New regulations are forcing organizations to take cybersecurity more seriously.
Strict new European Union regulations requiring banks to beef up their cybersecurity systems officially come into effect on Friday, but many of the bloc’s financial services firms are still not fully complying with the rules.
The EU Digital Operational Resilience Act, or DORA, requires both financial services companies and their technology providers to strengthen their IT systems to ensure the industry is resilient in the event of a cyberattack or any other form of disruption. It came into effect on January 17.
The penalties for non-compliance with the new legislation can be substantial. Financial services companies that fail to comply with the new rules can face fines of up to 2% of annual global revenue. Individual managers could also be held liable for violations and face penalties of up to €1 million ($1 million).
So far, the rate of compliance with the new rules among financial services companies has been mixed, according to Harvey Jang, chief privacy officer and deputy general counsel at IT giant Cisco.
“I think we’ve seen a mix of things,” Jang told CNBC in an interview. “Of course, more mature-stage companies are further along in this by at least a year, if not longer.”
“We’re really trying to build this compliance program, but it’s very complex. I think that’s the challenge. We also saw this with GDPR and other broad laws that are subject to interpretation: What does compliance actually mean? It means different things to different people,” he said.
This lack of a common understanding of what counts as strong DORA compliance has in turn led many institutions to raise their security standards to the point that they are actually exceeding the “baseline” expected of most companies, Jang added.
Under DORA, financial companies will be required to conduct rigorous IT risk and incident management, triage and reporting, operational resilience testing, intelligence sharing on cyber threats and vulnerabilities, and measures to manage third-party risks.
Companies will also be required to carry out “concentration risk” assessments related to outsourcing critical or important operational functions to external companies.
A Censuswide survey of 200 UK CIOs commissioned by Orange Cyberdefense, the cybersecurity division of the French telecommunications company Orange, showed that 43% of financial institutions in Britain are still not fully compliant with DORA.
This is worrying because, although the UK is now outside the European Union, DORA applies to all financial entities operating within EU jurisdictions, even if they are based outside the bloc.
“While it is clear that DORA has no legal reach in the UK, entities based here and operating or providing services to entities in the EU will be subject to the regulation,” Richard Lindsay, senior advisory consultant at Orange Cyberdefense, told CNBC.
He added that the main challenge for many financial institutions when it comes to achieving DORA compliance has been managing their critical third-party IT providers.
“Financial institutions operate within a hugely complex, multi-layered digital ecosystem,” Lindsay said. “Tracking and ensuring that all parts of this system are evidently compliant with the relevant elements of DORA will require a new mindset, solutions and resources.”
Banks are also adding greater levels of scrutiny into their contractual negotiations with technology providers due to DORA’s strict requirements, Jang said.
Cisco’s chief privacy officer told CNBC that he believes there is alignment when it comes to the principles and spirit of the law. However, he added, “any legislation is a product of compromise and therefore, as they become more prescriptive, it becomes challenging.”
Still, despite the challenges, the general expectation among experts is that it won’t be long until banks and other financial institutions achieve compliance.
“Banks in Europe already comply with important regulations covering most of the areas included in DORA,” Fabio Colombo, Accenture financial services security leader in EMEA, told CNBC.
“As a result, financial services institutions already have mature governance and compliance capabilities, with existing incident reporting processes and robust ICT risk frameworks.”
IT providers can also be fined under DORA. The rules threaten levies of up to 1% of global average daily income for up to six months.
“These sanctions are necessary,” Brian Fox, chief technology officer at software supply chain management company Sonatype, told CNBC. “They are a powerful motivator that pushes leaders to take compliance and operational resilience more seriously than ever.”
Orange Cyberdefense’s Lindsay said there is a long-term risk that financial services firms will end up moving critical security functions and services in-house.
“Advances in technology can allow financial institutions to move services back in-house, simplifying this aspect and reducing the risk of default,” he said.
“Either way, existing contracts will need to be updated to ensure compliance is contractually mandated and monitored between the entity and the provider,” Lindsay added.
Meanwhile, there are other cybersecurity-focused regulations that organizations will have to comply with, such as the Network and Information Security Directive 2, or NIS 2, and the Cyber Resilience Act. The former entered into force in October.
“As with any new regulation, there will certainly be a transition period as organizations adjust to the new requirements and standards,” Sonatype’s Fox told CNBC. “This is the beginning of a long journey toward improving software security and resiliency.”