Cybersecurity in the Financial Sector 2023: Threats and Regulations

In today's rapidly evolving technological landscape, cybercriminals are adapting and developing more sophisticated attacks than ever before. The financial sector experienced significant challenges in 2023 due to various factors, including web application and API attacks. Simultaneously, the European Union (EU) is introducing new regulations to enhance the digital resilience of the financial sector. This article explores the current cybersecurity landscape and the significance of the EU's Digital Operational Resilience Act (DORA) for the entities it affects.

The digital shift enables 24/7 transactions from home through services like digital wallets and online banking. But what happens if technology malfunctions or faces disruptions? Our reliance on digital services demands not only development but also the strengthening of our resilience against cyberattacks. The report "The High Stakes of Innovation - Attack Trends in Financial Services" highlights that 2023 has been a critical year for cybersecurity within the financial sector. Its research provides insights into the emerging threats in 2023 and an indication of what financial institutions need to prepare for.

Increased digital finance, more cyber risks

Our daily reliance on financial services is steadily increasing, placing high demands on ongoing development. Meanwhile, cyberattacks against financial services and applications increased by a staggering 65% between Q2 2022 and Q2 2023, amounting to 9 billion attacks during that period. Layer 3 and 4 Distributed Denial of Service (DDoS) attacks have seen a notable surge in the financial sector, which has surpassed even the gaming industry as the most affected sector. One reason behind this increase is believed to be motives related to the Russia-Ukraine conflict. Regionally, Europe, the Middle East, and Africa (EMEA) account for the largest share of DDoS attacks at 63.52%, nearly double that of the second most affected region.

The report also reveals a significant 69% increase in malicious bot requests targeting users and their sensitive data. These attacks include account takeovers and underscore the risks to the data that financial services collect.

Digital Operational Resilience Act

The increased threats in 2023 present significant challenges for cybersecurity within the financial sector. The trends in attacks have been multifaceted and alarming in their scope. The Digital Operational Resilience Act (DORA) is a new EU regulation that entered into force on December 15, 2022, with the aim of establishing a common framework for managing digital operational resilience within the financial sector. The core objective of the regulation is to enhance the financial sector's resilience against cyberattacks and risks related to information and communication technology (ICT). By January 17, 2025, the financial sector must comply with the DORA regulation.

The regulation will impact a broad spectrum of financial entities, including banks, securities firms, insurance companies, and other financial service providers, as well as third-party providers of critical services to these entities. The requirements for financial entities and service providers include the identification and management of ICT risks, incident reporting, and the establishment of recovery plans to minimize disruptions during ICT outages. DORA poses both a challenge and an opportunity for the financial sector to enhance its digital operational resilience.

Core tenets of DORA summarised

❖ ICT Risk Management: Identify and document all ICT-related risks and develop risk management strategies.

❖ Incident Reporting: Report serious incidents that may affect services and functions within defined timeframes to supervisory authorities.

❖ Operational Resilience Testing: Conduct regular tests, including scenario-based tests, performance tests, penetration tests, and exercises to ensure operational resilience and establish recovery time objectives.

❖ Third-Party ICT Risks: Identify and assess risks associated with third-party providers, include requirements in contracts, and monitor their compliance.

❖ Information Sharing: Collaborate with other financial organizations and authorities to share cybersecurity information and report incidents to supervisory authorities.

Many of these principles have been included in various regulations such as ICT guidelines, PSD2, and NIS2. However, DORA goes further by establishing detailed requirements, particularly focused on risks arising from third-party ICT providers. These risks must now be identified, evaluated, documented, and continuously monitored to comply with DORA's provisions.

Challenges in implementing DORA

DORA mandates that the board of directors assumes comprehensive responsibility for establishing and monitoring an effective ICT risk management framework. This entails implementing strategies, clarifying role responsibilities, and managing the ICT budget, including training. Furthermore, third-party ICT service providers must be approved and continually monitored for compliance with DORA.

The implementation of DORA requirements can be challenging and costly, particularly for smaller companies with limited resources. Technical upgrades, security measures, training, and skill development are among the challenges that companies may encounter. Cybersecurity is a priority that cannot be ignored within the financial sector, and DORA represents a significant milestone in strengthening the industry's digital operational resilience in an increasingly digitized world.

Do you need help with the implementation of DORA?

SVEIC offers services to meet the requirements and implement best practices according to the DORA regulation.

Sveic AB, November 4, 2023