
What Banks Need to Know About DORA


As of January 16, the enforcement period for the EU’s Digital Operational Resilience Act (DORA) has commenced. This critical regulation, which mandates compliance by January 2025, has a global reach: it affects not only European banks but also financial institutions worldwide, including those in the United States, that serve EU customers or supply ICT services to EU financial entities.

Originating within the European Union, DORA was initiated in September 2020 as part of the EU’s digital finance strategy and was finalized by the European Parliament in November 2022. The regulation aims to standardize security protocols for network and information systems across financial entities and their critical ICT service providers.

Key Provisions of DORA:

  • Risk Management: Financial institutions are mandated to develop robust tools for effective risk management. This includes continuous monitoring and rapid response mechanisms to detect and mitigate unusual activities.

  • Third-Party Risk Management: Banks must collaborate with third-party service providers to ensure that data processing and monitoring frameworks are uniformly applied. Contracts should explicitly specify compliance obligations.

  • Incident Reporting: Institutions need to establish systems to log IT security incidents, classifying them according to criteria set by European supervisory authorities.

  • Information Sharing: Encouraging the exchange of information related to digital threats enhances collective digital resilience and risk awareness.

  • Resilience Testing: Regular testing is required to assess the efficacy of risk management frameworks. This includes conducting red and purple team exercises that help identify and rectify vulnerabilities.

Implications for Banks

For banks, adapting to DORA means revisiting and potentially overhauling their existing security policies and practices. While the 2025 deadline may seem distant, the comprehensive preparations necessary to address potential vulnerabilities and implement effective solutions demand immediate action.

Banks should start with a security maturity assessment to pinpoint current capabilities and deficiencies in relation to DORA standards. This assessment will guide the development of a strategic approach to compliance, highlighting areas needing urgent attention.

Technical Perspectives on Compliance and Vendor Risk Management

For those who weren’t able to attend our live webinar with the London Stock Exchange, please refer to our YouTube video below, which covers the full discussion. In the meantime, I will share the key talking points that banks need to know.

  1. Continuous Monitoring and Dynamic Risk Assessment:

    • Findings CEO and co-founder Kobi Freedman emphasized the shift from periodic risk assessments to continuous monitoring. This change is crucial because the threat landscape evolves rapidly, requiring real-time insight into potential vulnerabilities both within and beyond the immediate vendor base.

    • The idea is to scale up the monitoring and compliance checks from a select group of vendors to nearly all partners in the supply chain, thereby increasing visibility and reducing risks across the board.

  2. Automating Compliance for Efficiency:

    • Leveraging technology to automate compliance processes is critical due to the expansive scope of DORA. Automation helps manage the vast array of data and compliance requirements efficiently, reducing the manual workload and potential for human error.

    • Technologies that facilitate automated monitoring and reporting can significantly streamline the compliance efforts required under DORA, particularly for third-party risk management.

  3. Enhanced Board Involvement and Governance:

    • It was noted that DORA places significant responsibilities on the board and upper management to ensure compliance. This includes adopting and enforcing policies, overseeing the implementation of risk management strategies, and ensuring continuous improvement in digital resilience.

    • The board’s role in setting the risk tolerance, approving budgets for cybersecurity initiatives, and ensuring that governance frameworks are in place and effective is critical to meeting DORA’s requirements.

  4. Legal and Regulatory Preparedness:

    • From a legal perspective, companies are encouraged to prepare not only for DORA but also for overlapping regulations in different jurisdictions. This requires a holistic approach to compliance that considers various regulatory frameworks and ensures that practices meet the highest standards.

    • Preparing for DORA involves understanding its specific requirements and how they interact with other regulatory frameworks like GDPR or the upcoming regulations on AI and data usage.

  5. Incident Response and Crisis Management:

    • Effective incident response protocols were discussed, stressing the importance of having a clear plan in place before any security breach occurs. This includes defining roles, responsibilities, and communication strategies to ensure a coordinated response to incidents.

    • The need for a structured approach to handling the aftermath of an incident was also highlighted, focusing on minimizing damage, managing communications, and learning from each event to improve future resilience.

Get Prepared

As the adoption of DORA progresses, banks must ensure they meet the regulatory standards by the 2025 deadline. Initiating preparations early will undoubtedly facilitate better compliance and enhanced security outcomes. By incorporating these strategies and aligning with expert service providers, banks can effectively navigate the challenges posed by DORA, ensuring operational resilience in an increasingly digital world.
