19 January 2025

New regulations are forcing organizations to take cybersecurity more seriously.


Tough new European Union regulations requiring banks to strengthen their cybersecurity systems officially come into force on Friday – but many financial services companies in the bloc are yet to fully comply with the rules.

The European Union's Digital Operational Resilience Act, or DORA, requires both financial services companies and their technology suppliers to harden their IT systems so that the industry stays resilient in the event of a cyberattack or other form of disruption. It entered into force on January 17.

Penalties for breaches of the new legislation can be significant. Financial services companies that violate the new rules could face fines of up to 2% of annual global revenue. Individual directors can also be held liable for violations and face penalties of up to 1 million euros ($1 million).

So far, the compliance rate among financial services companies with the new rules has been mixed, according to Harvey Jang, chief privacy officer and deputy general counsel at IT giant Cisco.

“I think we saw a mixed bag,” Jang told CNBC in an interview. “Of course, more mature companies will continue to look at this for at least a year – if not longer.”

“We're really trying to build this compliance program, but it's very complex. I think that's the challenge. We've also seen that with the GDPR and other broad legislation that is subject to interpretation – what does compliance actually mean? It means different things to different people,” he said.


This lack of a common understanding of what constitutes strong DORA compliance has in turn led many organizations to ramp up their security standards to a level that actually exceeds the “baseline” expected of most companies, Jang added.

Are financial institutions ready?

Under DORA, financial companies are required to conduct rigorous IT risk and incident management (including incident classification and reporting), carry out operational resilience testing, share intelligence on cyber threats and vulnerabilities, and take third-party risk management measures.

Companies will also be required to conduct assessments of “concentration risks” associated with outsourcing critical or important operational functions to external companies.

A census-level survey of 200 UK chief information security officers, commissioned by Orange Cyberdefense, the cybersecurity division of the French telecommunications company Orange, showed that 43% of financial institutions in Britain have not yet fully complied with DORA.

This is worrying because, although the UK is now outside the EU, DORA applies to all financial entities operating within EU jurisdictions – even if they are based outside the bloc.

“While it is clear that DORA has no legal reach in the UK, entities here that operate or provide services to entities in the EU will be subject to regulation,” Richard Lindsay, principal advisory counsel at Orange Cyberdefense, told CNBC.

He added that the main challenge facing many financial institutions when it comes to achieving DORA compliance is managing third-party IT providers.

“Financial institutions operate within a very complex, multi-layered digital ecosystem,” Lindsay said. “Tracking and ensuring that all parts of this system are clearly compliant with DORA-related elements will require a new mindset, solutions, and resources.”

Banks are also adding higher levels of scrutiny to contract negotiations with technology suppliers due to DORA's stringent requirements, Jang said.

Cisco's chief privacy officer told CNBC that he believes there is consensus when it comes to the principles and spirit of the law. However, he added, “Any legislation is a product of compromise, and therefore, when it becomes more directive, it becomes difficult.”

“The principles we agree with, but any legislation is the product of compromise, and the more prescriptive it becomes, the more difficult it becomes.”

However, despite the challenges, the widespread expectation among experts is that it will not be long until banks and other financial institutions achieve compliance.

“Banks in Europe are already compliant with significant regulations covering the majority of areas that fall under DORA,” Fabio Colombo, head of EMEA financial services security at Accenture, told CNBC.

“As a result, financial services organizations already have mature governance and compliance capabilities, with existing incident reporting processes and robust ICT risk frameworks.”

Risks faced by IT suppliers
