© Copyright Acquisition International 2024 - All Rights Reserved.

Article Image - The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology
Posted 2nd November 2023

The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology

The main objective of the Digital Operational Resilience Act (DORA) is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyberattacks.

Mouse Scroll AnimationScroll to keep reading

Let us help promote your business to a wider following.

The Digital Operational Resilience Act: What This Means for the Finance Sector and Its Legacy Technology
IT Security

Third-party custom data and software providers can help mitigate risk and ensure compliance 

Gareth Mapp, CRO, Software Solved

The main objective of the Digital Operational Resilience Act (DORA) is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk of depending on Information and Communication Technology (ICT) related services that are increasingly vulnerable to disruptions and cyberattacks.  

It also ensures continuity of critical services so that incidents like the 2018 TSB fiasco cannot be repeated. TSB paid out £48 million to the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) plus £33 million to compensate over five million customers when an IT migration left them locked out of their accounts. DORA addresses five topics aimed at enhancing the resilience of financial entities. These are: ICT risk management, ICT-related cyber incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. 

 

What DORA means for the finance sector 

The regulations mean that financial entities will have to report major ICT-related incidents to the authorities within a specific timeframe. Organisations will also have to report the major ICT-related incidents to affected users and clients immediately. There will also be an obligation to record and keep documentation, archives and records for logging information and activities. In the case of DORA, financial entities are required to record all significant cyber threats, which will require an in-depth incident management capability to monitor, handle and resolve cyber incidents. This includes documenting and archiving the processes dependent on ICT third-party service providers and keeping a register of information on all contractual arrangements. 

 

Understanding supply chain threats 

Whilst risk management, incident reporting and resilience testing are all important elements for all organisations, the two pillars that stand-out is the acknowledgement of the threat from third-parties. Cyber-criminals target supply chains to hit organisations through the ‘back-door’; the relationship which ICT companies have with their clients means that key systems are connected.  

DORA raises the bar on how organisations collaborate with third-parties. This includes accountability over vendors, business partners or other third-parties such as software and cloud providers. In order to be compliant with DORA, financial institutions are responsible for governing the relationship with third-parties. 

DORA came into force at the beginning of 2023 and the regulatory and technical standards will be developed by the European Supervisory Authorities (ESA). They draw up warning and recommendations for risk mitigation in the financial sector across Europe and is affiliated with the European Central Bank. By next year, the ESAs will implement the standards and by the beginning of 2025 the DORA requirements will be enforceable with all financial companies expected to be compliant with the regulation by January 2025.  

 

DORA is unavoidable- so don’t wait to mitigate legacy system risk 

UK companies cannot avoid DORA; its reach basically extends to any enterprise offering ICT services that is considered critical to the supply chain supporting the European financial sector (regardless of whether that enterprise or service is based inside the EU). It is also highly likely that DORA will be made UK-specific law, so there is little point in waiting until this happens. 

DORA also stipulates that financial institutions will be required to conduct ICT risk assessments on legacy ICT systems on a regular basis. As technology progresses, support for older systems dwindles with developers and manufacturers prioritising newer systems, gradually making patches and updates scarce, if non-existent, for legacy ones. This absence of continual updates means vulnerabilities in older software and hardware remain unaddressed, making them prime targets for cyberattacks. 

Also, as employees who maintain legacy systems retire, younger employees are less likely to want or be offered training on legacy systems, creating a skills gap and a further cybersecurity risk. Modern cyber security tools often struggle to integrate with older systems. Legacy systems might lack the necessary functionalities to accommodate advanced security measures, leaving gaps in the defence framework. 

 

Third-party data and software providers can ensure compliance  

Even though 2025 seems a long way off, companies need to start working now to ensure that they are compliant in good time. Industries, especially those with entrenched infrastructures such as: banks, insurance companies and investment firms, cannot easily overhaul their systems without massive disruptions. So, the balance between maintaining legacy systems and transitioning to newer technology is a delicate dance. 

These institutions need to look to custom data and software specialists who can look at the detail of the regulations and establish how far reaching they are for your organisation. Then they can start to define the scope of the project within the context of the risks you are likely to come across as a business. Critical to being compliant to DORA regulations, custom software and data specialists will be able to ensure you have the right layers of technology in place to mitigate day-to-day operational risks. 

