Operational resilience is now firmly established as a critical priority for financial firms across the world’s markets, driven by a fundamental requirement to strengthen trust and security in response to the growing risk of cyber-attacks and disruptions – and underpinned by mandatory regulation.
According to Boston Consulting Group, cybercriminals are becoming more sophisticated thanks to innovations in artificial intelligence (AI) and social engineering attacks, and are 300 times more likely to target financial services firms than any other industry. This highlights the importance of being properly prepared.
It should come as little surprise then that Broadridge’s 2024 Digital Transformation & Next-Gen Technology Study revealed that in the next two years, financial firms will boost their investments in cybersecurity by nearly a third. Furthermore, cybersecurity is now the top capability that executives expect from their technology vendors, outpacing their ability to deliver projects on time and on budget.
The regulatory lens is widening
Today’s digital world is increasingly complex, characterised by an expanding web of interconnected systems and data that is stored – and widely shared – online. This means that the financial services industry is facing a pressing challenge to improve its operational resilience across all major markets and industry stakeholders.
It is worth noting that the number of attack vectors has multiplied in line with our growing reliance on technology, as well as the rise in remote working. A survey by the BCI, the global body for resilience professionals, showed that three-quarters of respondents had seen a rise in attempted breaches over the past year, with two-fifths (40%) unfortunately becoming the victim of a successful cyber-attack.
Strengthening operational resilience is therefore critical for financial firms to help them minimise the risk of cyber-attacks and disruptions, whilst enabling efficient and effective recovery capabilities.
The world’s regulators agree. Regulatory bodies in key jurisdictions are increasingly focussing on this topic. In the UK, the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have added new rules related to critical third-party dependencies within the financial services sector, with granular operational risk and resilience requirements for providers of mission-critical systems.
Other jurisdictions, such as the Monetary Authority of Singapore (MAS) and Australian Securities and Investments Commission (ASIC), have implemented similar regulations. In Japan, the government introduced the Economic Security Promotion Act (ESPA) in May 2022 to reduce the country’s dependence on third-party providers outside of its direct jurisdiction (and although this is not specific to financial services, it will impact the sector).
In July 2023, the US Securities and Exchange Commission (SEC) adopted final rules requiring companies subject to SEC reporting requirements under the Securities and Exchange Act of 1934, as amended, to disclose material cybersecurity incidents.
Regulators are understandably keen to gauge the dependencies and potential related systemic risks within the financial services sector as it becomes increasingly reliant on information and communication technology (ICT) tools and systems. The widening industry adoption of AI is also on the regulatory radar, as many of the AI providers are already within the ICT category due to their role as cloud technology providers, which could add to concentration risk.
Whilst the variety and volume of cyber-attacks has increased over time, with criminals becoming more organised and well-funded by crime syndicates and even nation states, there are other issues to consider.
The increasing prevalence of weather-based disruptions due to climate change is also under regulatory consideration, whilst operational outages are hitting the headlines more regularly – such as the significant outage of Microsoft Windows systems caused by a faulty software update from cybersecurity provider CrowdStrike in July 2024.
Getting ready for DORA
The most comprehensive regulation currently governing operational resilience is the European Union’s (EU’s) Digital Operational Resilience Act (DORA), which mandates that in-scope firms – such as banks and investment firms – must implement robust measures to manage and mitigate operational and system risks.
DORA has been structured around five pillars, which cover ICT risk management, incident reporting, resiliency testing, third-party risk management, and information sharing. The common thread that binds these pillars together is the protection of data as it passes through both a financial institution and then the ecosystem around it, such as vendors and clients.
DORA puts a great deal of emphasis on the importance of sharing up-to-date information and intelligence about the latest cyber threats and vulnerabilities impacting the European financial services ecosystem. By prompting a more collaborative environment, the hope is that firms can benefit from a repository of knowledge and experiences that will build their capacity to predict and address future challenges.
Another provision of DORA is the concept of continuous improvement. Certain elements within the regulation are prescriptive – for example, annual testing of all of a firm’s critical ICT systems, and (for some firms) advanced threat-led penetration testing every three years. Beyond such requirements, it will be crucial for firms operating in the EU to ensure they refer back to the regulation to remain compliant whenever they change their IT footprint by acquiring new technology, which can introduce new vulnerabilities for bad actors to target.
In terms of timings, firms now need to make sure that they are fully compliant with the new DORA regulation from 17 January 2025.
There is no time to waste – if firms have not started their planning already, then they must give it their immediate attention, as it will take months of preparation to meet these obligations, especially when it comes to a full systems review and service provider data reporting. We anticipate that buy-side firms in particular may well need to build in extra time to query information received from their outsourced service providers.
It is also important to note that enforcement action is very likely for those who drag their heels. With regulators prioritising operational resilience as outlined earlier in this article, they will be strict when it comes to clamping down on non-compliance in order to demonstrate the importance they now place on cybersecurity and the reduction of operational risks.
DORA leaves it to the national supervisory authorities across the EU to determine the exact sanctions for non-compliance, including the monetary fines to be levied on non-compliant financial firms.
The pressure tightens on third party providers
Whilst resiliency measures have previously been quite inward looking, with firms focused on getting their own house in order first, DORA will ensure they now need to extend this diligence externally across the third-party vendors and strategic partners that they work with.
Firms will need to conduct a more detailed analysis of the critical paths involved in their essential functions, which include trade flow data, settlement data, and any other data they collect, store or share.
This means that third-party providers, as well as in-house IT systems, will come under increasing pressure. DORA requires that critical systems of all kinds, including those of service providers, have received the necessary attention and investment to provide operationally resilient environments. This will necessitate a full review of a firm’s supply chain, including nth-party dependencies that exist beyond the third party in a business relationship, regardless of where those providers are headquartered or which regulatory jurisdiction they fall under.
DORA therefore essentially compels more firms to work closely with their critical third-party service providers to improve their threat assessments, cyber incident management, and overall resilience. It is ushering in an age of true partnerships – not simply outsourcing a critical function and then thinking it is a burden removed.
This is a positive step towards a more harmonised EU framework that will serve to enhance the digital operational resilience of financial services across the region, whilst also preventing the widespread contagion that would undermine the financial stability of the entire bloc. It is also a likely sign of things to come in other markets around the world as regulators look for new ways to help the industry to protect itself against a new generation of threats.
A call for greater collaboration
The future resilience of the global financial services industry is dependent on collaboration and the sharing of best practices – an ethos that underpins DORA and other regulatory thinking in markets around the world.
Broadridge’s Building Resilience Across Borders report highlights the urgent need for firms to achieve higher standards of operational resilience, drawing particular attention to DORA in Europe, which presents impacted firms with a complex challenge and a fast-approaching deadline.