Exploring DORA: navigating upcoming financial services regtech

By: Pravin Vijay, Senior financial services solutions engineer at Zayo Europe

The financial services industry has long been a prime and lucrative target for hackers. While their objectives may vary, there is the opportunity for financial gain through extortion, operational disruption, market manipulation and the theft of sensitive personal data. Some cybercriminals may be motivated by the turmoil created when individuals cannot access their finances.

Our data highlights the huge scale of the threat, revealing that financial services organisations experienced a 93% increase in DDoS attacks from Q1 to Q4 last year. These attacks have not just become more frequent, either. The average duration of an attack against a financial services organisation reached almost 40 minutes, approximately twice the length of those against retailers.

Building a robust defence

In response to the escalating threat landscape, the EU announced the Digital Operational Resilience Act (DORA). This framework aims to strengthen the cybersecurity of financial entities, including banks, investment firms, fintechs and insurance companies. DORA represents a collaborative effort between the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority, which gives it a vast remit and wide-ranging enforcement capabilities.


DORA specifically targets the security and resilience of digital operations across the sector, extending its reach to third-party technology service providers within the industry. This act marks a pivotal shift in approach in the financial sector, where operational resilience becomes the priority.

EU-based organisations have until January 2025 to comply, but UK firms should also pay attention, as the UK is currently working on its own version of DORA. Once both versions of the legislation are in effect, any UK technology companies serving financial customers in the EU will need to adhere to both regulatory regimes concurrently.

To meet the EU’s DORA requirements, firms must implement a comprehensive framework addressing five key pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing. This involves developing strategies for prevention, response, and recovery, and ensuring proper management and staff education.

DORA packs a punch

The European Supervisory Authorities (ESAs) are tasked with enforcing stringent financial penalties to ensure digital operational resilience within the industry. They have supervisory and investigatory powers, including the ability to issue notices of administrative penalties. To meet DORA’s new standards, critical service providers must establish an EU subsidiary within 12 months of designation.

The consequences of non-compliance are significant. Financial institutions risk fines of up to 2% of annual global turnover or up to 1% of daily global turnover. Individuals and companies could be fined up to €1.000.000. For critical third-party ICT service providers, the stakes are even higher – fines may increase to €5.000.000, or €500.000 for individuals.

However, even if policymakers and regulators adhere to all rules and recommendations, the industry’s reliance on technology and its exposure to human failures remains unchanged. Consequently, regulators must also strengthen in-house tech expertise, depoliticise cybersecurity in a borderless world, and leverage new technologies.

Establishing strong foundations

Before implementing the measures stipulated in DORA, it’s crucial for firms to build a solid foundation. To ensure compliance with the various elements of this new legislation, organisations need an agile network infrastructure that serves as the backbone for connectivity and security measures.

Legacy or dated technologies at any point in an organisation’s network infrastructure could now pose compliance challenges. Once both regulatory environments are operating simultaneously, it will be vital for organisations of all sizes to eliminate any weak points in their network. Without this strong and flexible infrastructure, achieving effective security and compliance will become virtually impossible.

Oversight issues can arise from having an excess of vendors, tools, or links in the chain, any of which can cause an organisation to fall foul of DORA. As the industry intensifies its preparations for DORA’s implementation in January 2025, many are prioritising the essential first step of ensuring their network foundations are robust, adaptable and future-proofed.
