Recap: What is DORA?
In September 2020, the European Commission published a proposal for the regulation of the digital operational resilience of the financial sector. The proposed Digital Operational Resilience Act (DORA) is intended to address the increasing risks that stem from the financial sector's reliance on Information and Communication Technologies (ICT).
When will DORA go into effect?
DORA continues progressing through the European Union’s (EU’s) legislative process. The European Commission initially proposed DORA on 24 September 2020. On 24 November 2021, the Council of the EU adopted a mandate to enter trialogue negotiations between the European Council, European Commission, and the European Parliament.
On 10 May 2022, trialogue negotiations resulted in a Provisional Agreement “which will make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption.” Many expect that DORA will be formally approved and adopted by the end of the year, at which point each EU Member State will pass DORA into law. The final agreed-upon text of DORA has not yet been released.
What are the expected changes to DORA as a result of the Provisional Agreement?
The European Council provided information on some of the changes that have occurred during the recent negotiation process. Some key highlights of the Provisional Agreement include:
- “The efforts asked from financial entities will be proportional to the potential risks.”
- “Under the provisional agreement, auditors will not be subject to DORA but will be part of a future review of the regulation, where a possible revision of the rules may be explored.”
- “Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.”
- “As regards the interaction of DORA with the Network and Information Security (NIS) directive, under the provisional agreement financial entities will have full clarity on the different rules on digital operational resilience they need to comply with, in particular for those financial entities holding several authorizations and operating in different markets within the EU.”
Will DORA apply to me?
DORA is applicable to all financial entities regulated at the European Union level. This includes:
- Credit institutions, payment institutions, electronic money institutions, and investment firms.
- Crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, and managers of alternative investment funds and management companies.
- Data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries.
- Institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks, and crowdfunding service providers.
How does RiskRecon help my organization meet the obligations set forth by DORA?
RiskRecon has always been committed to making the Internet more secure by delivering a trusted and transparent view into enterprise security programs, thereby enabling all organizations to adhere to security best practices. DORA has five key pillars and requirements, all of which RiskRecon can help to support. Here we will explore the highlights of each key principle and offer insight into how RiskRecon helps you meet the obligations in each category.
Pillar 1 - ICT Risk Management requirements (Articles 5 to 14)
- Identification: identify on a continuous basis all sources of ICT risk.
- Protection and prevention: set up protection and prevention measures.
- Detection: promptly detect anomalous activities.
- Response and recovery: put in place dedicated and comprehensive business continuity policies and disaster recovery plans as an integral part of the operational business continuity policy.
Our deep asset discovery and continuous assessments align closely with the identification and detection requirements set out by DORA. RiskRecon builds a detailed profile of every asset discovered, including software, IT infrastructure, geolocation, hosting providers, third and fourth parties, domains, systems, and configurations. RiskRecon automatically and continuously assesses your vendors for compliance with your risk policy, making it easy for you to understand and act on risk. RiskRecon arms you with information that enables you and your management team to allocate assessment resources based on risk and to prioritize remediation efforts.
When it comes to detection, response, and recovery, our customizable alerting features and interactive portal platform enable you to be aware when risks are found and to respond and mitigate ICT risks in the most efficient manner possible.
Pillar 2 - ICT incident reporting (Articles 15 to 20)
- The requirement to establish and implement a management process to monitor and log ICT-related incidents classified by materiality thresholds.
- Financial organizations will be required to submit initial, intermediate, and final reports informing their clients how the incident impacts their financial interests.
How RiskRecon can help:
RiskRecon monitors your vendors for data breach events that they have experienced. By monitoring breach events, the scope and scale of each breach, and the timeline for disclosure, you can be better informed about a vendor's information security program and identify potential gaps. RiskRecon also provides the ability to perform a detailed search to evaluate an organization's security posture, whether by asset value, issue severity, product utilization, hosting providers, or other critical areas of focus, allowing organizations to monitor for dangerous conditions and take action before cybercriminals exploit them. RiskRecon's Compliance Module maps vendor compliance to an array of more than 20 industry security standards based on RiskRecon assessment evidence. By utilizing the Compliance Module, you can observe the RiskRecon evidence that helps to inform a vendor's compliance with a given standard.
