Security Sep 25, 2024

EU DORA Act challenges financial institutions to be more resilient

By Dónal Munnelly CyberSecurity Proposition Manager, BT Ireland

For financial services companies, including banks, insurance companies, and investment firms, the Digital Operational Resilience Act (DORA) is a new piece of EU regulation that threatens to pose a bigger challenge than GDPR. A lot of work will need to be done to ensure compliance by the deadline, January 17, 2025.

DORA is about enhancing the IT security of financial entities. Like NIS2 (see previous blogs), the regulation reflects the EU’s concern about increasingly sophisticated cyber threats, and about well-orchestrated attacks bringing down major European financial institutions, perhaps risking the economic stability of the region. And the recent CrowdStrike outage, following a flawed security upgrade, highlights that it doesn’t have to be a cyberattack to cause large-scale disruption when there is so much dependency on ubiquitous technology.

The new regulations demand greater resilience through improved risk and incident management, with more effective reporting and testing around business continuity plans. Third-party services are also covered by DORA and organisations will need capabilities to quickly share details of any incident that breaches their security. 

Legacy problems

From our work with the financial services sector, we know how challenging the regulations will be. The reality is that many companies are running legacy systems, including mainframes, that make it hard to add extra layers of resilience. Upgrades will pose a big challenge, from a topology point of view. 

Many firms have looked to transform the way IT is delivered and consumed through multi-cloud strategies, running parts of the business from different environments, but this can make it hard to implement across-the-board security improvements, or have the single-window visibility needed for the high-level reporting that the new regulations demand.  

Much more than a tick-box exercise, DORA compliance will prompt a rethink around IT strategy. Large organisations have been on a vendor consolidation journey, trying to simplify the management of their IT estate by using fewer suppliers. A challenge with the new Act is that it promotes the idea that resilience comes from having diverse providers.  

DORA documentation makes a specific reference to cloud computing in the pursuit of diverse suppliers. Cloud providers argue that their hyperscale platforms already address many of the issues raised in DORA, but each company’s use of cloud services will inevitably be different and require close examination to ensure compliance.

Single-dashboard view 

At BT, with our focus on security across hybrid environments, we are well positioned, not just to advise on DORA but to implement products and services that will achieve the levels of resilience needed. Our Hybrid Cloud Backup and Replication solution is a good example. 

We are already seeing activity in the sector around how deep backup processes go, and a need to maintain a whole new cloud infrastructure for failover of everything from large systems to voice recordings. It’s made more complicated by an intricate chain of processes – personal banking might run in one cloud and a broker service from another – which can be a big challenge if you are required to make them demonstrably more resilient.

To address the complexity, BT is transforming cloud workload management and resilience with Global Fabric, our revolutionary Network-as-a-Service platform. Not only does it improve visibility across multi-cloud estates with wider and deeper real-time monitoring, it provides pre-emptive AI-powered fault resolution, and the ability to change network routing according to business needs. It’s a good fit for financial services companies looking to simplify the steps towards achieving DORA compliance. 

Real-time monitoring uses automated systems to ‘see’ particular event sequences happening over a period of time that may signify a potential service outage. AI is used to de-duplicate the ‘noise’ for a clearer monitoring picture, leaving a single abstracted view of alerts, correlated to network elements. And because any changes to network routing are software defined, it allows geographic control over where sensitive data travels, which is an effective way to comply with data sovereignty regulations.  
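To make the monitoring idea above concrete, here is an added example written for this post (not BT’s Global Fabric or any BT product code): it takes a constructed stream of network alerts, collapses repeats of the same alert on the same element within a time window, correlates the survivors to their network element, and flags an element whose alerts follow a predefined sequence that signals a potential outage. The element names, messages, windows and the outage sequence are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (ISO timestamp, network element, message).
# The three "BGP peer down" lines within a minute are the kind of noise
# a monitoring pipeline should collapse into one alert.
SAMPLE_ALERTS = [
    ("2024-09-25T10:00:00", "edge-router-01", "BGP peer down"),
    ("2024-09-25T10:00:05", "edge-router-01", "BGP peer down"),   # repeat
    ("2024-09-25T10:00:20", "edge-router-01", "BGP peer down"),   # repeat
    ("2024-09-25T10:00:40", "core-switch-02", "link flap"),
    ("2024-09-25T10:01:10", "edge-router-01", "packet loss > 5%"),
    ("2024-09-25T10:02:00", "edge-router-01", "latency > 200ms"),
    ("2024-09-25T10:15:00", "edge-router-01", "BGP peer down"),   # new episode
]

# Hypothetical tuning values for this example.
DEDUP_WINDOW = timedelta(minutes=5)
SEQUENCE_WINDOW = timedelta(minutes=5)
# An ordered sequence of messages on one element that, seen within
# SEQUENCE_WINDOW, is treated here as a sign of an impending outage.
OUTAGE_SEQUENCE = ["BGP peer down", "packet loss > 5%", "latency > 200ms"]


def parse_alerts(raw):
    """Turn raw (timestamp, element, message) tuples into sorted, typed tuples."""
    return sorted((datetime.fromisoformat(ts), el, msg) for ts, el, msg in raw)


def deduplicate(alerts, window=DEDUP_WINDOW):
    """Collapse repeats of the same (element, message) that fall within
    `window` of the first occurrence into one alert carrying a count."""
    kept = []
    open_by_key = {}
    for ts, element, message in alerts:
        key = (element, message)
        current = open_by_key.get(key)
        if current is not None and ts - current["first"] <= window:
            current["count"] += 1
            current["last"] = ts
        else:
            current = {"first": ts, "last": ts, "element": element,
                       "message": message, "count": 1}
            open_by_key[key] = current
            kept.append(current)
    return kept


def correlate_by_element(alerts):
    """Group de-duplicated alerts by the network element they relate to."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[alert["element"]].append(alert)
    for element in grouped:
        grouped[element].sort(key=lambda a: a["first"])
    return dict(grouped)


def detect_outage_sequences(alerts, sequence=OUTAGE_SEQUENCE, window=SEQUENCE_WINDOW):
    """Report each element whose alerts contain `sequence` in order,
    with the whole sequence starting and finishing within `window`."""
    findings = []
    for element, element_alerts in correlate_by_element(alerts).items():
        msgs = [(a["first"], a["message"]) for a in element_alerts]
        for i, (start_ts, start_msg) in enumerate(msgs):
            if start_msg != sequence[0]:
                continue
            idx = 1
            for ts, msg in msgs[i + 1:]:
                if ts - start_ts > window:
                    break
                if msg == sequence[idx]:
                    idx += 1
                    if idx == len(sequence):
                        findings.append({"element": element, "start": start_ts, "end": ts})
                        break
    return findings


def run_pipeline(raw=SAMPLE_ALERTS):
    """Full pass: parse -> de-duplicate -> correlate -> detect sequences."""
    deduped = deduplicate(parse_alerts(raw))
    return {"raw_count": len(raw), "deduped": deduped,
            "findings": detect_outage_sequences(deduped)}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"{result['raw_count']} raw alerts -> {len(result['deduped'])} after de-duplication")
    for f in result["findings"]:
        print(f"potential outage on {f['element']} from {f['start']} to {f['end']}")
```

The de-duplication key is (element, message) with the window anchored on the first occurrence, so a recurrence after the window is reported as a fresh episode rather than silently absorbed; in a real pipeline the sequence definitions and windows would be tuned per element type and fed from a source of truth for the network topology.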

Our range of products covers every security layer, from the data centre to the endpoint device, with everything on the network in between. We can provide full visibility across physical, virtual, and cloud environments, not just to monitor threats but to simplify the deployment and ongoing management of security tools and services.

In terms of incident management and immutable backups, our experience would suggest that many financial services companies have at least some elements in place, but they may need to be fine-tuned to be DORA compliant. Our experts are on hand to advise and make sure organisations are able to get across the line by the end of the year.

Pre-register today for our exclusive webinar on Thursday October 24th, 4pm GMT, where our experts will guide you through the complexities of compliance and share actionable insights on building a more resilient IT infrastructure.