Earlier this year Bank of America experienced a data breach that impacted over 57,000 of its customers, exposing personally identifiable information such as Social Security numbers, names and dates of birth belonging to deferred compensation plan participants.

The cause of the breach? A threat actor compromised the third-party IT provider Infosys McCamish Systems. This followed a breach almost a year earlier via another third-party service, NCB Management Services, a company that provides accounts receivable management to businesses throughout the U.S.

With healthcare and finance currently ranked as the industries with the highest number of third-party attacks, security teams are doing everything in their power to implement systems and processes to defend against these attacks. One strategy financial services in the EU have taken to better withstand cyber and operational disruptions is adhering to DORA, the Digital Operational Resilience Act.

What is Operational Resilience?

Operational resilience is the ability of an organization to maintain its services when its operations are disrupted. This disruption could be due to cybersecurity attacks, theft, geopolitical events such as war or conflicts, supply chain disruption, economic or political shifts, or natural disasters. As financial service organizations rely increasingly on third parties for critical services, it is essential that they are able to assure continuous operations in the event of disruptions due to any of these factors. Operational resilience in the face of these events ensures that critical services such as payments continue, and that the organization can adapt to changing circumstances, for example by rerouting resources.

By ensuring your organization has the key components below, you will also be taking the proper steps towards ensuring operational resilience under the Digital Operational Resilience Act.

These steps include: 

  • Developing a Robust Risk Management Framework. A comprehensive ICT risk management framework in alignment with DORA’s requirements that focuses on risk identification, continuous monitoring, and mitigation strategies.
  • Establishing an Incident Response Plan. This should include detection, containment, and recovery from disruptions along with ensuring that communication protocols and escalation procedures are in place.
  • Regular Resilience Testing. This includes conducting regular operational resilience tests such as penetration testing, stress testing, and continuity exercises. These tests must be conducted at least annually. 
  • Third-Party Risk Management (TPRM). Establishing best practices for assessing and monitoring the operational resilience of third-party vendors and creating contingency plans in case of third-party failures.

Key elements include: 

1) ICT Risk Management Framework

To ensure businesses can more effectively manage third-party risk and build TPRM into their business strategy, DORA mandates that financial businesses implement a comprehensive information and communications technology (ICT) risk management framework. This framework should include taking inventory of all third-party services, also known as the Register of Information, in addition to risk identification, assessment, and mitigation strategies. Priority should be given to managing risks related to critical services. The ICT risk management framework is aimed at streamlining risk management in the financial industry and developing a standardized approach to compliance with all relevant EU regulations. 

2) DORA’s Incident Reporting and Management Requirements

DORA requires financial services organizations to implement a process for reporting ICT-related security incidents and to report them according to the timeline of the geographic region. These incidents should be reported using standardized templates to make it easier for authorities to understand and address the risks. Having a process in place and standardizing the method of reporting both facilitate faster reporting and response to these incidents. This requirement also includes establishing clear procedures for mitigating any incident so that business continues or disruptions are minimized.

3) Operational Resilience Testing

Financial service organizations must periodically test their operational resilience against threats, at a minimum once a year, and improve it where necessary.

DORA’s testing requirements include: 

  • Vulnerability assessment testing. Vulnerability assessment and penetration testing should be conducted on a regular basis according to the risk profile of the ICT service to identify those that could disrupt critical services. Vulnerabilities should be remediated in a timely fashion through mitigation or patch management. 
  • Threat-led penetration testing (TLPT). This includes the simulation of cyberattacks and the evaluation of the organization’s ability to respond to them. Still under development, the TLPT standards will most likely be based on an EU framework of threat-intelligence-based ethical red team testing known as TIBER-EU, but mandate stricter requirements for financial services organizations than in the past.
  • ICT risk assessments. This includes disaster recovery testing and business continuity testing to evaluate the organization’s preparedness in the event of an operational disruption or security incident. These risk assessments should be tailored according to the size and needs of the organization (e.g. larger organizations should have more sophisticated risk assessments). 
  • Scenario-based testing. Different scenarios should be simulated to test the effectiveness of the incident response team and confirm the organization is prepared for each of them. Typically a different scenario should be created for each DORA requirement.