 

Don’t compromise operational resilience- put the right controls in now 

By putting in the right controls now you will save yourself time in the long run. Custom data and software specialists will be able to ensure you have no legacy systems that rely on less up-to-date technology and could compromise your operational resilience. Having the right technology in place will enhance the ability of your organisation to withstand and quickly recover from disruption should it occur. 

Whilst the enforcement of the regulation seems that it will be proactive, there is still some uncertainty about the penalties of not being compliant, the way that the regulation has been introduced points to some fairly hefty consequences. It has been suggested that a fine will be issued in perhaps equal to one day’s trading. There is, unlike some other regulations, also a criminal element with charges likely to be brought against companies and individuals who do not adhere to the regulation.  

There is no one-size-fits-all approach to being DORA compliant, but by turning to custom data and software specialists, financial institutions can ensure a clear ICT third-party risk management strategy is in place. Starting your DORA preparations now will ensure you are one step ahead.  

Categories: Finance, Legal, News


You Might Also Like
Read Full PostRead - Eye Icon
5 Resources to Help You Find a Knowledgeable Personal Injury Lawyer in Atlanta
Legal
13/05/20245 Resources to Help You Find a Knowledgeable Personal Injury Lawyer in Atlanta

After an incident, the aftermath entails stress and chaos. If involved in a car accident, for example, you’re already dealing with injuries, damage to your automobile, and intricacies involved.

Read Full PostRead - Eye Icon
Preventing Legal Hassles: Why Workers’ Compensation Insurance is Crucial for Businesses
Legal
07/08/2023Preventing Legal Hassles: Why Workers’ Compensation Insurance is Crucial for Businesses

When it comes to running a business, there are many factors to consider, including the well-being and safety of your employees.

Read Full PostRead - Eye Icon
Winners Directory 2017
Strategy
18/04/2017Winners Directory 2017

From leading advisors to legal experts, or innovative accountancy firms and renowned bankers.

Read Full PostRead - Eye Icon
Grant Thornton Advises Octopus Investment in Oxifree
Finance
06/08/2015Grant Thornton Advises Octopus Investment in Oxifree

Grant Thornton Advises Octopus Investment in Oxifree

Read Full PostRead - Eye Icon
UK Founded Tech Firm Acquires US Brand Integrity
Finance
19/07/2018UK Founded Tech Firm Acquires US Brand Integrity

UK-founded, global employee engagement company Reward Gateway announced today that it has acquired Brand Integrity, a 15-year-old employee engagement specialist operating from Rochester, N.Y.

Read Full PostRead - Eye Icon
AI at Work: It’s Here and It’s Working, Whether You Know It or Not
Innovation
01/11/2023AI at Work: It’s Here and It’s Working, Whether You Know It or Not

Don’t call it a takeover, AI’s been here for years. A new global study from HR, payroll, and workforce management software provider UKG reveals that many people use AI daily both at home and at work, and it’s already making millions of jobs easier — em

Read Full PostRead - Eye Icon
Resolution Insurance Majority Stake Acquisition
Finance
19/03/2015Resolution Insurance Majority Stake Acquisition

LeapFrog Investments, the private equity firm with a focus on Africa and Asia, said it will pay 1.68 billion shillings ($19 million) to gain control of Kenya’s Resolution Insurance and tap growth in health coverage.

Read Full PostRead - Eye Icon
How Smart Technology is Helping the Manufacturing Industry
Innovation
12/04/2021How Smart Technology is Helping the Manufacturing Industry

The secret to this progression is advances in technology. Not only has it allowed businesses to speed up production and increase efficiency it has brought greater profit margins too. In today’s market, it’s all about ‘smart technology’ or more accurate

Read Full PostRead - Eye Icon
The Surprising Secret to Improving Employee Engagement
Leadership
20/03/2019The Surprising Secret to Improving Employee Engagement

Eighteen years ago, the Gallup corporation did some research on a hot “new” topic - employee engagement - and reported some distressing numbers.



Our Trusted Brands

Acquisition International is a flagship brand of AI Global Media. AI Global Media is a B2B enterprise and are committed to creating engaging content allowing businesses to market their services to a larger global audience. We have 14 unique brands, each of which serves a specific industry or region. Each brand covers the latest news in its sector and publishes a digital magazine and newsletter which is read by a global audience.

Arrow