Digital operational resilience is a key issue for the financial sector, all the more so with the arrival of a major piece of European legislation on the matter: DORA.
Digital operational resilience refers to an organization’s ability to resist, adapt and recover from cyber incidents. It aims to ensure the continuity of essential operations despite an attack, outage, breach, or other type of incident.
A financial entity is resilient when it can develop, guarantee and reassess its operational integrity from a technological point of view, ensuring the full range of IT-related capabilities necessary to guarantee the security of the networks and information systems it uses, which underpin the ongoing provision of financial services. (DORA, Article 3)
The 4 components of digital operational resilience
Digital operational resilience is based on a holistic approach to cybersecurity that integrates technology, processes, policies, legal, human resources and organizational culture. It aims to reduce risk, minimize the impact of incidents and ensure business continuity while promoting continuous improvement in the security of the financial infrastructure.
Digital operational resilience revolves around those key pillars:
- Anticipation and prevention;
- Recovery and adaptation.
1. Anticipation and prevention
The implementation of appropriate security measures to reduce digital risk. This may include a Business Continuity Plan (BCP) and governance policy, the use of firewalls, antivirus softwares, intrusion detection systems, access controls, training… In short, all the tools and processes needed to anticipate and prevent cyber risks.
It’s monitoring incidents to reduce consequences. This involves continuous network monitoring, intrusion detection systems, event logs, and tools to analyze these logs for suspicious behavior or signs of malicious activity. In other words, all the measures needed to detect and mitigate an incident before it has any negative consequences.
In the event of an incident, implement an immediate, effective, and organized response to contain the risks. This involves applying the business continuity plan, mobilizing security teams, analyzing the root causes of the incident, collaborating with the relevant authorities, and internal/external communication. Those are all the processes needed to contain an incident and limit its consequences.
4. Recovery and adaptation
After an incident, restore the organization’s operations. This involves restoring systems from backup, implementing security patches, reviewing policies and procedures, and assessing damage and lessons learned. It’s all about getting back to normal and preventing another cyber incident.
The Digital Operational Resilience Act (DORA)
Digital operational resilience in the financial sector is the objective of the Digital Operational Resilience Act (DORA), a major piece of European Union legislation.
With DORA, defense is no longer enough, and resilience becomes a higher principle. Financial entities must no longer simply defend themselves against incidents and cyber-attacks; they must resist them, and pursue their operations.
It is essential that the financial sector complies with these new requirements, as DORA will be applicable in all EU countries from January 17, 2025. It complements the NIS2 Directive, another major EU text on cybersecurity for key entities.
Digital operational resilience: what’s at stake for the financial sector?
Digital operational resilience is of paramount importance to the financial sector, given the specific challenges it faces.
Safeguarding financial assets
The financial sector manages high-value assets, such as funds, sensitive customer data, account information and financial transactions. Cyber resilience is essential to protect these assets against attacks, data breaches, and fraud to maintain customer confidence and avoid financial loss.
Ensuring operations continuity
Financial institutions play a vital economic role, providing essential financial services. However, cyber attacks can lead to service interruptions, system failures, and significant disruption. Resilience aims to minimize the impact of these incidents, preserve business continuity and reduce financial losses, thereby preserving the financial sector’s stability.
Financial institutions are subject to a body of cybersecurity regulations. They must comply with them to protect customer information, prevent money laundering, combat the financing of terrorism, and so on. It is essential to comply with these regulatory imperatives by implementing appropriate measures.
Cybersecurity risks are constantly evolving, with the regular emergence of new threats, vulnerabilities, and attack techniques. Resilience requires financial institutions to actively manage these risks by identifying vulnerabilities, monitoring suspicious activity, strengthening defenses, and developing incident response plans.
Preserving the reputation
Cybersecurity incidents can damage the reputation of financial institutions, with long-term consequences for their business. Resilience helps preserve reputation by minimizing data loss, ensuring a rapid and effective response to incidents, and implementing preventive measures to reduce risk.
Operational resilience testing to detect and prioritize vulnerabilities
Several measures need to be taken to comply with DORA and meet the challenges of digital operational resilience.
These include security testing. DORA stipulates that financial entities must submit “at least once a year, all ICT systems and applications that support critical or important functions to appropriate tests.” (Article 24.6). These tests are grouped in a global program that adopts a risk-based approach. It encompasses a series of assessments, tests, methodologies and tools.
As a specialist in Offensive Security, Yogosha offers various approaches to vulnerability detection, such as Penetration Testing as a Service (PtaaS) and Bug Bounty.
- Pentest as a Service: a security audit launched in less than a week for a fixed price. Uncover most of the vulnerabilities in a product and assess its security level at a given time, or plan several pen tests throughout your development cycle as part of a DevSecOps approach.
- Bug bounty: an in-depth vulnerability hunt with the security researchers of the Yogosha Strike Force. Identify the most critical vulnerabilities with a pay-for-results logic. No vulnerabilities = no expenses: you’re only rewarded for exploitable results.
Naturally, all our operations with financial sector players are carried out in strict compliance with the new DORA requirements.
Want to know more? Please feel free to contact us!