Strict new European Union rules requiring banks to strengthen their cybersecurity systems officially come into force on Friday – but most of the bloc's financial services firms will not yet be fully compliant.
The EU's Digital Operational Resilience Act, or DORA, requires financial services firms and their technology suppliers to strengthen their IT systems to make sure the industry is resilient in the event of a cyberattack or other type of disruption. It came into force on January 17th.
The penalties for violating the new rules can be significant. Financial services firms that violate the new rules could face fines of up to 2% of annual global turnover. Individual managers can also be held liable for violations and face sanctions of up to one million euros.
According to Harvey Jang, chief privacy officer and deputy general counsel at IT giant Cisco, compliance with the new rules by financial services firms has been mixed to date.
“I think we saw a mixed picture,” Jang said in an interview with CNBC. “Of course, the companies in the more mature stage have been busy with this for at least a year, if not longer.”
“We're really trying to build this compliance program, but it's so complex. I think that's the challenge. We've also seen this with GDPR and other far-reaching laws that are subject to interpretation – what does it actually mean to comply? It means different things to different people,” he said.

This lack of a common understanding of what counts as robust compliance with DORA has, in turn, led many institutions to raise security standards to the point where they actually exceed the “baseline” of what is expected of most companies, Jang added.
Are financial institutions ready?
Under DORA, financial firms must conduct rigorous IT risk and incident management, classification and reporting, operational resilience testing, information sharing on cyber threats and vulnerabilities, and measures to address third-party risks.
Companies must also conduct “concentration risk” assessments related to outsourcing critical or vital operational functions to external corporations.
A Censuswide survey of 200 UK Chief Information Security Officers, commissioned by Orange Cyberdefense, the cybersecurity arm of the French telecommunications company Orange, showed that 43% of financial institutions in the UK are not yet fully compliant with DORA.
This is worrying because even though the UK is now outside the European Union, DORA applies to all financial firms operating within EU jurisdiction – even if they are based outside the Union.
“While it is clear that DORA has no legal reach in the UK, companies based here that operate or provide services to businesses in the EU are subject to the regulation,” Richard Lindsay, senior advisor at Orange Cyberdefense, told CNBC.
He added that the biggest challenge for many financial institutions in achieving DORA compliance is managing their critical third-party IT vendors.
“Financial institutions operate in a multi-layered and extremely complex digital ecosystem,” said Lindsay. “To track and ensure that all parts of this system are demonstrably compliant with the relevant elements of DORA, new thinking, solutions and resources are required.”
Because of DORA's strict requirements, banks are also applying a higher level of scrutiny in their contract negotiations with technology suppliers, Jang said.
Cisco's chief privacy officer told CNBC that he believes there is a consensus on the principles and spirit of the law. However, he added: “All legislation is a product of compromises and therefore becomes more challenging as regulation increases.”
“We agree with the principles, but all legislation is a product of compromises and the stricter it becomes, the more demanding it becomes.”
But despite the challenges, experts generally believe it won't be long before banks and other financial institutions come into compliance.
“Banks in Europe are already compliant with key regulations covering most of the areas covered by DORA,” Fabio Colombo, EMEA security lead for financial services at Accenture, told CNBC.
“As a result, financial services institutions already have mature governance and compliance capabilities, with incident reporting processes in place and robust ICT risk frameworks.”
Risks for IT suppliers
IT providers can also be fined under DORA. The rules threaten levies of up to 1% of average global daily sales for a period of up to six months.
“These sanctions are necessary,” Brian Fox, chief technology officer of software supply chain management company Sonatype, told CNBC. “They are a powerful motivator and push leaders to take compliance and operational resilience more seriously than ever.”
Orange Cyberdefense's Lindsay said there was a longer-term risk of financial services firms moving their critical security functions and services in-house.
“Advances in technology may allow financial institutions to bring services back in-house, simplifying this aspect and reducing the risk of non-compliance,” he said.
“In any case, existing contracts need to be updated to ensure compliance is contractually mandated and monitored between company and provider,” Lindsay added.
There are now several other cybersecurity-focused regulations that companies must contend with, such as the Network and Information Security Directive 2, or NIS 2, and the Cyber Resilience Act. The former came into force in October.
“As with any new regulation, there will certainly be a transition period as companies adapt to new requirements and standards,” Sonatype’s Fox told CNBC. “This is the beginning of a long journey to improve software security and resilience.”
Image credit: www.cnbc.com