Table of Contents
Cyber-attacks are the order of the day. Organizations operating in sectors as complex and relevant as energy, water, or finance should not ask themselves if an attack is going to happen, but rather «am I prepared to deal with it successfully?».
The CIO of one of Spain’s leading financial institutions summed up the question categorically: the security of money is non-negotiable. People and businesses invest a great deal of effort, time, and talent in making money. This is the fruit of our labor, but also an asset that gives us certainty. If a company jeopardizes it, confidence in it will be shaken for years to come.
Trust is precisely one of those intangible assets that are part of the core of a successful company. And one that we often don’t pay attention to. While trust is important in any economic sector, for the banking business it is, directly, vital. A matter of life and death.
That is why the future DORA regulation, on the digital operational resilience of the financial sector, seeks to safeguard the public’s trust in this type of entity. This regulation is in the final stages of approval, following the agreement reached by the Council and the European Parliament. Its ultimate aim is to ensure that the answer to the question «Can EU financial institutions withstand a cyberattack?» is a categorical «yes».
1. ICT risk management: prevent, resist… and recover
When we think of an attack on a financial institution, it is quite plausible that our minds are filled with images of robbers hijacking a bank branch or bursting a security camera and extracting gold bars. But the truth is that today, the financial sector is fully digitized and it is more plausible that the bad guys will manifest themselves through cyber-attacks than with socks on their heads.
For this reason, the management of ICT-related risks is a matter of vital importance and strategic value for any financial institution. Hence, the future DORA regulation puts the spotlight on the role to be played by the boards of directors of financial institutions in the securitization of their assets. These bodies will have to:
- Establish the appropriate risk tolerance level for the entity.
- Approve and periodically review business continuity plans, disaster recovery plans, and ICT security audit plans.
- Oversee agreements with ICT service providers.
- Be informed periodically of incidents that occur.
1.1. ICT risk management framework: from identification to recovery
Financial institutions must have a complete and robust ICT risk management framework that includes all the procedures and actions to be carried out in this area. This framework should cover the four fundamental areas of ICT risk management:
- Identification. Entities need to identify accurately and in detail all their ICT-related business functions and the information assets that support these functions. In addition, they should continuously identify the main sources of ICT risks and identify processes that rely on third-party providers.
- Protection and prevention. Entities will have to design and implement ICT security strategies, procedures, and tools to ensure the resilience and availability of systems, business continuity, and data protection.
- Detection. Organizations will have to have mechanisms in place to facilitate the rapid detection of anomalous ICT-related activities.
- Response and recovery. This area is of paramount importance in the DORA regulation. In such a way that this regulation will establish the duty to:
- Record all incidents.
- Ensure business continuity.
- Respond quickly and effectively to incidents.
- Implement containment plans.
- Estimate damages and losses.
- Implement communication and crisis management plans.
- Design and implement a disaster recovery plan.
To this end, financial institutions should test their business continuity policy and recovery plan at least once a year.
The entire framework should be analyzed by ICT auditors periodically, depending on the characteristics of each entity, its subsector, and the risks it faces.
1.2. Reducing recovery times
The DORA regulation focuses particularly on recovery from attacks on ICT infrastructures. It, therefore, makes it a priority to restore ICT systems after an incident with minimum downtime and limited disruption. To this end, financial institutions must have
- A precise backup policy, making explicit the scope of the data to be backed up and the frequency with which it is backed up, depending on the relevance and sensitivity of the information.
- Recovery methods.
In addition, the regulation specifies a series of specific actions that backup systems must comply with, stressing the importance of recovering functions.
Finally, the ability of financial institutions to learn and evolve will also be emphasized, based on the review of incidents, but also on the digital operational resilience tests that we will discuss later.
2. Notification of serious incidents
In addition to ICT risk management, DORA requires financial institutions to report serious ICT-related incidents. They must therefore send the competent authorities three different notifications:
- An initial notification before the end of the business day on which the incident occurred.
- An interim report, to be sent within one week of the first notification.
- A final report, due no later than one month after the first notification. This document must contain an analysis of the cause and the actual figures of the incident.
In order to facilitate this work, the DORA regulation harmonizes the reporting templates, setting out precisely the content of the information to be submitted.
The aim of this information effort required of entities is to increase the information available to the competent authorities on ICT vulnerabilities and risks. In order to increase the prevention and response capacity of both institutions and the financial sector itself.
