Is your organisation ready for DORA?
Financial services is unique among critical infrastructure sectors. Although it has spent heavily on cyber-resilience over the years, it remains among the most highly prized targets for threat actors. That is part of the reason why reported data breaches in the vertical tripled year on year in the twelve months to June 2023. Threat actors are drawn by the wealth of personal and financial information that financial services firms hold, and by the potential to access and siphon funds from customer accounts.
That’s why the EU wants to harmonise and improve cyber-resilience in the sector, across the region, with its Digital Operational Resilience Act (DORA). UK providers such as banks, insurers, investment firms and payment service providers (plus their IT partners) that serve EU customers have one year until the compliance deadline.
What is required?
DORA is built on five key requirements:
1) IT risk management
Corporate leadership is now responsible for managing IT risk. It must develop a comprehensive risk management framework comprising asset discovery and management, dependency mapping, continuous risk assessments, business impact analyses, business continuity and disaster recovery (BC/DR), and the required security controls and policies.
2) Incident reporting
Incidents must be monitored, logged, classified and reported according to a standardised methodology. Depending on incident severity, regulators and impacted parties may also need to be informed.
3) Third-party IT risk
DORA also applies to financial sector IT providers. Financial services firms must assess and manage the cyber-resilience of their partners, and ensure risk is not concentrated in too few providers.
4) Resilience testing
Complying organisations must regularly test their IT systems, including through vulnerability assessments and penetration testing.
5) Information sharing
DORA promotes closer collaboration among complying organisations, so that they can share lessons learned and strengthen proactive risk mitigation.
A single source of truth for DORA compliance
With just a year to go until the 17 January 2025 compliance deadline, UK financial services firms could benefit from a centralised, platform-based approach to discovering, managing and mitigating risk across the entire attack surface. A single source of truth across email, hybrid cloud, endpoint, network and OT environments is the best way to deliver the threat protection, detection and response DORA requires for enhanced cyber-resilience.
This is the value that our flagship Trend Vision One platform offers financial services firms and their IT partners—enabling them to map and protect critical assets and respond rapidly to emerging threats.