Traffic_analyzer | Digitalvision Vectors | Getty Images
Financial services companies and their digital technology suppliers are under intense pressure to achieve compliance with strict new rules from the EU that require them to boost their cyber resilience.
By the start of next year, financial services firms and their technology suppliers will have to make sure that they’re in compliance with a new incoming law from the European Union known as DORA, or the Digital Operational Resilience Act.
CNBC runs through what you need to know about DORA — including what it is, why it matters, and what banks are doing to make sure they’re prepared for it.
What is DORA?
DORA requires banks, insurance companies and investment to strengthen their IT security. The EU regulation also seeks to ensure the financial services industry is resilient in the event of a severe disruption to operations.
Such disruptions could include a ransomware attack that causes a financial company’s computers to shut down, or a DDOS (distributed denial of service) attack that forces a firm’s website to go offline.
The regulation also seeks to help firms avoid major outage events, such as the historic IT meltdown last month caused by cyber firm CrowdStrike when a simple software update issued by the company forced Microsoft’s Windows operating system to crash.
Multiple banks, payment firms and investment companies — from JPMorgan Chase and Santander, to Visa and Charles Schwab — were unable to provide service due to the outage. It took these firms several hours to restore service to consumers.
In the future, such an event would fall under the type of service disruption that would face scrutiny under the EU’s incoming rules.
Mike Sleightholme, president of fintech firm Broadridge International, notes that a standout factor of DORA is that it doesn’t just focus on what banks do to ensure resiliency — it also takes a close look at firms’ tech suppliers.
Under DORA, banks will be required to undertake rigorous IT risk management, incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing in relation to cyber threats and vulnerabilities, and measures to manage third-party risks.
Firms will be required to conduct assessments of “concentration risk” related to the outsourcing of critical or important operational functions to external companies.
These IT providers often deliver “critical digital services to customers,” said Joe Vaccaro, general manager of Cisco-owned internet quality monitoring firm ThousandEyes.
“These third-party providers must now be part of the testing and reporting process, meaning financial services companies need to adopt solutions that help them uncover and map these sometimes hidden dependencies with providers,” he told CNBC.
Banks will also have to “expand their ability to assure the delivery and performance of digital experiences across not just the infrastructure they own, but also the one they don’t,” Vaccaro added.
When does the law apply? » …