Financial service organizations face uphill battle to comply with Digital Operational Resilience Act (DORA) required by January 2025
- SecurityScorecard examined 240 of the largest financial institutions in the European Union to assess cyber risk
- 84% of European Union’s financial institutions have been exposed to a fourth-party breach
- 82% of retail banks experienced a third-party breach in the last year, and 8% suffered from a breach in their own domain
LONDON – 26th July 2023 — SecurityScorecard today announced the release of a new report on the Digital Operational Resilience Act (DORA). The report analyzes 240 of the largest financial institutions in the European Union that must comply with the Digital Operational Resilience Act (DORA) by January 2025.
Key takeaways include:
- 78% of financial institutions experienced a third-party data breach in the past year. In the wake of attacks such as MOVEit and SolarWinds, cybersecurity regulations are increasing the need for comprehensive approaches to manage vendor risk and ensure compliance.
- 84% of financial institutions have been exposed to a fourth-party breach – illustrating how a vast web of unseen risks are hiding in plain sight. Visibility across the entire third-and fourth-party ecosystem is mission-critical, yet organizations lack consensus on how to measure and track fourth-party risk.
- Just 3% of the third-party vendors analyzed were breached – which underscores the massive butterfly effect that hackers are just starting to take advantage of. Spotlights a single supply chain attack’s dramatic impact on the threat landscape. Supply chain attacks attract cybercriminals because when widely used software is compromised, attackers gain access to potentially all organizations that use that software.
- 18% had a cybersecurity ‘C’ rating or below, making them four to seven times more likely to suffer a breach than those with an ‘A’ rating. Seven factors that drive cyber risk and can be predictive of a breach, including endpoint security; patching cadence; ransomware score; DNS health; IP reputation; cubit score; and network security.
“If nearly 20% of the most well-resourced financial entities in the EU have grades of C or worse, then it’s likely that the overall cyber resilience for other financial entities is actually much lower,” said Matthew McKenna, Chief Sales Officer, SecurityScorecard. “Financial entities need a trusted view of security risk. SecurityScorecard dynamically discovers risk across a customer’s attack surface, including their third- and fourth-party ecosystem, to dramatically reduce the risk of a compromise.”
Cyber risk by financial vertical:
- Retail banks at highest risk – 82% experienced a third-party breach in the last year, and 8% suffered from a breach in their own domain.
- Insurance firms have the lowest security scores – 24% have a ‘C’ security rating or below, and 78% reported a third- or fourth-party breach.
- Private equity firms prioritize cybersecurity – No breaches on their own domains, and achieved the highest ratings with only 9% at a ‘C’ rating or below.
DORA implications for third-party risk management
Managing third-party risk is a core theme of DORA and the EU approach to digital cyber risk more broadly. DORA requires financial entities to identify and assess all third-party risks. This includes threats to the confidentiality, integrity, and availability of data and systems, as well as risks to the financial entity’s ability to continue operating in the event of a third-party incident.
“Who financial entities choose to trust and how they sustain that trust are essential factors for the resilience of the EU’s financial services sector,” said Dan Morgan, Senior Government Affairs Director, Europe & APAC, SecurityScorecard. “Financial institutions must adopt an objective, standard measurement for third-party cyber risk to inform regulatory decisions, reduce cyber incidents, and comply with regulations, such as DORA in the EU.”
SecurityScorecard examined the cybersecurity profiles of the largest 240 financial institutions, including their third- and fourth-party vendor operations in Europe in 2023. This aggregates into an ecosystem of 26,142 domains. The top 240 were determined by current revenue, assets under management, or gross written premium. The 240 financial institutions included private equity, asset management, retail banks, Insurance, and pension funds.
This financial institution ecosystem was scored and analyzed against reported data breaches to demonstrate the cybersecurity posture of the financial market in the lead-up to the full implantation of DORA in January 2024.
SecurityScorecard ratings offer easy-to-read A-F ratings across ten risk factors (network security, DNS health, patching cadence, cubit score, endpoint security, IP reputation, web application security, hacker chatter, leaked credentials, and social engineering). Each factor has a numerical weight, which reflects the severity or risk that the factor contributes to an organization’s overall cybersecurity posture.
SecurityScorecard utilizes machine learning to optimize the weights of its risk factors. This data-driven approach maximizes the correlation between SecurityScorecard scores and the relative likelihood of a breach. Organizations with an ‘A’ rating are 7×7 times less likely to experience a cybersecurity breach. SecurityScorecard continuously monitors the threat landscape and evaluates new data sources and new analytics to better reflect cybersecurity risk.
- Read more about actions organizations can take to comply with DORA by downloading the new report.
- See the 2023 Cyentia Institute third- and fourth-party financial service report here.
- Find more about SecurityScorecard’s scoring methodology.
- Follow SecurityScorecard on LinkedIn.
Funded by world-class investors, including Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings, response, and resilience, with more than 12 million companies continuously rated.
Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented rating technology is used by over 25,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight.
SecurityScorecard makes the world a safer place by transforming the way companies understand, improve and communicate cybersecurity risk to their boards, employees, and vendors. SecurityScorecard is listed as a free cyber tool and service by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Every organization has the universal right to its trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.
PR Manager, EMEA – SecurityScorecard