Even though the Digital Operational Resilience Act (DORA) was published some time ago (on December 27, 2022), and all financial entities should be aware of the new regulation by now, many organizations still have a long way to go before they meet its requirements at a sufficient level of maturity. Why? As always, there is no single good answer, but we will try to analyze the situation and, most importantly, let you know how the NATEK Team can support your business in this transformation. Find out how to adapt your operating model to DORA before January 17, 2025, the date from which DORA applies.

Digital Operational Resilience Act

DORA is meant to end the disparities between national supervisors' approaches to ICT risk and to provide a set of principles that give the overall structure of ICT risk management. The whole concept is built on well-known security and ICT governance good practices, ideas and frameworks, framed in a risk management process: enterprise architecture modeling, CMDB, BCP, incident management, red teaming, threat intelligence, EDR, third-party intelligence, SOC, digital forensics, attack surface management, vulnerability management, network segmentation, IAM and BIA, to name a few. Haven't noticed them in your copy of DORA? Sometimes you need to read between the lines, and to do that you have to know what to look for. Hiring an experienced team of analysts with broad knowledge of cybersecurity frameworks, who can map them to your existing GRC procedures, enterprise architecture and business process models, may be the best solution. Find out more about NATEK ANALYTICS SERVICES!

DORA is focused on your business' security

The Digital Operational Resilience Act emphasizes the deployment of appropriate security tools and a more proactive approach to security itself. Tools are usually underrated in regulations, so this new mindset can be beneficial in the long run. But to handle the new responsibilities and at the same time run the business effectively, financial entities must keep up to date with the latest security technologies and frameworks and be aware of the problems that come with a proactive approach (for example, false positives).

The good thing is that DORA distinguishes between requirements that cover ICT services supporting critical or important functions and those that do not. Thus, financial entities that have achieved some maturity in IT governance can focus on what is important and needed. But what about organizations that do not have the necessary experience in the matter? They need a qualified team of Service Delivery Managers, and they need it now, keeping in mind that the DORA deadline is only 7 months away. NATEK Team Experts are always developing their skills to better accommodate the ever-changing expectations of your business. Learn more ABOUT US.

DORA's influence on ICT risk management

DORA applies one set of requirements regardless of whether the ICT service is a cloud computing service or an IT service desk capability, which can be problematic in many cases, since not all of the demands can be applied in the same way to every entity. Considering that most (if not all) functions in financial entities are supported by many different types of ICT services, the task of bringing all of them up to the new standard gets more complicated.

Why do businesses need threat intelligence competences on board?

To visualize the complexity of DORA's requirements and their influence on everyday procedures at a financial organization, consider red teaming, which DORA calls threat-led penetration testing (TLPT). As one of the key elements of the resilience strategy, it is required at least every 3 years, and each test should cover several or all critical or important functions of the financial entity. Importantly, the financial entity is the one that has to ensure the participation of its ICT third-party service providers in the test. And although DORA also applies to ICT third-party service providers, and the testers have to meet the requirements the Act sets for them, the financial entity retains full responsibility at all times for ensuring compliance with the regulation. There is no red teaming without threat intelligence, so you might want to consider having a specialized team on board at all times to avoid complications. Find out more about NATEK IT Solutions and our delivery models.

Moreover, in most (if not all) cases when using ICT services, one must consider the problem of subcontracting. Financial entities have to assess how potentially long or complex chains of subcontracting may impact their ability to fulfill the regulatory requirements. In this area, legislative disparities and uneven national regulatory approaches to outsourcing and cloud computing largely remain, with no noticeable change brought by DORA itself. That is why cybersecurity experts and lawyers are a must-have in your team: they understand the differences and relations between the previous and current regulations, look at them from different areas of expertise and can apply them accordingly in your organization.

Digital Operational Resilience Act FAQ*

*It’s important to note that since the topic is quite complex, the approach should be adapted to each case.

1. What are the crucial elements of resilience testing?

According to DORA (Article 25), resilience testing should include "vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing". The scope covers ICT tools and systems. Financial entities with a high level of maturity in testing should have no problem mapping every item on this list to an existing activity.

2. Should financial entities consider having red teaming capability on their own?

From the regulatory perspective, red teaming resembles an audit. As with any external regulatory audit, we recommend a self-assessment before submitting to the external exercise. Entities can run red teaming themselves (subject to the conditions DORA places on the use of internal testers) or through a trusted business partner. Either way, it is better to reduce the attack surface with your own capability as much as possible before undergoing the regulatory test.

3. Should financial entities deal with threat intelligence on their own?

When using internal testers, financial entities must ensure that the threat intelligence provider is external to the financial entity. Financial entities cannot be efficient or effective at collecting, processing and analyzing threat feeds that cover global threat actors and vulnerabilities for every technology they own. However, financial entities must provide the context needed to filter the vast number of feed items that would otherwise overwhelm their Security Operations Center, and they have to make informed strategic decisions based on the available reports. This is why an internal threat intelligence capability is recommended alongside the external provider.
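The "context" mentioned above is, in practice, the entity's own asset inventory and its BIA classification: an external feed only becomes actionable once it is matched against what the entity actually runs and how critical each system is. The following is an added illustration written for this article, not NATEK's tooling or anything prescribed by DORA. The feed entries, hostnames, vendors, products and field names are all constructed sample data; the only DORA-derived element is the flag marking whether an asset supports a critical or important function, which the example uses to rank hits above raw severity.

```python
"""Filter an external threat-intelligence feed against an internal asset inventory.

Added example with constructed data. Advisory identifiers, vendors, products,
versions and hostnames below are made up; the field names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple[int, ...]:
    """'2.4.51' -> (2, 4, 51). Non-numeric suffixes are cut off (simplifying assumption)."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    ident: str               # feed identifier (constructed, CVE-like)
    vendor: str
    product: str
    introduced_in: str       # first affected version (inclusive)
    fixed_in: Optional[str]  # first fixed version (exclusive); None = no fix published yet
    severity: float          # CVSS-style base score as delivered by the feed


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    version: str
    critical_function: bool  # from the BIA: supports a critical or important function


def is_affected(adv: Advisory, asset: Asset) -> bool:
    """True if the asset runs a version inside the advisory's affected range."""
    if (adv.vendor.lower(), adv.product.lower()) != (asset.vendor.lower(), asset.product.lower()):
        return False
    v = parse_version(asset.version)
    if v < parse_version(adv.introduced_in):
        return False
    if adv.fixed_in is not None and v >= parse_version(adv.fixed_in):
        return False  # already on a fixed release
    return True


def triage(feed: list[Advisory], inventory: list[Asset]) -> list[tuple[str, str]]:
    """Return (advisory id, hostname) pairs the SOC should look at, most urgent first.

    Everything that does not match the inventory is dropped; among the hits,
    assets supporting critical or important functions outrank raw severity.
    """
    hits = [(adv, a) for adv in feed for a in inventory if is_affected(adv, a)]
    hits.sort(key=lambda h: (not h[1].critical_function, -h[0].severity, h[0].ident))
    return [(adv.ident, a.hostname) for adv, a in hits]


# Constructed sample feed and inventory.
FEED = [
    Advisory("ADV-0001", "Acme", "WebGateway", introduced_in="3.0.0", fixed_in="3.2.5", severity=9.8),
    Advisory("ADV-0002", "Acme", "WebGateway", introduced_in="1.0.0", fixed_in="2.9.0", severity=7.5),
    Advisory("ADV-0003", "Globex", "CoreBank", introduced_in="10.0", fixed_in=None, severity=6.1),
    Advisory("ADV-0004", "Initech", "MailRelay", introduced_in="1.0", fixed_in="1.4", severity=9.0),
]
INVENTORY = [
    Asset("pay-gw-01", "Acme", "WebGateway", "3.2.1", critical_function=True),
    Asset("intranet-gw", "Acme", "WebGateway", "3.2.5", critical_function=False),
    Asset("ledger-db-02", "Globex", "CoreBank", "10.3", critical_function=True),
    Asset("test-gw", "Acme", "WebGateway", "3.1.0", critical_function=False),
    Asset("dev-mail", "Initech", "MailRelay", "1.6", critical_function=False),
]

if __name__ == "__main__":
    for ident, host in triage(FEED, INVENTORY):
        print(f"{ident} -> {host}")
```

Of the four feed items, two are discarded entirely (no vulnerable version in the inventory) and one is reported against a non-critical test host behind a lower-severity hit on a critical ledger system. That ordering is the point: the external provider supplies the advisories, but only the entity knows that the ledger supports a critical or important function, and that knowledge is what turns a feed into a work queue the SOC can actually handle.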

4. Is backup and redundancy necessary for any ICT service just because it supports a critical or important function?

ICT services must be designed and used in full alignment with the BIA, in particular with regard to adequately ensuring the redundancy of all critical components. To ensure the restoration of ICT systems and data with minimum downtime, limited disruption and loss, financial entities must develop backup policies and procedures based on the criticality of the information. Entities should also approach backup and redundancy requirements carefully to avoid "over-compliance" and costs without added value. Backup and redundancy relate to data and ICT system components in the context of restoration, disruption and loss; they do not relate directly to the ICT service itself.

5. What is a Minimum Viable Product for a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers?

A register of information in relation to all contractual arrangements on the use of ICT services is a mandatory part of the ICT risk management framework. The management body of the financial entity must regularly review the risks identified in respect of contractual arrangements on the use of ICT services supporting critical or important functions. To do this, financial entities shall maintain and update the register at entity level, and at sub-consolidated and consolidated levels. The ESAs provide a technical standard of around a hundred pages that establishes the standard templates for the register.

Be DORA ready!

Even though accommodating all DORA requirements might be demanding, it is worth keeping in mind this direct quote from the Act: "(…) as long as the main capabilities which financial entities put in place address the various functions in the ICT risk management, financial entities should remain free to use ICT risk management models that are differently framed or categorized." Therefore, it is better to use a business-oriented team with a full understanding of what a sufficient approach looks like and of the agile philosophy: a team that is proficient in all areas regulated by DORA in relation to the available technologies, frameworks and standards.

Do you already have a database of contracts with which you can monitor their compliance with DORA? If you want to achieve 'DORA ready' status quickly and easily, consider a Managed Service approach with a team of System Analysts with cybersecurity experience. How do you adapt your organization's operating model to the DORA requirements so that you stay effective and compliant at the same time? Show us your operating model and we will show you the way. Remember: the clock is ticking!

#workITwithNATEK

We wrote this article in collaboration with Robert Maciej Smoliński, Cloud and AI Governance & Compliance Analyst, who has several years of dynamic experience in the functional and compliance areas of ICT in banking and in property and life insurance environments.