4) Third-Party Risk Management (TPRM)

One of the main goals of DORA is to develop more effective ICT risk management among EU-centered financial services organizations. The regulation aims at minimizing the risk of dependency on specific third-party services that might fail to deliver business continuity during a security incident or other operational failure. Another important goal of DORA is that by strengthening third-party resilience, businesses will strengthen the resilience of the financial industry as a whole. The increased regulatory focus on the cyber risks posed by outsourcing to third parties is a major trend in TPRM we will continue to see in the future.

Technology Solutions for Operational Resilience

Although many solutions exist to increase operational resilience today, we also see a number of trends. With the increasing migration to the cloud, for example, many solutions offer multi-cloud or hybrid strategies that distribute workloads across different cloud platforms, or between cloud and on-premises infrastructure, to reduce the risk of a single point of failure. They also offer effective methods for backing up and recovering data. Both of these capabilities are essential for the financial sector, which deals with vast amounts of sensitive data.

Additional trends include implementing zero trust architecture to prevent unauthorized access to systems and networks, automating incident response and remediation, and leveraging artificial intelligence (AI). 

Leveraging Automation and AI for the Digital Operational Resilience Act

AI tools can assist in several ways in strengthening your organization’s digital operational resilience. On the evaluator’s end, for example, AI can automate the review of security questionnaire responses and validate them against critical documents and cyber posture tests; on the supplier’s end, it can complete questionnaires automatically, using relevant vendor documents as references. In vendor risk assessments, AI can collect data from various sources, such as vendor documents and dynamic data, and assess how well both internal and third-party controls currently meet your organization’s regulatory and policy requirements. With its ability to analyze large amounts of data in real time, AI can detect and prioritize security incidents, responding to both known and unknown threats before an attack occurs. In addition, AI can analyze data and detect unusual patterns to identify emerging threats at the earliest stages of an attack. For this reason, AI is now an essential tool in incident response as well as in monitoring efforts.

Cybersecurity and Resilience Tools for the Digital Operational Resilience Act

In addition to technological trends, different cybersecurity tools and platforms also exist to achieve operational resilience. 

These include: 

  • Security Information and Event Management (SIEM) platforms that collect and analyze data from different systems, offering logging and real-time analysis so that security teams can respond to threats across the organization.
  • Vulnerability management that identifies and manages vulnerabilities, including CVEs, KEVs, unpatched software, misconfigurations, and weak credentials, to prioritize and remediate them across an organization’s IT infrastructure.
  • Endpoint detection and response to monitor laptops, desktops, mobile, and IoT devices for security threats and respond to them in real-time. 
  • Threat-led penetration testing (TLPT) to simulate real-world security incidents and evaluate your organization’s preparedness in the event of a similar attack. 
  • Third-party risk management (TPRM) for monitoring and evaluating third-party risks in your supply chain while at the same time aligning with DORA’s regulations. 

Continuous Monitoring Solutions Under the Digital Operational Resilience Act

With the dynamic nature of networks, third-party services, and the emerging threat landscape, it is critical that financial services and other industries conduct continuous monitoring to detect threats and vulnerabilities in real time so that they can respond as quickly as possible to these threats. 

Organizations use a wide variety of different tools to address this challenge, including:

  • Behavioral analytics tools to establish baselines for user behavior and easily identify anomalous patterns to proactively defend against security incidents. 
  • Network performance monitoring that tracks aspects of your network such as firewall access, bandwidth usage, resource consumption, and uptime to ensure they are performing optimally and identifies any issues as quickly as possible.
  • Cloud security posture management to monitor the cloud infrastructure for security issues such as misconfigurations and vulnerabilities. 
  • Third-party risk management to continuously monitor third-party risks and ensure up-to-date compliance with relevant regulations. 

Ensuring Operational Resilience in Practice

One of the world’s leading insurance companies, Northern Standard, had been relying on spreadsheets to track the security posture of its suppliers and third parties. As the company grew to rely on over 250 suppliers, however, its third-party risk increased and it needed real-time insights into these evolving risks. As a financial service organization, Northern Standard also needed a solution to help it achieve DORA compliance, which emphasizes third-party ICT risks.

Using Panorays’ DNA Risk Score, Northern Standard was able to collect millions of data points, aligning outcomes with its KPIs and KRIs, to provide a precise cyber-risk rating of its third parties. At the same time, it reduced manual input by 75% through automation. With an accurate cyber score that reflects its true risk, Northern Standard could prioritize its third-party risk accordingly and remain compliant in an ever-evolving regulatory space.

Common Pitfalls in Achieving Operational Resilience

Achieving operational resilience is a goal an organization must work towards constantly, with many challenges along the way. Here are a few examples of these challenges and how they can be addressed. 

