When the Digital Operational Resilience Act (DORA) comes into effect in January 2025, it will impact 21 covered entities from investment firms to ICT third-party service providers. Is your firm ready? Now is the time to evaluate your preparedness and implement the necessary strategies to ensure compliance ahead of the deadline.
Unlike earlier cybersecurity regulations such as GDPR, DORA will set a single standard across the EU and go beyond cybersecurity risk management to address operational resilience. As disruptions like the ransomware attack on Ion Markets continue to hit the financial services sector, firms recognize that cybersecurity risk management and operational resilience are imperative to ensure they can respond quickly to any business disruption with minimum downtime.
Every firm should be familiar with DORA’s five pillars of resilience, understand how its cybersecurity and resilience programs measure up, and prepare now for the upgrades needed ahead of the deadline. Is your firm ready to meet these five pillars?
1. ICT Risk Management – Evaluating your written cybersecurity policies and identifying any gaps in the classification of critical functions, threat detection and disaster recovery plans. Firms can then create a framework that outlines strategies, policies and procedures to secure ICT assets and the offline infrastructure supporting them. This is not a one-time exercise – it should be continuously improved on the basis of lessons derived from implementation and monitoring.
2. ICT-related Incident Management – Assessing reporting ability and building out policies and processes to streamline tasks. Under DORA, firms must classify and log ICT incidents and identify major incidents as well as report incidents.
3. Digital Operational Resilience Testing – Conducting appropriate tests such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing to satisfy compliance requirements ahead of the deadline. To remain compliant, you’ll need to ensure tests are undertaken by independent parties, whether internal or external, be able to identify and mitigate the risks they uncover, and perform Threat-Led Penetration Testing (TLPT) for services that support critical functions.
4. ICT Third-Party Risk Management – Ensuring that internal and third-party systems are secure. Now is the time to begin engaging with your third parties to identify risk management practices in place and strengthen operational resilience.
5. Information Sharing – DORA promotes information sharing across financial entities and regulatory authorities. But there’s no need to wait for the deadline. Businesses can begin sharing critical information on threats and vulnerabilities with their peers today through membership in organizations such as FS-ISAC and CiSP, or directly through Drawbridge.
DORA is the latest in ongoing efforts by regulators to ensure firms that serve financial markets have the right defenses to mitigate cyber-attacks and ensure business resilience. To meet and exceed the five pillars of DORA, firms must work with a partner that understands the intricacies of the financial markets and how operational resilience and cybersecurity intersect. With the right partner and internal controls in place, firms can ensure their business is prepared to navigate unforeseen disruptions and can keep themselves and the wider industry safe from future turbulence.
To learn more about what your firm can do today to ensure compliance before the DORA deadline, reach out to the Drawbridge experts. DORA will require significant due diligence – is your firm’s operational resilience program ready?