Everything EU & Swiss Companies Should Know About DORA (Digital Operational Resilience Act)

Introduction:

The EU wants greater cyber resilience in the financial industry: the more IT becomes an essential business component for banks, insurers, and reinsurers, the more important cyber resilience and the ability to protect companies in the sector against cyber criminals become. To safeguard the performance of financial institutions in critical scenarios and to create uniform rules on reporting and liability, companies need to identify vulnerabilities in their technology and IT management more effectively, audit them, secure their systems, and eliminate weaknesses through appropriate protection and alerting mechanisms.

What is DORA?

The EU Commission's draft Digital Operational Resilience Act (DORA) was published as an EU regulation and came into force on 16.01.2023. Financial companies now have 24 months to implement its requirements. The regulation affects all regulated financial companies in the EU, including banks and insurers as well as investment firms, management companies, rating agencies, crypto-asset service providers, trading platforms, and others. A separate part of the regulation covers third-party IT service providers. Under the principle of proportionality, large banks and insurance companies must meet stricter requirements than smaller companies.

What are the implications of DORA for Swiss companies?

Financial companies in Switzerland (and in other countries outside the EU, e.g. Liechtenstein) will in most cases need to apply the DORA standards too when they deal with financial companies in the EU and/or their customers. This includes companies that provide internal IT services for EU subsidiaries or sister companies, and companies that act as IT service providers for companies based in the EU.

Threat Intelligence and Operational Resilience

The objectives of the DORA regulations can be summarized in five dimensions:

1. Management of cyber-risks

Since the goal of DORA is to strengthen digital operational security and resilience in the financial sector under a uniform supervisory framework, companies need to implement strategies and take actions around their IT systems and tools that minimize the impact of IT risks. This includes proactive measures such as identifying, classifying and documenting cyber-critical functions and assets, continuously monitoring all sources of IT risk in order to set up protection and prevention measures, and establishing prompt detection of anomalous activity.

2. Strategy for digital business resilience and business continuity

Resilient IT systems and tools shall minimize the impact of IT risks, and protection measures are to be put in place for systems, networks, and critical assets to prevent unauthorized access, theft, natural disasters, or environmental hazards. For that reason, a comprehensive business continuity policy with contingency and recovery plans must be established as an integral part of comprehensive IT risk management.

With DORA, the members of the board will have a personal obligation and liability to provide and monitor IT risk management and to set up mechanisms to learn and develop from both external and internal IT incidents.

3. IT-related incident management

IT-related incident management obliges companies to respond promptly to IT incidents and breaches and to recover quickly from them. This requires suitable mechanisms to continuously detect anomalous activity, including network issues and IT-related incidents, as well as a predefined classification of sensitive and vulnerable data.

4. Continuous digital resiliency testing

With comprehensive testing based on TLPT (Threat-Led Penetration Testing), organizations can verify the actual digital resilience of the company, which should be continuously assessed through audits and tests: critical IT systems and applications must be tested at least once a year by independent internal or external auditors using simulation exercises, threat-led penetration tests, and similar methods.

5. Third-party security management

The obligation to control risk is extended to the risk introduced by service providers (third-party risk): companies must ensure the security and accountability of those providers. This also covers cloud services, platform-as-a-service, and infrastructure-as-a-service.

DORA requires immediate reporting of cybersecurity incidents to the appropriate regulators, and information sharing to limit the spread of threats, to support the financial industry's overall defence capabilities, and to improve its threat detection techniques.

What NDR can do for DORA

A Network Detection and Response (NDR) solution, as part of a DORA strategy, addresses the challenges posed by DORA: it supports the mandatory security and resilience of network and information systems, provides the response actions required by the regulation, and helps minimize the impact of external risks.

ExeonTrace, a machine-learning-based NDR solution, offers organizations several benefits for complying with DORA by providing comprehensive visibility into network traffic, for instance by helping financial organizations identify potential threats and vulnerabilities before they can be exploited. By continuously monitoring network traffic, ExeonTrace can detect suspicious activity, such as unauthorized access attempts or data exfiltration, and alert the organization to it.

ExeonTrace enables organizations to respond quickly and effectively to potential threats by triggering incident response procedures. As DORA makes prompt reporting obligatory, this NDR solution helps companies meet the reporting requirements by providing detailed logs and reports of network activity and incidents.

How ExeonTrace helps companies in Switzerland and the EU comply with DORA

Even when a SIEM (Security Information and Event Management) system is already in place to collect security events from various sources, an NDR solution is recommended as well, to reduce the confusing volume of events and alarms to clear risk patterns and meaningful alerts.

Its immediate, real-time reaction to cyber incidents in the network makes NDR, especially with regard to reaction and prevention, a mandatory asset for meeting the DORA guidelines.

According to the DORA regulation, financial firms need to allocate "sufficient resources and capacity to monitor user activity, the occurrence of IT anomalies, and IT-related incidents, especially cyber-attacks". Network Detection and Response (NDR) solutions allow companies to lower their expenditures through reduced data usage, lower staffing requirements, immediate threat detection, improved operational efficiency, and scalable adaptability in managing cybersecurity.

With ExeonTrace, financial service providers can leverage their existing infrastructure without additional hardware investment: the complete network log data is analyzed and all network activity is made visible.

Summary:

Financial organizations need to establish a framework for effective and comprehensive management of cybersecurity and IT risks in financial markets and ensure that operations remain resilient in the event of a business disruption. (New) topics such as threat intelligence and threat-led penetration testing are to be implemented, the dependencies between financial service providers and their own service providers (third-party risk management, e.g. cloud service providers) are to be audited and secured, and all critical incidents are to be reported immediately to the authorities. ExeonTrace addresses major DORA requirements, namely logging, detection of and response to cyber incidents in a safe and consistent manner, and will be an important contributor to DORA compliance.

To get your own personal tour of ExeonTrace, or to speak to me or one of our network security experts, click here.

Author: Carola Hug, Chief Operating Officer

Email: carola.hug@exeon.com

Published on: 20.09.2023