Risk Management under the DORA Regulation

The financial sector is quite heavily regulated, and involves a lot of confidential data. You’d therefore expect that the sector fares better at data security than your average organisation.

What do the statistics say?

The public data set on the ICO (Information Commissioner’s Office) website shows that data security isn’t necessarily better for financial organisations.

Although the total number of data breaches – or rather, in those reported – decreased by 24% between 2019 and 2022 in the finance sector, the number of incidents increased by 99%.

Data breaches855752 (-12%)630 (-16%)648 (+3%)
Cyber attacks143245 (+71%)230 (-6%)285 (+23%)

Note 1: The ICO data set only provides the numbers for Q2 2019 until Q4 2022. So to account for seasonality, we’ve only looked at Q2–Q4 for all four years (2019–2022).
Note 2: The percentages in brackets indicate the % change compared to the previous year.

In fact, in 2020–2022, the financial sector was the second-most attacked sector, topped only by the retail and manufacturing sector.

This is particularly worrying when combined with the findings from IBM’s Cost of a Data Breach Report 2023, which put the average cost of a breach in 2023 at $5.90 million (about £4.70 million) for the financial sector – 33% more than the average across all sectors.

Admittedly, these numbers mostly reflect UK trends, but there’s no question that large EU banks are also being targeted, including the European Investment Bank, Deutsche Bank and ING Bank. That really shouldn’t surprise us – these are lucrative targets for cyber criminals.

Perhaps even more concerning to EU lawmakers is how dependent society at large is on banking and other financial services. If these are disrupted, everyday business activities can’t be completed – not just within the member state that bank is based but also across borders.

In turn, financial institutions heavily depend on ICT to be able to provide those services to begin with. This is often outsourced to third-party service providers, making it important that the supply chain is resilient too, not just the financial institutions themselves.

Such considerations were on EU lawmakers’ minds when they introduced DORA (Digital Operational Resilience Act). Although it’s an EU law, it will affect UK organisations too, if they operate in the EU.

Three key DORA requirements

There are three fundamental requirements to this regulation:

  1. Risk management
  2. Incident management
  3. Supply chain security

These drive the other, lower-level requirements in DORA.

However, we don’t know the full technical requirements yet, which are set by the three ESAs (European Supervisory Authorities). The drafts of these are due to be submitted to the European Commission by 17 January 2024, so we should know more by then.

ICT risk management requirements under DORA

In Chapter II, DORA recognises governance as a key part of the organisation’s ICT risk management framework. The Regulation makes the organisation’s management body responsible for implementing that framework, and accountable for generally managing ICT risk.

The ICT risk management framework itself must be strategic, documented and reviewed at least annually.

As part of that framework, organisations must also, among other things:

  • Identify all relevant assets;
  • Protect the confidentiality, integrity, availability and authenticity of their information;
  • Be able to detect potential network performance issues and ICT-related incidents;
  • Implement a “comprehensive” ICT business continuity policy;
  • Have measures to quickly restore systems and recover data in the event of a disruption; and
  • Disclose “major” ICT-related incidents or vulnerabilities.

Bear in mind that there are various exemptions or simpler requirements depending on factors like organisation size.

Digital operational resilience strategy

At the heart of the risk management pillar – and DORA as a whole – lies the digital operational resilience strategy.

DORA was introduced to ensure that the EU financial infrastructure, considering its heavy reliance on ICT, can cope with the disruptions that seem inevitable when using anything ICT.

Ideally, that means avoiding disruptions altogether. However, since that’s unrealistic in the current climate, financial institutions and their supply chains should aim for resilience instead.

Achieving operational resilience means being able to quickly recover from disruptions, accidental or otherwise, and continue to provide an acceptable level of service during the recovery period.

What should organisations do now?

DORA doesn’t apply until 17 January 2025, so organisations have time before needing to be fully compliant.

However, irrespective of this new law, it’s important that organisations get their house in order where ICT asset and risk management are concerned.

Most organisations literally couldn’t do business if their ICT wasn’t working properly, and the above statistics show that it is at real risk.

With that in mind, organisations should treat ICT-related products and services like any other business asset. Track them in an asset inventory, then refer to that inventory when you identify, assess and respond to your risks.

Organisations could use the same methodology or approach they already use for other types of asset and risk management. So long as it produces consistent, valid and comparable results, it’ll work perfectly well for security and resilience purposes.

That said, remember to consider risks to the confidentiality, integrity, availability and authenticity of each ICT asset:

  1. Confidentiality: The asset is accessible to authorised people only.
  2. Integrity: The asset is protected from unauthorised modification, destruction and loss.
  3. Availability: The asset is available to authorised people as and when required.
  4. Authenticity: The validity of the asset cannot be denied.

It’s all too easy to forget that security breaches don’t need to involve a malicious attacker. Simply losing access to an asset, for example, can be just as problematic.

To help navigate such security-specific challenges, organisations may find it useful to reference a best-practice standard like ISO 27005, which offers guidance on managing information security risks.

Certified DORA Foundation Training Course

You may also be interested in taking our Certified DORA Foundation Training Course.

This course covers:

  • An introduction to DORA and the regulatory landscape;
  • ICT risk management principles in DORA;
  • ICT incident management principles in DORA;
  • Resilience testing requirements;
  • Managing third-party risk; and
  • Information-sharing principles.

The course is the prerequisite to further specialist DORA training courses, including C-DORA Practitioner, C-DORA Compliance Officer and C-DORA Lead Auditor.