Why DORA should serve as a wakeup call for financial services


Financial services regulations can feel like a non-stop conveyor belt, with new frameworks and compliance requirements being regularly introduced.

But financial services underpins critical national infrastructure and is a favourite target for cyber criminals and fraudsters alike, so such stringent demands are much needed.

There's no getting around it: financial regulation must be watertight.

The EU's Digital Operational Resilience Act (DORA), which has applied since 17 January 2025, is one such example of new cybersecurity regulation for the financial services sector.

Tim Pfaelzer

SVP & GM EMEA at Veeam.

Yet, six months after its compliance deadline passed, research has found that 96% of EMEA financial services organizations still feel they need to improve their resilience in order to meet DORA's requirements.

So, what’s holding financial services back? And how can financial services organizations across the EU use DORA as a wakeup call to not just meet requirements, but to materially improve their data resilience?

Hit snooze

When the European Commission was drafting DORA, its thoughts would have been on the regulation's impact on data resilience, not on the stress levels of IT management and security teams.

But that is where it has had one of its largest unintended impacts: 41% of organizations cite the increased pressure on IT and security teams as a significant challenge in meeting DORA requirements.

Stress and burnout have long plagued the wider cybersecurity sector due to the high-pressure, fast-paced nature of the work. But meeting DORA requirements doesn’t have to contribute quite so much to this problem.

Rather than piling more pressure on already overwhelmed teams and adding DORA compliance as yet another project to complete, organizations should take a more holistic, ground-up approach.

By using data resilience maturity models (DRMM), organizations can wrap their DORA compliance into a wider data resilience plan, rather than viewing it as a new, separate activity.

Not only will this reduce the immediate pressure faced by IT and security teams, but it will also result in better data resilience overall.

Rather than jumping between half a dozen tasks, including day-to-day resilience issues and compliance, security and IT teams will be able to focus on data resilience as a whole.

Time to test

More practically, some of the biggest technical sticking points for DORA were around testing. Nearly a quarter (24%) of EMEA financial organizations have not established data recovery and continuity testing, and 23% have yet to carry out digital operational resilience testing.

And with breaches ever more commonplace, organizations can't afford to put off testing any longer. In some cases it is arguably more important than the data resilience measures themselves, because an untested backup or failover plan is an assumption, not a control.

After all, there’s not much point in implementing new measures if the first time they’re used is during an incident – they could fail right when they’re needed most.

While it can be daunting to run that first test for fear of what might be uncovered, it is often the best starting point when addressing data resilience. Not only does DORA demand it, but testing is what shows whether the other controls the regulation requires actually work when exercised.

Forget sheep, start counting third parties

One of the most surprisingly troublesome DORA requirements was third-party oversight. Over a third (34%) of organizations called it the ‘most challenging to implement’, and a fifth (20%) have yet to do so. But why?

While most organizations have been able to implement the majority of DORA’s requirements internally, it’s another story entirely externally.

It boils down to the fact that most organizations simply underestimated the scope of their third-party networks. With the average enterprise operating with 88 third-party partners, each bringing its own suppliers and integrations, the number of connections soon snowballs out of control.

Combine this with the main motivation for third-party engagement, which is to take some of the workload off the organization, and it becomes easy to switch off and underestimate the size of the network.

Where previously financial organizations may have been content to rely on third-party vendors with 'black box' solutions, DORA asks them to interrogate further. Before, organizations could well have depended on a solution and assumed that resilience was built in, when in fact they were left exposed.

But now, financial services organizations are being asked to dig deeper, to demand Shared Responsibility Models that outline the security responsibilities of each half of the partnership.

There's no easy fix for this. Financial services organizations across the EU will need to renegotiate their Service Level Agreements (SLAs) across the board with all third-party partners, and DORA expects contracts with ICT third-party providers to spell out matters such as service levels, incident support, audit and access rights and exit arrangements. That is no small ask, and one that will require security, risk, management and legal teams all on board to achieve, but it is an essential part of improving data resilience.

Get up, and get moving

Sadly, EMEA financial services organizations can’t improve their confidence in data resilience overnight. It will be a long path, and there will likely be more than a few bumps ahead.

But if they start the work now and approach data resilience holistically, rather than piecemeal, 'regulation by regulation', then their teams and their data resilience will get a major boost.

Rather than putting it off for another day, organizations should ask the hard questions of their resilience today. Using DORA as both a wakeup call, and a springboard, they can assess not only their own capabilities but also those of their third-party supplier networks.

It doesn't matter how much advice they receive; they'll never be able to address their unique data resilience weaknesses unless they know what they are. And that can only be uncovered through rigorous testing.

It may well knock organizational confidence in the short-term, as many have already found. But if the right action is taken, long-term it will build stronger confidence than ever in data resilience, both in terms of DORA and beyond.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
