Few industries are subject to as much regulation as the financial world. With the Digital Operational Resilience Act, European legislation will soon be added to increase the sector's resilience. And that is also important news for other sectors.
Society is becoming increasingly digital. This means that risks are changing - also in the financial sector. Banks and insurance companies now own a lot of data. And so, it has become a top priority to secure it against cybercriminals.
"There are many actors who, quite rightly, impose guidelines that we must adhere to," says Karine Goris, Chief Security Officer at Belfius and chair of the Febelfin SECURSYS committee. "Just think of the European Banking Authority, the European Central Bank, national banks and the European Securities and Markets Authority (ESMA), or commercial parties such as Swift. There are also frameworks within the banks themselves that we use to protect ourselves."
The European Union is now introducing a new set of guidelines with the Digital Operational Resilience Act (DORA). "There are many independent initiatives, but I suspect they will consolidate over the next five years, including through the European NIS legislation. The financial sector is a canary in the coal mine in that respect. By taking a good look at what is happening at the banks now, other sectors can take a head start and increase their cyber maturity," says Karine Goris.
The DORA legislation has five focus points: ICT risk management, ICT-related incident management, digital operational resilience testing, third-party management, and information sharing. "For the systemic banks, it is more an evolution than a revolution," says Goris, "but DORA still introduces many new and relevant rules."
For example, there are guidelines requiring stricter testing of hardware and software so that weaknesses and strengths are identified proactively. External parties that want to work with banks and insurers will also be screened more thoroughly from now on.
"By taking a good look at what is happening at the banks now, others can take a head start." – Karine Goris, Chief Security Officer at Belfius
"DORA builds on existing frameworks but adds certain nuances. For example, every bank already has an incident management process, which states what should happen if something goes wrong. Cyber incidents must now be reported to the National Bank. But the new legislation centralizes the incident reporting obligation at the Center for Cybersecurity Belgium (CCB). That is an excellent thing because it gives us much better insight into the working methods of cyber criminals. The CCB can better inform companies and government agencies, allowing them to work more specifically on their vulnerabilities or limiting the impact of an incident," says Jan De Bondt, Head of Cybersecurity Advisory Services at Orange Cyberdefense.
Sharing is one of DORA's core values. "By reporting as an organization what you have experienced and which attacks you see popping up, the entire sector can better defend itself. And not only our sector, other industries and agencies such as the police could also use that knowledge," says Goris.
"Thinking carefully about the potential impact of DORA and then creating an action plan will play an important role in the cyber security of companies in the coming years." – Jan De Bondt, Head of Cybersecurity Advisory at Orange Cyberdefense
DORA's announcement does not mean that the legislation will come into force from tomorrow, but banks and insurers had better be aware of the changing rules. De Bondt: "At Orange Cyberdefense, we want to serve as a sounding board for organizations working on cybersecurity. Thinking carefully about the potential impact of DORA and then making an action plan to increase operational resilience will play an important role in this in the coming years."
Karine Goris and Dan Cimpean (BDO) explained these changes in detail during our event 'Orange Cyberdefense Live - Ahead of the storm'.