© Copyright Acquisition International 2024 - All Rights Reserved.

Article Image - The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology
Posted 2nd November 2023

The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology

The main objective of the Digital Operational Resilience Act (DORA) is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyberattacks.

Mouse Scroll AnimationScroll to keep reading

Let us help promote your business to a wider following.

The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology
IT Security

Third-party custom data and software providers can help mitigate risk and ensure compliance 

Gareth Mapp, CRO, Software Solved

The main objective of the Digital Operational Resilience Act (DORA) is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyberattacks.  

It also ensures continuity of critical services so that incidents like the 2018 TSB fiasco cannot be repeated. TSB paid out £48 million to the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) plus £33 million to compensate over five million customers when an IT migration left them locked out of their accounts. DORA addresses five topics aimed at enhancing the resilience of financial entities. These are: ICT risk management, ICT-related cyber incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. 

 

What DORA means for the finance sector 

The regulations mean that financial entities will have to report major ICT-related incidents to the authorities within a specific timeframe. Organisations will also have to report the major ICT-related incidents to affected users and clients immediately. There will also be an obligation to record and keep documentation, archives and records for logging information and activities. In the case of DORA, financial entities are required to record all significant cyber threats, which will require an in-depth incident management capability to monitor, handle and resolve cyber incidents. This includes documenting and archiving the processes dependent on ICT third-party service providers and keeping a register of information on all contractual arrangements. 

 

Understanding supply chain threats 

Whilst risk management, incident reporting and resilience testing are all important elements for all organisations, the two pillars that stand-out is the acknowledgement of the threat from third-parties. Cyber-criminals target supply chains to hit organisations through the ‘back-door’; the relationship which ICT companies have with their clients means that key systems are connected.  

DORA raises the bar on how organisations collaborate with third-parties. This includes accountability over vendors, business partners or other third-parties such as software and cloud providers. In order to be compliant with DORA, financial institutions are responsible for governing the relationship with third-parties. 

DORA came into force at the beginning of 2023 and the regulatory and technical standards will be developed by the European Supervisory Authorities (ESA). They draw up warning and recommendations for risk mitigation in the financial sector across Europe and is affiliated with the European Central Bank. By next year, the ESAs will implement the standards and by the beginning of 2025 the DORA requirements will be enforceable with all financial companies expected to be compliant with the regulation by January 2025.  

 

DORA is unavoidable- so don’t wait to mitigate legacy system risk 

UK companies cannot avoid DORA; its reach basically extends to any enterprise offering ICT services that is considered critical to the supply chain supporting the European financial sector (regardless of whether that enterprise or service is based inside the EU). It is also highly likely that DORA will be made UK-specific law, so there is little point in waiting until this happens. 

DORA also stipulates that financial institutions will be required to conduct ICT risk assessments on legacy ICT systems on a regular basis. As technology progresses, support for older systems dwindles with developers and manufacturers prioritising newer systems, gradually making patches and updates scarce, if non-existent, for legacy ones. This absence of continual updates means vulnerabilities in older software and hardware remain unaddressed, making them prime targets for cyberattacks. 

Also, as employees who maintain legacy systems retire, younger employees are less likely to want or be offered training on legacy systems, creating a skills gap and a further cybersecurity risk. Modern cyber security tools often struggle to integrate with older systems. Legacy systems might lack the necessary functionalities to accommodate advanced security measures, leaving gaps in the defence framework. 

 

Third-party data and software providers can ensure compliance  

Even though 2025 seems a long way off, companies need to start working now to ensure that they are compliant in good time. Industries, especially those with entrenched infrastructures such as: banks, insurance companies and investment firms, cannot easily overhaul their systems without massive disruptions. So, the balance between maintaining legacy systems and transitioning to newer technology is a delicate dance. 

These institutions need to look to custom data and software specialists who can look at the detail of the regulations and establish how far reaching they are for your organisation. Then they can start to define the scope of the project within the context of the risks you are likely to come across as a business. Critical to being compliant to DORA regulations, custom software and data specialists will be able to ensure you have the right layers of technology in place to mitigate day-to-day operational risks. 

 

Don’t compromise operational resilience- put the right controls in now 

By putting in the right controls now you will save yourself time in the long run. Custom data and software specialists will be able to ensure you have no legacy systems that rely on less up-to-date technology and could compromise your operational resilience. Having the right technology in place will enhance the ability of your organisation to withstand and quickly recover from disruption should it occur. 

