In January, in just a few months, the DORA regulation will start to apply to the financial sector. It entails higher security requirements for the entire sector. In this blog post we clarify what DORA means and explain more about two important areas that DORA addresses – network segmentation and secure updates.
The financial sector is exposed to many cyberattacks – and needs to increase security
The International Monetary Fund, IMF, wrote in a report this spring that the financial sector is “uniquely exposed to cyber risks”. The reason is that they handle large amounts of sensitive data and transactions – something that is often a target for cybercriminals. According to the report, financial companies are the target of nearly a fifth of all attacks, and banks are the most vulnerable.
For the sake of society as a whole, all actors in the financial sector therefore need to increase their cybersecurity, because incidents in the financial sector can threaten financial and economic stability. The large number of attacks means that it is not enough to try to protect yourself by preventing attacks alone. Instead, security resilience becomes crucial, i.e. the ability to be prepared for an event, to know what to report and where to report an incident, and to get your services up and running again after an event has occurred. Documenting these routines and processes is also important. All this is also the reason why the new DORA regulation will come into effect shortly.
What is DORA and to whom does the new security regulation apply?
DORA (Digital Operational Resilience Act) is the new joint EU regulatory framework for effective and comprehensive management of digital risks in the financial industry, which comes into force in January 2025.
The new rules respond to an increased need for regulation and supervision, driven by growing vulnerability to IT risks, and to the need for more uniform rules across the EU.
The regulation covers the financial sector and in total more than 22,000 companies operating within the EU are affected. It is not only the traditional players such as banks, investment firms and insurance companies that are affected, but also crypto asset providers, data reporting providers and cloud service providers. The latter are actors who are not as used to dealing with comprehensive regulations.
DORA sets requirements for the security of these companies’ network and information systems, i.e. electronic communication networks that allow the transmission of signals by any means, regardless of the type of information being transmitted. Such security is usually ensured through the use of so-called ICT services, i.e. digital services that are continuously provided through Information and Communication Technology systems. ICT services should therefore be understood as all of the company’s digital services and processes, including cloud services.
What does DORA mean for the financial market’s security work?
The DORA regulation places higher demands on the organisations concerned in four different areas:
1. Risk management
DORA requires resilient IT systems and tools, along with the ability to identify, classify and document measures for protection, detection and prevention efforts. All actors must be able to respond to attacks, regain control, learn and evolve – with communication plans in place.
2. Incident reporting
DORA requires the affected organisations to review their existing processes for incident reporting. They must, according to the framework, monitor, report and log all incidents. Incidents that are classified as serious must also be reported within four hours after they are detected, which is significantly stricter than the requirements in, for example, the NIS 2 regulation.
3. Security tests
DORA requires that the organisations concerned apply various types of security tests, for example penetration tests, vulnerability scans, gap analyses and physical security audits, and that, where necessary, external certified expertise is used in security testing.
4. Third party risk management
DORA places new, higher requirements on financial actors’ agreements with their suppliers, including review and control of third-party risks within ICT. They must also have strategies to manage the risks that these suppliers can introduce, and be able to change suppliers when the need arises.
In order for these areas to function correctly and in interaction with each other, a good governance model for cybersecurity must be in place. It must define roles and responsibilities, set the digital operational strategy and policies, and monitor and review risk management.
DORA involves sanctions for those who do not meet the security requirements
Those who do not meet the requirements of DORA may be subject to GDPR-class sanctions, with fines that may amount to ten percent of the turnover or three times the profit that the financial actor has made as a result of the rule violation. Finansinspektionen will be the competent Swedish supervisory authority under DORA.
DORA applies above NIS 2 for the financial sector
The EU directive NIS2 will soon be implemented and will cover more sectors of society than before, with stricter requirements for risk management and reporting.
The NIS2 directive’s rules overlap in many cases with DORA’s. For the financial sector, however, it is DORA with its tougher rules that takes precedence over NIS2.
Network segmentation is an important part of security work according to DORA
According to Article 9 of DORA, financial actors must design their network connection infrastructure in a way that allows it to be immediately separated or segmented in order to minimise and prevent the spread of an attack, especially between interconnected financial processes – in other words, you need to work with network segmentation.
First, however, you need to define the business’s most critical information, because it is neither practical nor financially justifiable to protect all information in the same way. Network segmentation, through a combination of physical and logical separation, is then applied to protect what has been selected as critical information and critical systems.
Network segmentation involves dividing a data network into sub-networks (network segments) using a combination of physical and logical separation. Physical separation means that security zones are defined and placed on different physical hardware. Logical separation means that different zones or traffic flows are allowed to coexist on the same hardware or in the same network cable, which makes the boundary less clear-cut and therefore gives lower confidence in the strength of the separation mechanism than physical separation does.
Network segmentation is needed because it limits the damage of a cyberattack. Without segmentation, there is a risk that sensitive information can be leaked or manipulated, and that malware and ransomware can spread unchecked and quickly. Attackers don’t have to go straight for the target, such as bank account information. Instead, they gain a foothold via weak points far out in the architecture, such as email or customer service, and work their way towards the goal. State-supported attackers are also patient, prepared to work long-term, proceed in small steps and, unfortunately, are often one step ahead. The reality is that the company’s management and control systems may already have been attacked without anyone noticing. Yet.
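The post says segmentation should start from a definition of the critical systems and then restrict what may cross into their zone. The following added example (not from the original post) audits constructed firewall flow records against such a zone design: the zone address ranges, the allow-list and the sample flows are all assumed values, and any cross-zone flow not on the allow-list is reported as a segmentation violation.

```python
from ipaddress import ip_address, ip_network

# Constructed zone map (assumed values): the critical systems sit in their own segment.
ZONES = {
    "critical": ip_network("10.10.0.0/24"),      # core systems holding critical information
    "office":   ip_network("10.20.0.0/16"),      # workstations, email, customer service
    "dmz":      ip_network("192.168.100.0/24"),  # internet-facing services
}

# Constructed allow-list: the only cross-zone flows the segmentation design permits,
# as (source zone, destination zone, destination port). Everything else is a violation.
ALLOWED = {
    ("dmz", "critical", 443),   # web tier reaches the critical API over TLS only
    ("office", "dmz", 443),     # staff reach internal web applications via the DMZ
}

def zone_of(ip: str) -> str:
    """Map an address to its segment; addresses outside every zone are labelled 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit_flow(src: str, dst: str, port: int) -> tuple[str, str]:
    """Classify one flow as intra-zone, allowed (on the allow-list) or violation."""
    s, d = zone_of(src), zone_of(dst)
    if s == d and s != "unknown":
        return "intra-zone", f"{s}->{d}"
    if (s, d, port) in ALLOWED:
        return "allowed", f"{s}->{d}:{port}"
    return "violation", f"{s}->{d}:{port}"

def audit_log(lines: list[str]) -> dict[str, list[str]]:
    """Run the policy over 'src dst port' records and group the results by verdict."""
    report: dict[str, list[str]] = {"intra-zone": [], "allowed": [], "violation": []}
    for line in lines:
        src, dst, port = line.split()
        verdict, detail = audit_flow(src, dst, int(port))
        report[verdict].append(f"{line}  ({detail})")
    return report

# Constructed flow records, in the shape a firewall or NetFlow export might give.
SAMPLE_FLOWS = [
    "10.10.0.15 10.10.0.16 3306",    # database traffic inside the critical segment
    "192.168.100.4 10.10.0.15 443",  # permitted DMZ -> critical path
    "10.20.5.7 10.10.0.15 445",      # workstation reaching a core system over SMB
    "10.20.5.7 10.10.0.15 3389",     # RDP from the office zone into the critical zone
    "172.16.0.9 10.10.0.15 22",      # source address outside every defined zone
]

if __name__ == "__main__":
    for verdict, entries in audit_log(SAMPLE_FLOWS).items():
        for entry in entries:
            print(f"{verdict:10s} {entry}")
```

Flows that the design never intended (the SMB, RDP and unknown-source records) are the ones to investigate; the same check can be run regularly so that drift from the segmentation design is detected rather than assumed away.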
Read more about network segmentation and see our five-step guide to start planning your segmentation project.
Updated systems are important according to DORA – this is how you make an update securely
According to Article 16 of DORA, the relevant organisations shall minimise the effects of ICT risk through the use of sound, resilient and up-to-date ICT systems, ICT protocols and ICT tools that are suitable to support the performance of operations and the provision of services, and that adequately protect the confidentiality, availability, integrity or authenticity of the data in the network and information systems.
Updated systems are an important part of maintaining the security of the digital information they contain. However, the update process itself can introduce a security risk. To avoid that, to maintain the integrity and availability of the systems, and to be able to update securely, special solutions are required.
One way to do a secure update is to use a data diode that ensures one-way communication. The data diode is connected so that information can be imported into the system, but since no traffic can be transmitted in the opposite direction, information leakage is made impossible.
Read more about secure updates.
If you need more help with your security challenges, please contact us!