
How FS organisations can navigate the ever-evolving compliance landscape

For businesses operating in the financial services (FS) arena, data has never been more important than it is today. When leveraged effectively, data holds the key to increased profit, boosted productivity, and improved customer service. Conversely – as we have seen with recent global disruption to the financial sector and many other verticals reliant on real-time transactional data – when timely and reliable access to this data is removed, by malicious or unintentional means, the negative reputational and business impact can be disastrous.

It is exactly for these reasons that data is an exponentially increasing target for malicious actors who seek to extort FS businesses for their money. In fact, recent research found that three in five FS organisations (64%) were hit by ransomware attacks last year. Given the sheer amount of sensitive, personal data that these organisations hold, the potential damage of such an attack carries business-critical risk.

This is also why governments across the world are rightly focusing their efforts on strengthening the cyber resiliency of all highly regulated sectors through the introduction of new legislative and regulatory requirements. By attaching very significant financial and reputational repercussions to non-compliance with these regulations, the objective is to avoid the even greater damage that external threat actors can cause to these critical national business sectors.

A landscape full of directives

Across Europe, the recent introduction of many new directives, including NIS2 (Network and Information Services version 2), the CER (Critical Entities Resilience) and DORA (Digital Operational Resilience Act), signifies a paradigm shift towards more proactive risk management. These regulations – which impact all businesses operating within the European Union – demand heightened cyber resilience and include non-compliance penalties. They signify a clear intent to safeguard critical and digital infrastructure.

DORA, as one of the newest EU regulations, has become the subject of much attention in recent months. It was released in 2023 with the goal of strengthening cyber resilience for the financial market. With all financial institutions – including banks, insurance companies, payment and credit organisations and service providers – expected to be compliant by January next year, the clock is very much ticking to implement the necessary tools and processes.

DORA is all about boosting resilience for the increasingly globally interconnected digital infrastructure of the FS sector. It requires companies to focus on a Digital Resilience Strategy accompanied by a Digital Resilience Framework. In fact, the 64-article EU regulation mentions the word ‘recover’ 60 times. As such, when it comes to compliance with DORA, the importance of effective backup solutions cannot be overstated.

Legislated communication and transparency

Financial services organisations need a comprehensive response plan that is regularly tested, rehearsed, and continually communicated with all key stakeholders. It is only then that they can be on the front foot and act quickly to ensure business resiliency.

NIS2, for instance, requires specific incident reporting and communications provisions. It also emphasises the importance of certified secure supply chains to protect the digital ecosystem. Non-compliance may result in penalties of up to 2% of revenue.

The new Critical Entities Resilience (CER) rules are a significant development for regulated industries such as energy, transportation, banking, and digital infrastructure, specifically designed to supplement national strategies around cyber security. All critical entities are required to inform authorities of breaches, or risk major financial penalties.

Backing up to move forward with DORA compliance

When it comes to DORA, businesses that operate in the EU will need to be able to prove that they can restore backups to another location that is physically and logically segmented from the source, and that backup data is securely protected from unauthorised access and corruption (immutable).

Because the backup system is one of the most important targets for an attacker, DORA-regulated entities must be able to demonstrate what safeguards are in place. This is why FS organisations should use solutions that already meet the sector's stringent requirements, so that documentation is readily available during an audit.

Preparations should already be well underway for FS organisations preparing for DORA to come into force next January. However, those who are running behind should start an internal DORA compliance project as early as possible. This should include scoping, gap analysis, process validation and reporting validation. Fully understanding the regulation and how an organisation might be affected is the first step towards achieving compliance.

Compliance is good for business

Even if FS businesses have discovered that they are not in scope for the upcoming directives, it doesn’t mean that they should just sit back and relax. There is a reason that these requirements exist. Attacks happen every day and major incidents are becoming increasingly frequent.

Although DORA is extensive and represents a substantial regulatory requirement for a broad range of EU financial entities, there are lessons that can be learnt from its articles. Implementing these can greatly increase an organisation’s cyber resilience and ensure that valuable FS data is better protected from attackers. This is why investing in a proactive approach to compliance could help FS organisations to stay one step ahead.