Lack of Regular Testing

Many organizations fail to test their operational resilience on a regular basis. For example, most organizations only conduct penetration testing annually, which is also what the DORA regulation requires. Even if the penetration test discovers no vulnerabilities in the network, however, that result is only valid for a static point in time, until there is an update in the technology or a change in the network. In addition, the cyber threat landscape is dynamic, with malicious threat actors developing more sophisticated attacks all the time. Effective TPRM includes continuous monitoring to identify the new threats and vulnerabilities that result from this dynamic threat landscape and changing IT technology.

Underestimating Third-Party Risks

Businesses underestimate third-party risks in two major ways. First, they lack visibility of their third-party network and the different dependencies within the supply chain. These business relationships are complex and dynamic and need to be managed in real time with various tools and technologies. Second, organizations are often unaware of which critical services these third parties support and are unable to prioritize the risks accordingly. This is essential in organizations that rely on dozens or even hundreds of third parties, with each business relationship bringing its own element of risk. Although not all risks need to be addressed, they do need to be categorized and evaluated for the level of risk they can potentially bring to the organization to correctly prioritize these risks. 

Inadequate Incident Response Plans (IRPs)

Since IRPs are usually executed after an attack, they are typically reactive rather than proactive. DORA addresses this challenge by emphasizing continuous monitoring and third-party risk management, which take a more proactive approach. In addition, many IRPs take a siloed approach and lack coordination with other areas, such as disaster recovery, business continuity, and vendor management. Finally, many IRPs do not include plans for third-party risks, which are a major emphasis of the DORA regulation. Third-party risk management also demands coordinated efforts between the third party and the organization, while most IRPs focus on internal risks within the organization.

Long-Term Benefits of Digital Operational Resilience Act Compliance

As more and more organizations adhere to the DORA standards, both within the financial services industry and beyond, they will position their organization to lead in the evolving regulatory landscape and gain a competitive edge in the market. 

Strengthening Cybersecurity and Risk Management

With its focus on ICT risk management frameworks, DORA helps to minimize the potential risks to a financial service in an industry with increasing reliance on third parties to outsource critical services that deal with sensitive data. This strengthens the financial industry as a whole, standardizing the regulatory process and making it easier for organizations to evaluate a vendor’s operational resilience, leading to a more stable financial system in the EU. In the long term, this stability will extend beyond the EU to the global community as well.  

Improved Stakeholder Trust and Confidence

As financial services organizations adopt DORA, it will become easier for customers to trust that their data is protected against a wide range of cybersecurity threats, whether that data is held by the organization itself or by its third-party services. Customers selecting DORA-compliant service providers can trust that these organizations are required to report incidents within a specified amount of time, adhere to specified risk management frameworks, monitor their third parties continuously for risks, and conduct penetration testing at regular intervals. Vendors adhering to these standards will offer organizations, regulators, investors, and additional stakeholders a more trustworthy option.

Enhanced Business Continuity

DORA compliance also mandates specific practices to assure organizations that services will continue in the event of a cyberattack or other operational disruption. This includes requiring business continuity plans, backups, and tools that deliver real-time insights to serve as early warning systems. In addition, incident response plans must be tested to ensure that they meet recovery time objectives (RTOs), so that operations can be restored within a specific timeframe.

Operational Resilience Under the Digital Operational Resilience Act

Rather than seeing DORA as another regulatory obligation that needs to be fulfilled, financial service organizations should consider viewing its requirements as an opportunity to build stronger and more resilient business operations across the industry as a whole. 

With its third-party cyber risk management platform, Panorays helps businesses adopt this mindset and take a proactive and contextual approach to meeting DORA standards, including:

  • Supply chain mapping that delivers visibility into third, fourth, and N-th party risks, including hidden vulnerabilities.
  • DORA-specific questionnaires that sort your ICT vendors based on their level of criticality.
  • AI-powered cybersecurity questionnaires that cross-reference vendor certifications with questionnaire responses through document validation.
  • A Risk Insights and Response portal that delivers real-time alerts on cyber events affecting your supply chain. 
  • A DORA Register of Information that combines all financial entity, function, and ICT contractual arrangement data into a ready-to-go exported report.

Want to learn more about how Panorays can help you meet DORA compliance and strengthen your operational resilience? Get a demo today!

Digital Operational Resilience FAQs