Whilst the enforcement of the regulation seems that it will be proactive, there is still some uncertainty about the penalties of not being compliant, the way that the regulation has been introduced points to some fairly hefty consequences. It has been suggested that a fine will be issued in perhaps equal to one day’s trading. There is, unlike some other regulations, also a criminal element with charges likely to be brought against companies and individuals who do not adhere to the regulation.  

There is no one-size-fits-all approach to being DORA compliant, but by turning to custom data and software specialists, financial institutions can ensure a clear ICT third-party risk management strategy is in place. Starting your DORA preparations now will ensure you are one step ahead.  

Categories: Finance, Legal, News


You Might Also Like
Read Full PostRead - Eye Icon
Global Action Camera Market Experiencing Rapid Growth
Innovation
26/02/2015Global Action Camera Market Experiencing Rapid Growth

New report expects the Global Action Camera market to grow at a CAGR of 22.2% over the period 2014-2019.

Read Full PostRead - Eye Icon
In Debt for the First Time – How Your Business Needs to Treat the New Wave of Debtors
Finance
09/12/2022In Debt for the First Time – How Your Business Needs to Treat the New Wave of Debtors

As interest rates are hiked by ratios not seen in decades, the fallout from slowing economies across the world is likely to hit middle income earners as much, or more, as those on lower incomes. While those at the poorest ends of society are well-versed in bei

Read Full PostRead - Eye Icon
Technology Aftermarket Support Secures Success
Innovation
23/03/2020Technology Aftermarket Support Secures Success

Technical services and aftermarket support have become an increasingly important battleground for technology manufacturers as the expectations of consumers and end-users continue to rise. Rising to meet them is Qcom, a support partner which delivers these serv

Read Full PostRead - Eye Icon
Five Types of Security Your Business Office or Warehouse Needs Today
News
01/06/2022Five Types of Security Your Business Office or Warehouse Needs Today

Increasingly, safety in the workplace has become a priority for many business owners.  Ensuring workers are safeguarded from on-the-job hazards is simply a good practice to have in place.  It can protect your business from litigious consequences and helps yo

Read Full PostRead - Eye Icon
MUFG Investor Services to Acquire Capital Analytics from Neuberger Berman
Finance
04/02/2016MUFG Investor Services to Acquire Capital Analytics from Neuberger Berman

MUFG Investor Services, the global asset servicing group of Mitsubishi UFJ Financial Group, has reached an agreement with Neuberger Berman, one of the world’s leading private, employee-owned investment managers, to acquire its private equity fund administrat

Read Full PostRead - Eye Icon
Maximising Value from the Cloud: The Role of Cloud Consulting Services
Strategy
11/01/2024Maximising Value from the Cloud: The Role of Cloud Consulting Services

In the era of digital transformation, cloud computing has become a cornerstone for modern businesses. It offers scalability, flexibility, and cost-effectiveness, transforming how organisations operate and compete.

Read Full PostRead - Eye Icon
Striving for Excellence in Banking
Finance
28/06/2017Striving for Excellence in Banking

Ben is a commercially astute banking executive with an outstanding PanAfrican track record of success in developing profitable business functions and turning around poorly performing ones. Following his success in the Manager of the Year – Kenya award, as pa

Read Full PostRead - Eye Icon
How Are Assets and Investments Divided After a Divorce?
Legal
25/05/2023How Are Assets and Investments Divided After a Divorce?

Going through a divorce can be one of the most challenging experiences in life, and sorting out financial matters can make it even more complicated.

Read Full PostRead - Eye Icon
Dell to Acquire EMC in Biggest Tech Deal of All Time
M&A
16/10/2015Dell to Acquire EMC in Biggest Tech Deal of All Time

Dell has agreed to acquire EMC for $67 billion or £33.15 a share, by far the biggest technology deal of all time.



Our Trusted Brands

Acquisition International is a flagship brand of AI Global Media. AI Global Media is a B2B enterprise and are committed to creating engaging content allowing businesses to market their services to a larger global audience. We have 14 unique brands, each of which serves a specific industry or region. Each brand covers the latest news in its sector and publishes a digital magazine and newsletter which is read by a global audience.

Arrow