Likewise, The DORA regulation also aims to create a single EU center to centralize all information related to serious ICT incidents. Although this measure is not provided for in the articles, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) are entrusted with studying its feasibility, in consultation with the European Central Bank (ECB) and the European Union Agency for Cybersecurity (ENISA). The centralization of the collection of information would complete the harmonization of regulations and the content of notifications.
3. Digital Operational Resilience Testing
The third key point of the DORA regulation, as regards the financial institutions that will be covered by it once it comes into force, revolves around the obligation to perform digital operational resilience tests.
The purpose of these tests is to check the state of preparedness of financial institutions’ systems in the event of ICT-related incidents. In order to detect vulnerabilities and take immediate action to remedy them. The testing program must be part of the ICT risk management framework. And organizations will be obliged to:
- Take into account the constant changes that occur in the field of ICT risks.
- Ensure that testing is performed by independent parties, whether internal or external to the organization.
- Have clear policies for prioritizing, classifying, and resolving vulnerabilities detected during testing.
- Test all critical ICT systems and applications at least once a year.
The DORA regulation contemplates two different types of testing: basic and advanced. The former range from vulnerability assessments to end-to-end testing and penetration testing. The latter, which are more complex and ambitious, will have to be performed at least every three years.
3.1. Threat-Led-Penetration Testing
Although this type of testing is not an innovation of DORA, the new regulation deepens its implementation throughout the EU and in a large part of the financial sector entities.
Therefore, threat-guided penetration testing must cover, as a minimum, all critical functions and services of the institution, and its scope must be defined by the institution, but validated by the competent authority. ICT service providers should also be included in such tests. The risks associated with the tests must be scrupulously controlled and the tests must be carried out by external testers.
Although DORA does not establish precisely which financial institutions will have to carry out these advanced tests, it delegates this task to the competent authorities (EBA, ESMA, and EIOPA), which, after consulting the ECB, will have to take it into account:
- The essential nature of the services and activities of each financial institution.
- Systemic nature of the institution, both at the national and EU level.
- Specific ICT risk profile of each organization, as well as its ICT maturity level and technological characteristics.
However, prior to the entry into force of DORA, draft technical standards will be developed to regulate these tests more precisely: specifying their scope, the methodology to be used in each phase, and how the results are to be analyzed and action is taken accordingly to remedy the problems detected.
3.2. DORA and TIBER-EU: fortifying the financial sector
As mentioned above, this type of advanced testing is not new. The ECB had previously launched the TIBER-EU project: a common framework for implementing ethical red team services based on threat intelligence. The aim of this program is to help financial institutions and cybersecurity companies define the tests to be performed, focusing on two phases:
- Cyberintelligence. In order to identify malicious actors, their intentions, and ways of operating.
- Red Team. Execute cyber-attacks to measure their effectiveness and the ability of financial institutions to withstand them.
Although the TIBER-EU tests are voluntary, once they are successfully passed, the financial entity receives approval that certifies the fortification of its systems and assets against attacks.
That is why many institutions are trying to obtain this certification, relying on the services of cybersecurity companies such as Tarlogic Security, which has extensive knowledge and proven experience in Red Team and cyberintelligence services. That’s why José Lancharro, director of BlackArrow, Tarlogic’s offensive and defensive services division, says that the company is currently working «with a TIBER scheme in a project we are carrying out for financial institutions».
In view of the above, the DORA regulation extends the implementation of guided penetration testing, based on real and specific threats, to a large part of the EU financial sector. In order to help financial institutions to be prepared to resist cyber-attacks, increasing the protection of the European economy and citizens.
3.3. Requirements to be met by testators
Although it is the financial institutions that must undergo these tests, who should perform them?
Methodologies and activities of such importance for financial institutions and of great technical complexity must be carried out by cybersecurity experts with extensive knowledge in this field.
Consequently, the DORA regulation establishes the requirements to be met by the testators:
- Suitability and prestige.
- Specific technical and organizational capabilities in threat intelligence, pentesting, and Red Team services.
- Accreditation from an official EU member state certification body or adherence to official ethical frameworks.
Nonetheless, if the cybersecurity professionals performing the tests are external to the company, they must have an audit that certifies the optimal management of the risks associated with the execution of pentesting, paying special attention to the protection of confidential information and measures to counteract the operational risks of the tests. Likewise, the treatment of the results obtained during threat-guided penetration tests must be scrupulous and avoid risks for the financial institution. Finally, these testers must have professional liability insurance, covering the risks of misconduct and negligence.
Tarlogic Security has extensive experience in the provision of cybersecurity services, design, implementation, and analysis of pentesting and Red Team services. Over the years, it has also worked with various financial sector entities to help them combat cyber-attacks, reduce ICT risks and remedy possible vulnerabilities in their systems.
