
Navigating Cyber Risk: Oversight Strategies for Financial Institutions under Upcoming DORA Regulation

May 2024 by Nojus Bendoraitis, Co-Founder & COO at CyberUpgrade

The EU’s Digital Operational Resilience Act (DORA), which comes into force in January 2025, is designed to ensure that all participants in the EU financial system have robust safeguards against digital disruptions. Before DORA, regulations on digital operational resilience varied across EU states, making it a challenge for financial institutions operating in multiple countries to comply with differing requirements. By providing a unified set of standards that all entities in the EU will have to meet, DORA aims to strengthen the overall resilience of the financial system, especially in light of increasing cyber threats.

To comply with new provisions, financial entities face the challenge of reassessing, and potentially overhauling, their arrangements with third-party ICT providers. However, certain advanced tools and strategies, including AI-based automation, can help to address these challenges and streamline the integration of DORA.

Frameworks for effective risk management
According to Nojus Bendoraitis, Co-Founder & COO at CyberUpgrade, a provider of AI-driven cybersecurity solutions, to achieve compliance and ensure resilience against evolving cyber threats, financial entities will need to establish a more structured approach to assessing, monitoring, and controlling third-party risks.

“Effective risk management frameworks will need to include detailed risk assessments and due diligence processes that cover all stages of the lifecycle of ICT services––from selection and contracting through to ongoing monitoring and eventual termination.”

Before DORA, practices for managing ICT third-party risks varied widely across entities and countries within the EU, Bendoraitis notes. “Companies often relied on national guidelines without a uniform standard, which led to varied levels of rigor in risk management practices. Additionally, risk management was often reactive rather than proactive, with financial entities addressing risks after they had become issues, rather than anticipating and mitigating them upfront.”

DORA aims to redress these shortcomings by requiring comprehensive assessments of ICT service providers’ capabilities, including their compliance with relevant regulations and cyber security measures. “Under DORA, all contracts with ICT service providers will need to include clear terms regarding compliance, audit rights, data protection, and termination procedures to safeguard the financial entity’s interests.”
Companies will also be required to assess service providers’ performance and compliance with the contract and regulatory standards on an ongoing basis, with mandates for clear governance structures.

Tools and strategies for compliance
Underlining the urgency of meeting DORA’s oversight requirements is the fact that financial institutions face serious consequences for failing to comply, with penalties ranging from significant fines, potentially amounting to 1% of daily global turnover, to administrative measures, depending on the infraction’s severity.
Bendoraitis suggests that financial institutions can bolster their compliance standing by aligning their strategies with existing standards like ISO 27001. “ISO 27001 can help a company meet DORA requirements, despite it being an optional certification — it can work as a meaningful ‘seal of approval’. In other words, companies can leverage an existing, trusted, set of policies and controls to manage information security risks systematically. It’s no silver bullet, of course,” advises Bendoraitis.

AI-based tool sets can also prove helpful in this process. “Automated solutions like continuous monitoring of third-party providers and automatization of vendor due diligence processes can ensure that only the exact amount of effort necessary is expended in overseeing a given vendor, depending on their tier, reducing potential waste involved in fully manual processes.”
Bendoraitis notes, however, that AI-based tools alone are not a substitute for the critical analysis and decision-making capabilities of human cybersecurity experts. “Ultimately, it will be a combination of advanced technology and skilled professionals that fortify financial institutions’ operational resilience going forward.”
