October is Cybersecurity Awareness Month, a dedicated month for the public and private sectors to work together to raise awareness about the importance of cybersecurity. And this year's theme, "Secure Our World," couldn't be more timely. With the growing number of cyberattacks worldwide, it's becoming increasingly apparent that critical infrastructure is at risk. In fact, the World Economic Forum's Global Cybersecurity Outlook 2023 found that 43% of organizational leaders think it likely that a cyberattack will materially affect their own organization within the next two years.
Mandating cyber resilience
Critical infrastructure, and the supply chains it depends on, must keep functioning even while under attack. That need is part of the motivation behind the European Union's (EU) Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554. This critical piece of legislation is part of a raft of new cybersecurity regulations around the world that mandate more robust security practices and emphasize greater cyber resilience.
Specifics of DORA compliance
There are five key pillars of DORA: ICT risk management; ICT-related incident management, classification, and reporting; digital operational resilience testing; management of ICT third-party risk; and information-sharing arrangements on cyber threats and intelligence.
DORA has several prescriptive requirements, and the compliance curve will be steep. Though it is an EU regulation, it applies to financial entities operating in the EU and to the ICT third-party service providers that support them, wherever those providers are based. Penalties for financial entities are set by each Member State's competent authorities rather than by a single figure in the regulation itself, and for critical ICT third-party service providers DORA gives the Lead Overseer the power to impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover.
A cross-functional approach to DORA
To blunt the increasing velocity and volume of cyber threats, there must be more cross-national and cross-functional cybersecurity efforts. And DORA aims to do just that by creating a unified framework for financial services organizations across Europe. Traditional financial entities will be impacted by DORA, but it will also apply to: crypto-asset service providers; crowdfunding service providers; data reporting service providers; insurance and reinsurance undertakings; and more.
DORA applies from January 17, 2025, but now is the time to act. It's not just the responsibility of the security team. Organizations need to ensure that multiple departments are on board with risk remediation, reporting requirements, incident response plan testing, supply chain risk, and more. With cooperation from legal, risk management, procurement, compliance, and other teams, CISOs will be able to not only meet their DORA goals, but become the pace-setters as well.
Get ahead of DORA now
To comply with DORA, organizations need to have a solid ICT risk management framework in place, as well as a data-driven approach to monitoring that framework. DORA also places a huge emphasis on regularly monitoring the security posture of the vendors in your third-party ecosystem, maintaining a register of your ICT third-party contracts, and keeping an eye on any issues that could affect your organization. Financial entities also need an incident response plan that can classify ICT-related incidents against DORA's criteria and report major ones to the competent authority quickly, through an initial notification, an intermediate report, and a final report. Detecting and responding fast is what minimizes downtime; the reporting process has to keep pace with it.
Another key component of DORA involves regularly testing your organization's cyber resilience. These proactive steps can include: penetration tests; tabletop exercises; red teaming; vulnerability assessments; and more. For financial entities that the competent authorities identify as significant, DORA goes further and requires threat-led penetration testing (TLPT) of live production systems at least every three years. Knowing where your organization stands now will make a big difference in how it handles a future cyberattack. Though DORA is getting a lot of attention right now, it's important for organizations to still comply with other existing regulations, including the General Data Protection Regulation (GDPR).
Even though DORA won’t fully take effect for over a year, the time will certainly fly by. Just like that term paper we put off in high school, the due date sneaks up quicker than you might think. Boosting departments, their budgets, and employee skill sets now will pay off once January 2025 arrives. But until then, have a happy and resilient Cybersecurity Awareness Month.
For further guidance on DORA's nuances and help charting your path to readiness, visit https://securityscorecard.com/dora-compliance/.