4. Which financial institutions will be affected by DORA regulation?
Throughout this article, we have referred globally to the organizations that make up the European financial sector, but which entities exactly are we referring to?
Well, DORA will be mandatory for practically all the players in the sector:
- Credit institutions, payment institutions, electronic money institutions, and central counterparties.
- Investment services companies.
- Crypto-asset service providers.
- Central securities depositories.
- Trading venues.
- Trade repositories.
- Alternative investment fund managers.
- Management companies.
- Providers of data supply services.
- Insurance and reinsurance companies, as well as intermediaries in these areas.
- Retirement pension funds.
- Credit rating agencies.
- Critical benchmark index administrators.
- Providers of equity financing services.
- Securitization registries.
- Third-party ICT service providers.
Although they were initially included in the regulation, following the agreement reached by the Council and the Parliament, auditors will not initially be subject to DORA. However, they will be included in a future revision of the regulation.
Besides, another aspect to be highlighted is the inclusion of third-party ICT service providers since this measure is one of the major new features of the regulation.
4.1 Proportional requirements
It’s also important to point out that the regulations established by DORA will be applied proportionally to the different entities affected, taking into account their size and complexity, as well as the subsector to which they belong, their relevance to the socioeconomic system or their degree of technological maturity.
Thus, as noted above, digital operational resilience tests will be more demanding for the most significant organizations, such as large credit institutions or stock exchanges.
Likewise, tests in subsectors of vital importance to EU economies such as banking will be more complex than in less relevant subsectors or those whose systemic nature is less pronounced.
5. Putting the focus beyond the sector: ICT suppliers
First of all, we must clarify what the DORA regulation refers to when it talks about ICT providers. According to the definition of the future regulation, they are companies that offer digital and data services, such as cloud services, software and analytics, and data centers.
These types of companies, which are vital to the day-to-day operations of financial institutions, must also be able to withstand and recover from cyberattacks. It is of no use for the internal systems of financial organizations to be secure if those of their ICT providers are not.
DORA, therefore, starts from the general principle that vendor-related risks must be integrated into the ICT risk management framework of each financial institution. As a result, financial institutions will have to constantly monitor their security arrangements with their suppliers.
But the regulation goes further by empowering the competent authorities to supervise these suppliers. Thus, a particular ICT provider may be identified as critical, depending on the financial institutions that depend on its services. Critical providers will be supervised by one of the competent authorities (EBA, EIOPA, and ESMA).
The latter may request information and conduct general inquiries and on-site inspections. In case of non-compliance, the authorities may impose coercive fines on suppliers daily. Such fines will be equal to 1% of the supplier’s average daily worldwide turnover in the previous fiscal year.
In addition, essential or critical ICT suppliers from non-EU countries must establish a subsidiary in the EU, to facilitate that the monitoring tasks can be carried out as normal.
6. DORA and NIS2: a new regulatory framework in the making
The DORA regulation is not the only initiative that has been launched within the EU in recent times. In addition to the aforementioned TIBER-EU program, in parallel to the adoption of DORA, the Union is in the process of reforming the NIS directive, giving birth to NIS2.
Thus, NIS2 and DORA will lay the foundations for a common European regulatory framework for all countries, focused on fortifying and protecting strategic sectors (NIS2) and, in particular, the financial sector (DORA), against cyber-attacks and risks related to new technologies.
The existence of both standards will not create confusion when it comes to financial institutions knowing precisely what their obligations are in terms of cybersecurity. Rather, they will have at their disposal all the regulations that concern them, with the principle of lex specialis taking precedence in the relationship between the two provisions.
In general terms, we can point out that the future DORA regulation will contribute to helping financial institutions to resist cyber-attacks by enhancing:
- The creation of ICT risk management frameworks in which not only prevention, identification, and resistance to attacks are valued, but also recovery tasks are especially enhanced, to ensure business continuity and that the European socio-economic system is not affected.
- More and better communication between entities and authorities regarding serious incidents.
- Cyber-intelligence and Red Team services to identify threats and test entities’ systems.
- The supervision of ICT providers, given their relevance in the operation of the financial sector, especially because of the leap to the cloud.
This article is part of a series of articles about TIBER-EU
- TIBER-EU, time to close the cybersecurity overdraft
- TIBER-EU calls on cyber intelligence to arm banks
- Red Team, the soldiers of the TIBER-EU program
- DORA Regulation: Can your bank withstand a cyber-attack?
- NIS2: Strengthening the cybersecurity of the EU’s strategic sectors