What is DORA and how will it help Cybercrime in Financial Services?
By David Gaskin, IDA Ireland
The digital age has democratized access to information, services, and platforms, enriching people’s lives in surprising and profound ways. It also introduces novel risks that businesses and consumers can’t afford to ignore.
This is especially true for the financial sector. The development of digital banking services, the rise of novel fintech platforms, and broad internet accessibility – including nearly seven billion global smartphone owners – have made online banking a ubiquitous consumer service and a universal target for threat actors.
In 2022, the financial services sector alone logged more than 550 data breaches, producing billions of stolen or compromised records that help facilitate everything from ransomware attacks to phishing scams.
With the average incident costing millions to repair and taking 277 days to identify, it’s clear that we need a remedy.
In an era of rampant cyber threats, Europe is boldly taking a step forward to protect its financial institutions and consumers from fraud and cybercrime. The Digital Operational Resilience Act (DORA) just went into effect January this year and is the latest attempt to combat cybercrime, implementing regulatory oversight and monetary consequences for financial service companies that can’t or won’t protect customer data. So what is DORA?
Understanding DORA
DORA is a positive step that aims to ensure financial services companies have the safeguards to mitigate cyber-attacks or other technology-related attacks that could impact their systems. Specifically, DORA addresses Information Communication Technology (ICT) that all financial services providers rely on to conduct business online.
This legislation puts an onus on institutions, such as banks, insurance companies, asset management companies, investment management firms, and the cloud or data services companies that support their operations, to document and adhere to specific rules and requirements.
Traditionally, these entities navigated operational risks by assigning capital to them by investing in potential solutions or implementing safeguards to protect consumers. However, these efforts didn’t fully address every facet of operational resilience. Now, institutions must follow a specific framework for safeguarding and managing ICT incidents, including rules for:
- Governance and control
- Risk management
- Incident management, classification, and reporting
- Operational resilience testing
- Information sharing
- ICT third-party risk monitoring.
DORA also implements consumer protections, ensuring adequate safeguards are in place in case of digital service disruptions. DORA is also about operational resilience in general such as IT outages due to issues due to data centre server failures etc.
When coupled with the accompanying Markets in Crypto-Assets (MiCA) regulation, a legislative framework defining the regulatory treatment of crypto assets that are not covered by existing financial services laws, it’s clear that Europe is committed to designing and implementing regulations that protect consumers and provide clear operational rules for institutions.
What Companies Can Expect Now
With the timeline for compliance set for the end of 2024 and no later than January 17, 2025, DORA needs to be attended to in the short term because the penalties for non-compliance are substantial, designed to ensure that all companies take this legislation seriously. Firms that fail to comply may face fines of up to 2 percent of their worldwide income.
As such, compliance with DORA is not just a legal obligation but also a financial necessity. By enforcing these new measures, DORA will benefit not just companies but most importantly consumers – it is expected to enhance the cyber resilience of the financial sector and ultimately create a safer environment for consumers and businesses alike.
DORA also has a significant upside for financial service providers by unifying legislation from Europe’s 27 countries into a single regulatory framework, streamlining implementation, and reducing overall compliance costs.
The law’s impact could reach far beyond the EU. When regulators implemented the General Data Protection Regulation (GDPR) in 2016, which delivered ground-breaking guidance and consumers’ data protection and privacy rights, the law re-oriented the global conversation around internet privacy, inspiring other countries to develop their approaches to online privacy.
Four years later, more than 100 countries drafted and implemented similar legislation, proving that EU legislation can be a harbinger for action worldwide.
Since cybercrime is a borderless offense impacting companies in every sector on every continent, DORA offers a functional framework for other countries looking to harden their financial services industries against nefarious threat actors.
The Time is Now
As we surge forward in the digital era of unprecedented technological advancements, regulations like DORA and MiCA become increasingly essential. They provide a clear pathway for institutions to follow and offer comprehensive consumer protections that often go overlooked as innovation accelerates.
For companies impacted by the law, its implementation is both a challenge and an opportunity. They must be prepared for this legislation as it will affect their risk management and compliance mechanisms.
Meanwhile, It’s an opportunity for companies to evolve their risk management strategies and compliance mechanisms, fostering a culture of security and resilience that ultimately reduces the costs associated with cyber-attacks while introducing new business efficiencies.
The reduction in potential cyber-attack costs, the increased operational efficiencies, and the overall enhancement of consumer trust are outcomes worth striving for. We can’t wait to take action. The time is now – let’s get to work improving the financial services security for everyone.
David Gaskin bio
David Gaskin is Vice President and Head of Financial Services, Western USA, for IDA Ireland, the Irish Government’s economic development agency responsible for attracting foreign direct investment to Ireland. Based in Irvine, California, David is responsible for marketing and promoting Ireland as a location for financial services activities. Prior to his current role, David was Head of the Global Banking & Payments portfolio for IDA Ireland based in their Dublin office. You can contact David on david.gaskin@ida.ie or through www.idaireland.com
