Finance Derivative

Strategies for financial services firms to handle the changing compliance environment


Mark Nutt, Senior Vice President, International Sales at Veritas Technologies

Data has never been more crucial or provided a greater opportunity for companies in the financial services sector than it does right now. Effective use of data can lead to higher profits, better productivity, and improved customer service. However, when timely and reliable access to this data is compromised, deliberately or not, the negative reputational and business impact can be catastrophic. We have seen this recently with the CrowdStrike global IT outage impacting many industries around the world.

Whilst data is valuable, it is also vulnerable. It is an attractive target for cybercriminals who extort financial services firms by threatening the data they hold. Indeed, according to a report from cybersecurity firm Sophos, ransomware attacks hit 64% of financial services organisations, roughly three in five, in the last year. These businesses handle a staggering quantity of private and sensitive data, so the potential damage from a successful attack is severe.

The sensitivities around data in the financial services sector mean that new regulations are regularly introduced to reduce both the risks and the business impact. Compliance with new legislation is a key requirement in any industry, but it is particularly crucial when it comes to keeping data secure.

A landscape rife with legislation

A paradigm shift towards more proactive risk management is clear throughout Europe, with the recent introduction of several pieces of EU legislation designed to protect digital and critical infrastructure, and thereby user data. They include the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) and the NIS2 Directive (Network and Information Security Directive 2). All three are designed to increase cyber resilience, with penalties imposed for non-compliance.

DORA, one of the newest EU regulations, has been the subject of much attention in recent months. It entered into force in January 2023 with the goal of strengthening cyber resilience across the financial market. With all financial entities in scope, including banks, insurance companies, payment and credit institutions and their ICT third-party service providers, expected to be compliant by January next year, the clock is very much ticking to implement the necessary tools and processes.

The goal of DORA is to increase the resilience of the financial services industry's increasingly interconnected, international digital infrastructure. Businesses must concentrate on developing a digital resilience strategy and a digital resilience framework. In fact, the term "recover" appears 60 times throughout the regulation's 64 articles, so the significance of efficient backup and recovery solutions for DORA compliance cannot be overstated.

For organisations in the financial services sector, planning for DORA's implementation should already be well underway. For those who are falling behind, however, it is essential to start an internal DORA compliance process at once. Scoping, gap analysis, process validation and reporting validation must all be part of it.

The importance of visibility in reporting

Financial services organisations require a thorough incident response strategy that is routinely tested, practised and shared with all relevant parties. Only then will they be prepared for the unexpected and able to move swiftly, guaranteeing business continuity.

NIS2, for instance, requires specific incident reporting and communication provisions, including an early warning to the competent authority within 24 hours of becoming aware of a significant incident. It also emphasises the importance of secure supply chains to protect the digital ecosystem. Non-compliance may result in fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher, for essential entities.

Created to support national strategies for the resilience of critical entities, the new Critical Entities Resilience (CER) Directive represents a significant development for regulated industries, including the financial sector. Entities in scope must notify the authorities of incidents that significantly disrupt their essential services, or face financial penalties.

Moving forward with legislation by backing up data

Businesses operating in the EU must also demonstrate, in line with DORA, their ability to restore backups to a location that is separated from the source both physically and logically. Backup data must also be securely protected from degradation, tampering and unauthorised access; in other words, it must be immutable.

Because the backup system is one of the most likely targets for an attacker, who will typically try to delete or encrypt recovery points before detonating ransomware, DORA-regulated entities must be able to demonstrate what safeguards are in place. This is why financial services organisations should use solutions that already meet the sector's stringent requirements, so that documentation is readily available during an audit.
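As an added illustration (not Veritas code, and not a design DORA prescribes), the following Python script shows the two checks this section asks for: a backup written to a separate location with a tamper-evident manifest, and a restore into a third location that is verified against that manifest. The manifest is authenticated with an HMAC whose key is assumed to be held outside the backup store (here a hypothetical constant), so an attacker who gains write access to the backup can neither alter a file nor re-sign the manifest without detection. The function names, directory layout and sample ledger data are constructed for the example.

```python
"""Tamper-evident backup manifest plus verified restore into a separate location.

Added example, not Veritas or DORA text. Names, paths and data are constructed.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def _sha256(path: Path) -> str:
    """Streaming SHA-256 of a file, so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _sign(files: dict, key: bytes) -> str:
    """HMAC over the canonical JSON of the digest table; the key never lives in the backup."""
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def create_backup(source: Path, backup_dir: Path, manifest_key: bytes) -> dict:
    """Copy every file under source into backup_dir and write an HMAC-signed digest manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    files = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        files[rel] = _sha256(dest)  # digest the stored copy, not the source
    manifest = {"files": files, "hmac": _sign(files, manifest_key)}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True))
    return manifest


def verify_backup(backup_dir: Path, manifest_key: bytes) -> list:
    """Return a list of findings; an empty list means the backup is intact."""
    manifest_path = backup_dir / MANIFEST_NAME
    if not manifest_path.exists():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    findings = []
    if not hmac.compare_digest(_sign(manifest["files"], manifest_key), manifest["hmac"]):
        findings.append("manifest HMAC mismatch")
    for rel, digest in manifest["files"].items():
        path = backup_dir / rel
        if not path.exists():
            findings.append(f"missing: {rel}")
        elif _sha256(path) != digest:
            findings.append(f"modified: {rel}")
    return findings


def restore_and_verify(backup_dir: Path, restore_dir: Path, manifest_key: bytes) -> list:
    """Restore into restore_dir (separate from source and backup) and re-check every digest there."""
    findings = verify_backup(backup_dir, manifest_key)
    if findings:
        return findings  # never restore from a backup that fails verification
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    restore_dir.mkdir(parents=True, exist_ok=True)
    for rel, digest in manifest["files"].items():
        dest = restore_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dest)
        if _sha256(dest) != digest:
            findings.append(f"restore corrupted: {rel}")
    return findings


def demo() -> dict:
    """Constructed run: clean restore, a file edited in the backup store, and a re-signed manifest."""
    key = b"hypothetical-manifest-key-kept-in-a-separate-vault"  # assumption: held outside the backup
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restore = root / "source", root / "backup", root / "restore"
        (source / "config").mkdir(parents=True)
        (source / "ledger.csv").write_text("acct,balance\n1001,250.00\n")  # constructed data
        (source / "config" / "app.ini").write_text("[db]\nhost=db01\n")
        create_backup(source, backup, key)
        clean = restore_and_verify(backup, restore, key)

        # Attacker with write access to the backup store edits a file in place.
        (backup / "ledger.csv").write_text("acct,balance\n1001,999999.00\n")
        tampered = verify_backup(backup, key)

        # Attacker also updates the digest and re-signs the manifest with a guessed key.
        m = json.loads((backup / MANIFEST_NAME).read_text())
        m["files"]["ledger.csv"] = _sha256(backup / "ledger.csv")
        m["hmac"] = _sign(m["files"], b"wrong-key")
        (backup / MANIFEST_NAME).write_text(json.dumps(m, sort_keys=True))
        resigned = verify_backup(backup, key)
    return {"clean": clean, "tampered": tampered, "resigned": resigned}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'OK'}")
```

Run it directly to see the three outcomes: the clean restore reports nothing, the edited file is reported as modified, and the re-signed manifest fails its HMAC check because the attacker does not hold the key. Note that a signed manifest makes tampering detectable, not impossible; immutability in the sense this section uses the word still needs enforcement at the storage layer (WORM or object-lock style retention) so that the recovery points themselves cannot be deleted or overwritten.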

Compliance brings economic benefit

For those financial services organisations that are exempt from these current and upcoming directives, this is no time to sit back and relax. These requirements exist for a reason: cyberattacks happen every day, and serious incidents are becoming more frequent. Meeting the minimum requirements does not mean you are safe.

There are lessons to be learned from the articles of DORA. The regulation's size and importance as a significant regulatory requirement paint a vivid picture of the current landscape in which EU financial services operate. By putting them into practice, organisations will significantly improve their cyber resilience and make sure that sensitive financial services data is better shielded from bad actors. For this reason, investment in a proactive compliance strategy may enable financial services firms to maintain a competitive edge.
