sector was the second most affected sector by attacks on its value chain, compared with 19 other industries. In 2023, the sector saw a total of 3,348 security incidents, about 11% of all incidents reported.

An example of a company tackling this problem is Codacy. Based in Lisbon, it has developed a solution for the continuous monitoring of code for vulnerabilities, CVEs (Common Vulnerabilities and Exposures), and other risks. By providing real-time monitoring, the solution helps ensure that vulnerabilities are not introduced into the value chain from the very start of the development cycle.

What can be expected in the coming years?

With the prospect of tighter regulatory scrutiny of the financial sector in the coming years, it will be imperative for security teams to seek external solutions that can support them in complying with the imposed measures efficiently and, above all, that can guarantee a greater degree of security for the organization.

The article above was first published in Portuguese in ECO Seguros.