Pillar 3 - Digital operational resilience testing (Articles 21 to 24)
- Periodic testing for preparedness and identification of weaknesses, deficiencies, or gaps, as well as promptly implementing corrective controls.
How RiskRecon can help:
Our continuous monitoring and comprehensive assessment process make it easy for you to understand the cybersecurity performance of your entire organization and your third and fourth parties. We monitor each organization's internet-facing assets (including systems hosted externally) and identify everything from systems with unpatched vulnerabilities to the presence of malware and command and control (C2) servers. The continuous assessment functionality allows you to understand the current cybersecurity posture of your portfolio and create and share action plans to mitigate risks, prioritize issue remediation based on asset value, and receive alerts when the things most important to you change.
Pillar 4 - ICT third-party risk (Articles 25 to 39)
- Monitoring of risk arising through ICT third-party providers.
- Requirements to include detailed information regarding services and the confidentiality, integrity, and availability of data in service level agreements with third-party services.
- ICT third-party service providers deemed critical will be subjected to oversight via an oversight framework.
How RiskRecon can help:
RiskRecon not only allows for an easy yet comprehensive assessment of all third-party providers that you are looking to engage but also helps you discover sometimes forgotten or unknown third-party relationships. RiskRecon helps find gaps in governance processes by providing valuable information that can be used to identify systems hosted in unapproved locations. Once armed with an assessment, you can better evaluate risk in a contextual manner that allows you to prioritize critical issues and high-value assets. You can easily communicate with your third-party providers and manage an action plan, resulting in a more informed, streamlined, and secure onboarding process. Our continuous monitoring and alerting utilizes your custom risk tiers and ensures that you are aware of the most critical changes that affect your business. Compliance with regulatory frameworks is easy to monitor based on RiskRecon's use of assessment evidence to inform compliance with industry standards.
Pillar 5 - Information sharing (Article 40)
- Develop arrangements to facilitate sharing cyber threat information amongst the financial sector and critical industries.
How RiskRecon can help:
Our approach goes beyond continuous monitoring of your cybersecurity risk and exposure. Communication, collaboration, and information sharing are critical components of cyber resiliency. By using action plans, continuous monitoring, and compliance monitoring, all involved parties can work together to ensure a strong cybersecurity posture for all. We are committed to ensuring cyber resiliency and have developed large-scale industry partnerships that facilitate information sharing and seek to better the cybersecurity posture of all organizations. RiskRecon monitors threat intelligence feeds for your own organization and your third parties, allowing you to have greater visibility of the current threats to your assets, wherever they may reside.
What's Next?
As cybercriminals increase their rate of attacks, it is our responsibility to ensure we are not easy targets. Having a cybersecurity risk monitoring program for one's own enterprise and having one for third and fourth parties is more important than ever. New and evolving legislation such as DORA is inevitable as the ICT environment continues to advance. RiskRecon is here to help you protect your company and provide you with the tools and platform to comply with new and existing cybersecurity regulations.
RiskRecon enables you to monitor third parties' (and their vendors') cyber risk based purely on their internet presence. Our unique risk-prioritized action plans rely on advanced models and analytics to prioritize by asset value and issue severity. Only RiskRecon creates all its own security measurements, comprising more than 40 unique criteria, for the most accurate, deep, and broad picture of risk. RiskRecon finds risks that you may not have known were there. We not only identify those risks but also help your company understand, prioritize, and solve them. RiskRecon helps you manage risk through customized action plans, in-depth security ratings, and actionable insights. These features and platform capabilities align directly with the requirements put forth by industry standards and legislation such as DORA.
Just like the regulatory landscape, RiskRecon is constantly adapting and working to advance our suite of features and product offerings to better position our customers for success. We are in the process of finalizing our comprehensive Compliance Mapping to DORA, which will join a long list of other industry compliance mappings. We also want to hear from you: how can we help your company be ready for DORA compliance in the coming year?