Earlier this year, DORA – the Digital Operational Resilience Act – came into force, set on bolstering IT security resilience for Financial Services across the EU. This regulation is an essential shift, especially for an industry that has seen a significant growth in cloud and holds so much sensitive data.
While the hybrid cloud offers various benefits, from scalability to cost savings if optimised, many organisations aren’t sufficiently monitoring this complex environment. Security is therefore a big concern, with 42% of global IT and security leaders citing cloud applications as a common ransomware threat vector. This is often a result of threat actors exploiting a weakness or vulnerability and then hiding in cloud-to-core blind spots before deploying malware or exfiltrating data.
DORA will play a significant role in reducing this risk for financial institutions, yet compliance and risk management can be daunting for business leaders without extensive experience in cybersecurity and limited insight into their IT infrastructure.
We caught up with Mark Coates, VP EMEA at Gigamon, to get his insights on the upcoming changes. For those who aren’t sure where to start, Mark has outlined four things every CEO in financial services should know about this regulation.
Organisations have two years to comply
DORA signifies a huge change for the financial services industry, and one that organisations need to start implementing now if they’re going to meet compliance by 2025. While it officially came into force in January this year, there’s now a two-year period for the financial services industry – including insurers, crypto-asset service providers and crowdfunding service providers – to make serious changes to security culture. Organisations need to comply by January 17th 2025, and key pillars include risk management, incident management and information sharing arrangements.
Security is no longer just security’s problem
One big shift that financial institutions need to acknowledge is that DORA mandates that the board is accountable for IT risk. It is these board members who could face large fines or even jail time if they cannot comply. Ignorance is no excuse – DORA expects board members to be educated on the threats facing their business and to recognise how best to protect their hybrid cloud environment.
There is no need, however, for leaders to react to this regulation and to cloud security threats by locking down their environments. Instead, financial organisations need to embrace freedom in the mobile workplace with a ‘single source of truth’ across all data in motion. They should promote an open compute philosophy that gives them freedom to innovate, while also keeping security posture and compliance front of mind.
Cloud consolidation may not be simple
Unexpectedly spiralling cloud costs have recently become a stumbling block for organisations. In a challenging economic climate, many are looking to optimise and consolidate what is already in place to reduce complexity while saving costs. Yet consolidation of cloud vendors may not be simple for financial institutions. DORA focuses considerably on third-party risk, as well as on the concentration of risk that comes from relying on a single third-party supplier. In other words, it is essential to consider the risk of consolidation, and a multi-cloud strategy is likely to provide more digital resilience.
However, optimisation and reducing complexity remain key for cutting cloud costs – as well as for compliance with DORA. This is only possible with insight into all traffic, known as deep observability, to identify exactly where bottlenecks and blind spots exist.
Deep observability is critical for compliance
Across its pillars, DORA specifies that organisations need to continuously identify risks in order to set up protection and prevention measures, promptly detect anomalous activities, and quickly identify and eliminate any weaknesses, deficiencies or gaps in digital operations. To achieve this, security teams need real-time, network-level intelligence to track activity across the network and eradicate blind spots, powered by deep observability. This means going beyond current log- and trace-based monitoring tools, optimising and amplifying the power of these solutions to rapidly detect suspicious activity and act accordingly.
It is this deep observability that will reduce complexity and cost, and also enable the open compute philosophy business leaders need in order to achieve greater understanding, as well as accountability, of cyber risk. Both DORA compliance and the hybrid cloud present an incredible business opportunity for enterprises if they get them right. Whilst this is no simple task, it is far more achievable if teams have total visibility across their digital infrastructure.
To find out more, reach out to our team to discuss further:
03333 442204