Banks are not complying with the EU’s DORA cyber law as it comes into force



New regulations are forcing organizations to take cyber security more seriously.

Sean Gladwell | Moment | Getty Images

Tough new European Union rules requiring banks to strengthen their cyber security systems officially come into force on Friday – but many of the bloc’s financial services firms are still not fully compliant.

The EU's Digital Operational Resilience Act, or DORA, requires both financial services firms and their technology suppliers to harden their IT systems so that the industry remains resilient in the event of a cyber attack or any other form of disruption. It applies from January 17.

Penalties for violating the new legislation can be significant. Financial services companies that fail to comply with the new rules could face fines of up to 2% of annual global revenue. Individual managers can also be held liable for violations and face fines of up to 1 million euros ($1 million).

So far, compliance with the new rules among financial services firms has been mixed, according to Harvey Jang, chief privacy officer and deputy general counsel at IT giant Cisco.

“I think we’ve seen a mixed bag,” Jang said in an interview with CNBC. “Certainly, more mature companies will look at it for at least a year – if not more.”

“We’re really trying to build that compliance program, but it’s very complicated. I think that’s a problem. We’ve seen it with GDPR and other broad legislation that’s subject to interpretation — what does it actually mean to comply? It means different things to different people,” he said.


Jang added that the lack of a common understanding of what counts as robust DORA compliance has, in turn, led many institutions to raise their security standards to levels that exceed the “baseline” expected of most firms.

Are financial institutions ready?

Under DORA, financial firms are required to put in place strict ICT risk management, ICT incident management, classification and reporting, digital operational resilience testing, sharing of cyber threat and vulnerability intelligence, and ICT third-party risk management.

Firms are also required to assess “concentration risk” when outsourcing critical or important functions to third-party providers.

A survey of 200 UK chief information security officers, commissioned by Orange Cyberdefense, the cybersecurity division of French telecommunications firm Orange, found that 43% of financial institutions in Britain are still not fully compliant with DORA.

This matters because, although the UK is outside the European Union, DORA applies to financial institutions operating in EU jurisdictions even if they are based outside the bloc.

“While it is clear that DORA has no legal nexus in the UK, entities based here and operating in or providing services to the EU will be subject to the regulation,” Richard Lindsay, senior advisory consultant at Orange Cyberdefense, told CNBC.

He added that for many financial institutions, a key challenge to achieving DORA compliance is managing their critical third-party IT providers.

“Financial institutions operate within a multi-layered and highly complex digital ecosystem,” Lindsay said. “Monitoring and ensuring that all parts of this system clearly comply with the relevant elements of DORA will require new ways of thinking, solutions and resources.”

Because of DORA’s strict requirements, banks are also applying greater scrutiny in contract negotiations with technology vendors, Jang said.

Cisco’s chief privacy officer told CNBC that he thinks there is alignment on the principles and spirit of the law, but that the difficulty lies in the detail.

“The principles we agree on, but any legislation is a product of compromise, and the more prescriptive they become, the more difficult it becomes,” he said.

Still, despite the challenges, the broad expectation among experts is that banks and other financial institutions will achieve compliance before long.

“Banks in Europe already follow significant regulations covering most of the areas covered by DORA,” Fabio Colombo, EMEA head of financial services security at Accenture, told CNBC.

“As a result, financial services institutions now have mature governance and compliance capabilities, existing incident reporting processes and robust ICT risk frameworks.”

Risks for IT suppliers
