
The new regulations are forcing organizations to take cybersecurity more seriously.
New European Union regulations requiring banks to strengthen their cyber security systems officially come into force on Friday – but many of the bloc’s financial services firms are still not in full compliance with the rules.
The EU Digital Operational Resilience Act, or DORA, requires both financial services companies and their technology providers to strengthen their IT systems to ensure that the industry is resilient in the event of a cyber attack or any other form of disruption. It entered into force on January 17.
Penalties for violations of the new legislation can be substantial. Financial services firms that fail to comply with the new rules may face fines of up to 2% of annual global revenue. Individual managers could also be held liable for violations and face fines of up to 1 million euros ($1 million).
So far, the compliance rate among financial services companies with the new rules has been mixed, according to Harvey Jang, chief privacy officer and deputy general counsel of the IT giant Cisco.
“I think we’re seeing a mixed bag,” Jang told CNBC in an interview. “Certainly the more mature companies are looking ahead to this for at least a year – if not longer.”
“We really tried to build this compliance program, but it’s so complex. I think that’s the challenge. We also see this with GDPR and other broad legislation that is subject to interpretation – what does it really mean to comply? It means different things to different people,” he said.

This lack of a common understanding of what qualifies as robust compliance with DORA has in turn led many institutions to raise their security standards to levels that actually exceed the “baseline” expected of most companies, Jang added.
Under DORA, financial firms will be required to undertake rigorous IT risk and incident management, classification and reporting, operational resilience testing, intelligence sharing on cyber threats and vulnerabilities, and measures to manage third-party risks.
Companies will also be required to conduct “concentration risk” assessments in relation to outsourcing critical or important operational functions to external companies.
A Census survey of 200 UK CIOs commissioned by Orange Cyberdefense, the cybersecurity division of the French telecommunications company Orange, showed that 43% of financial institutions in Great Britain are still not fully compliant with DORA.
That’s a concern because, even though the UK is outside the European Union now, DORA applies to all financial entities operating in EU jurisdictions – even if they’re based outside the bloc.
“While it is clear that DORA has no legal reach in the UK, entities based here and operating or providing services to entities in the EU will be subject to the regulation,” Richard Lindsay, principal consultant at Orange Cyberdefense, told CNBC.
He added that the main challenge for many financial institutions when it comes to achieving DORA compliance has been managing their critical third-party IT providers.
“Financial institutions operate in a multi-layered and highly complex digital ecosystem,” said Lindsay. “Tracking and ensuring that all parts of this system clearly comply with the relevant elements of DORA will require new thinking, solutions and resources.”
Banks are also adding higher levels of scrutiny to their contract negotiations with technology providers because of DORA’s strict requirements, Jang said.
Cisco’s chief privacy officer told CNBC that he thinks there is an alignment when it comes to the principles and spirit of the law. However, he added, “any legislation is a product of compromise and so, as they become more prescriptive, then it becomes challenging.”
However, despite the challenges, the broad expectation among experts is that it will not be long until banks and other financial institutions achieve compliance.
“Banks in Europe have already complied with significant regulations covering most of the areas that are subject to DORA,” Fabio Colombo, EMEA head of financial services security at Accenture, told CNBC.
“As a result, financial services institutions already have mature governance and compliance capabilities in place, with existing incident reporting processes and solid ICT risk frameworks.”
IT providers can also be fined under DORA. The rules threaten penalties of up to 1% of average daily revenue worldwide for up to six months.
“These sanctions are necessary,” Brian Fox, chief technology officer of supply chain management company Sonatype, told CNBC. “They are a powerful motivator, pushing leaders to take compliance and operational resilience more seriously than ever before.”
Orange Cyberdefense’s Lindsay said there is a longer-term risk that financial services firms will end up moving their critical security functions and services in-house.
“Advances in technology can allow financial institutions to move services in-house, simplifying this aspect and reducing the risk of non-compliance,” he said.
“However, existing contracts need to be updated to ensure that compliance is contractually mandated and monitored between the entity and the provider,” added Lindsay.
Meanwhile, there are many other regulations focused on cybersecurity that organizations must come to terms with, such as the Network and Information Security Directive 2, or NIS 2, and the Cyber Resilience Act. The former came into effect in October.
“As with any new regulation, there will certainly be a transition period as organizations adapt to the new requirements and standards,” Sonatype’s Fox told CNBC. “This is the beginning of a long journey towards improving the security and resilience of software.”