Cybersecurity for financial service providers: DORA on the way

11. April, 2022

The European Union is working on framework conditions for the digitalisation of the economic area in order to ensure the secure and uniform handling of data and systems. The EU GDPR and the NIS Directive for the protection of critical infrastructure are already established examples. DORA (Digital Operational Resilience Act) is now to bring binding requirements for the ICT systems of financial service providers and certain companies that work with them.[1]

The aim is to ensure that all participants in the financial system have the necessary security measures in place to minimise cyber risks.

Whom does DORA affect?

The current draft of the regulation covers all financial companies as well as certain ICT service providers that supply them. In addition to banks, investment advisors, insurance intermediaries and payment service providers are also affected. Currently, only providers of hardware components and pure electronic communication services are excluded. However, a general exemption for micro-enterprises, as exists in the Austrian Network and Information System Security Act, is missing. This is one of the points of criticism raised by the Austrian Federal Economic Chamber.[2]

The Austrian Financial Market Authority (FMA) has already made cybersecurity one of its supervisory priorities for 2022, alongside challenges such as resilience and stability, a clean financial centre, sustainability, digitalisation, collective consumer protection and new business models.[3]

Are there any significant changes?

Yes and no. The basis for stable IT security is, as usual, up-to-date precautions according to the state of the art, together with effective oversight of the service providers involved. These measures alone can already prevent or mitigate many incidents. A stable foundation is also a prerequisite for reliably operating the services built on it. This includes a combination of technical and organisational preventive measures as well as emergency and recovery plans.

In addition, an active cyclical review of these precautions, with evidence of their effectiveness, is required at least once a year. According to the draft, financial service providers will have to fully simulate various threat scenarios in order to test whether the current measures are implemented sufficiently and without errors. This requirement is quite ambitious.

When will DORA become binding?

An exact date from which the DORA requirements must be implemented is not yet known. Insiders assume, however, that the regulation will come into effect in the course of 2023. Significant IT security precautions and their ongoing optimisation are (hopefully) already implemented and the order of the day in all organisations.
