Insurance Day is part of Maritime Intelligence

Ensuring compliance with the Digital Operational Resilience Act

As the financial sector becomes increasingly reliant on digital technologies, ensuring operational resilience is essential

With just two months to go until Dora comes into effect, financial institutions must implement robust security protocols

The Digital Operational Resilience Act (Dora), which comes into full effect on January 17, 2025, represents a legislative effort to enhance the operational resilience of financial institutions within the EU.

As the financial sector becomes increasingly reliant on digital technologies, ensuring robust operational resilience is essential. Dora establishes a comprehensive framework that mandates financial entities to develop and maintain strong operational resilience capabilities, including risk management processes for information and communication technologies (ICT).

Dora emphasises the need for effective IT security measures and data governance, providing guidelines for how financial institutions should assess digital threats and maintain the integrity and availability of data. With just two months until Dora comes into effect, financial institutions must implement robust security protocols, conduct regular security testing and develop incident response plans to minimise the impact of cyber threats. Such organisations should consult with trusted partners to create a comprehensive cyber risk profile and ensure readiness in time.


Vendor risk assessments

Organisations may encounter several challenges when implementing and managing compliance with Dora.

One significant hurdle is the complexity of the regulatory requirements, which necessitates a comprehensive understanding of both internal systems and third-party relationships. Organisations must understand their risk profile to identify the areas where attacks would have the greatest impact and cause the most loss. Real-time, continuous visibility into a company’s risk, rather than an annual, moment-in-time assessment, is crucial not only to being Dora-compliant but also to being resilient to cyber attacks.

It is not just first-party risk that firms need to be conscious of: Dora expects financial institutions to conduct thorough vendor risk assessments across their entire ICT supply chain, a process that can be resource-intensive and time-consuming. Incidents such as the MOVEit and Ivanti breaches demonstrate the importance of monitoring vendor risk and show how even robust internal security measures can be undermined by weaknesses in third parties.

Companies that wish to be compliant with regulations and resilient to cyber attacks must understand the interconnectedness of financial institutions and their third-party service providers. Establishing clear contractual agreements and conducting thorough due diligence on third-party vendors are essential for ensuring compliance and enhancing overall resilience.

However, businesses must also be aware of how to turn their vendor risk assessments into actionable material. Quantitative risk assessments can help translate the potential risk of third-party vendors into financial terms, allowing for a clearer understanding of the potential financial impact of cyber threats. The Resilience Solution, for example, provides in-house cyber risk quantification modelling to deliver detailed risk analysis for clients, giving them a more comprehensive and nuanced view of their overall risk profile. This approach helps businesses address the complexity of regulations and ensure they understand their cyber risk.


Incident response planning

Another critical challenge is ensuring consistent adherence to security protocols and incident response plans across diverse, often dispersed teams working from multiple locations. This necessitates the development of robust training programmes and the cultivation of a security culture, which can take time to establish.

A key aspect of Dora is fostering a risk management approach and culture within financial institutions. Organisations must cultivate an environment where employees are aware of potential risks and are encouraged to contribute to resilience efforts. Continuous learning and training programmes are vital for promoting this culture.

Companies must develop and deliver internal cyber incident and data breach exercises and be prepared for potential assessments. To help identify these gaps, Resilience offers breach and attack simulations to clients, using artificial intelligence modelling to deliver critical insights, highlighting security strengths and compliance gaps. These simulations help companies not only stay compliant, but also resilient to cyber attacks.

Furthermore, effective incident response plans are crucial in managing and mitigating the impact of cyber attacks. By proactively monitoring threats and developing recovery strategies, businesses can quickly identify, contain and minimise operational disruptions and financial losses.


The path to compliance

As cyber threats continuously evolve, maintaining an agile approach to risk management while adhering to compliance deadlines can prove daunting. Integrating Dora compliance into existing frameworks and processes may strain limited resources, particularly for smaller institutions that may lack the necessary infrastructure and expertise to meet these demands effectively.

Financial institutions must also navigate the need for transparent communication with regulatory bodies, executive teams and board members to be able to demonstrate compliance without compromising sensitive operational details. This delicate balance underscores the importance of a strategic, co-ordinated approach to achieving Dora compliance.

Moreover, comprehensive insurance coverage is becoming an increasingly popular way for companies to address and mitigate risk. Integrated security and insurance solutions assist businesses by underwriting risk, providing quantitative risk assessments, developing cyber action plans, delivering proactive, comprehensive cyber resilience strategies for financial institutions and supporting them in complying with regulations like Dora.

Adopting these strategies will enable businesses to gain a clearer understanding of their risk profiles, shaping planning decisions, minimising losses and managing risk factors more effectively, and to align better with robust regulatory frameworks such as Dora so they can continue to operate securely and efficiently.


Si West is director of customer engagement at Resilience
