Banking and financial services organizations are a critical part of local and global infrastructure – nearly everyone relies on the financial industry’s operations in some way each day. And with the rapid digital transformation of the past few years, financial services and their customers are becoming heavily dependent on ICT (information and communications technology) and digital information. This makes them a prime target for threat actors looking to steal customer data, halt banking operations, and cause widespread disruption.
Financial entities must be able to withstand, respond to, and recover from the impact of ICT incidents, with no impact on critical and important functions and minimal disruption for customers and the financial system.
The EU’s Digital Operational Resilience Act (DORA) mandate aims to strengthen the financial sector’s resilience to ICT-related incidents and introduces very specific and prescriptive requirements that are homogeneous across EU member states.
Illumio enables banking and financial services organizations operating in the EU to achieve DORA compliance through risk-based visibility and Zero Trust Segmentation.
What is DORA, and why is it important?
The banking sector supports the global economy, and without strong cybersecurity measures, breaches can quickly become catastrophic.
DORA requires banks operating in the EU to strengthen their cyber resilience so that they can withstand, respond to, and recover from breaches. This ensures that they can protect customer data, maintain operations despite inevitable breaches, and keep the impact of breaches minimal to preserve the global economy.
While DORA will enforce specific compliance and technical specifications for financial institutions, its broad goal is to help build cyber resilience in the industry. Organizations working towards better cyber resilience now will be ahead of the curve when the specific requirements are available.
The new mandate entered into force on January 16, 2023 and applies 24 months after entry into force. This means financial entities must be compliant with DORA by January 17, 2025.
Throughout 2024, European Supervisory Authorities (ESAs) will define and issue multiple regulatory and implementation technical standards, providing financial organizations with specifications and guidance on how to implement specific DORA requirements.
Firms based in the UK and other international territories may be subject to DORA if they operate in EU markets (for example, through locally incorporated group entities). ICT third-party service providers are also subject to the DORA requirements once they enter into contractual arrangements with firms covered by DORA.
While DORA doesn’t prescribe the size or form of sanctions, EU member states are free to provide for sanctions for breaches of DORA in their national law.
DORA’s 5 core pillars: Building operational resilience
The mandate is divided across 5 core pillars to give financial services organizations a comprehensive cyber resilience framework. Though DORA’s specific technical mandates are not yet available, they will map directly to these core pillars, offering organizations a way to start preparing for compliance now.
ICT risk management: Establish resilient ICT systems, continuously identify and protect against ICT risks, detect anomalous activities, implement comprehensive business continuity plans, and facilitate ongoing learning and improvement from external events and internal ICT incidents.
ICT-related incident response: Establish a comprehensive management process for monitoring, classifying, reporting, and sharing reports of ICT-related incidents in compliance with regulatory and supervisory requirements.
Digital operational resilience testing: The ICT risk management framework should undergo periodic testing to ensure preparedness, with weaknesses and gaps addressed through corrective measures. Testing requirements should be proportionate to the entity's characteristics, including conducting Threat-Led Penetration Testing (TLPT) for higher-risk scenarios.
ICT third-party risk: Establish robust monitoring of risks associated with ICT third-party providers, achieved through harmonizing relationships, comprehensive contracts, and the implementation of a Union Oversight Framework to promote supervisory convergence.
Information sharing: Promote collaborative efforts among financial entities to improve digital operational resilience, increase awareness of ICT risks, reduce the spread of ICT threats, and support various defensive and mitigation strategies through the secure exchange of cyber threat information.
What can you do now to prepare for DORA?
Now is the time to start considering projects, budget requirements, and organization-wide initiatives in preparation for DORA’s full enforcement in January 2025. Security teams can take proactive steps to be ready to hit the ground running on building resilience and achieving DORA compliance.
1. Identify risk via network mapping
The mandate’s first pillar focuses on identifying risk, which is fundamental to success with the other pillars. If you haven’t already, your organization’s security team should map application dependencies across the entire infrastructure. Some security solutions like Illumio even include this kind of mapping as part of their broader platform offerings.
Use the map to find your critical and non-critical processes and identify your third-party dependencies. You will likely find previously unknown risks that can immediately get addressed by your security team.
2. Boost detection capabilities
With a better understanding of the environment, you can lean into improving your detection capabilities. Solutions like Illumio can feed flow and policy-violation data into your Security Information Management System (SIM), giving your security team the data it needs to detect threats faster.
3. Proactively prepare to contain breaches
DORA specifically calls out breach containment as key to resilience. Breach containment technologies like microsegmentation, also called Zero Trust Segmentation, help security teams divide the network into zones and restrict communication between workloads and devices to only what is necessary and wanted.
For example, you can use microsegmentation to restrict server-to-app communications, dev to prod, or IT to OT. This allows you to proactively isolate high-value assets or reactively contain compromised systems during an active attack to stop the spread of a breach.
Here are three ways Illumio can support your journey towards operational resilience and DORA compliance
1. Application dependency mapping
Use Illumio’s map to perform a gap analysis comparing your organization's current security initiatives and risk with DORA’s key pillars.
Get quick, easy-to-understand visibility into application and workload traffic and communication across the entire hybrid attack surface. For example, see which servers are talking to business-critical assets or which applications have open lines to the Internet, giving bad actors easy access to your organization's network.
This visibility allows your security team to prioritize their work towards DORA compliance. They can see where the organization is already compliant and where better security controls need to be in place.
2. Flexible, granular segmentation policy
After getting visibility into your network, you're ready to prioritize setting informed security policy that increases your cyber resilience and compliance.
Illumio allows you to automatically set flexible, granular segmentation policies that control communication between workloads and devices. This helps achieve least-privilege access, allowing access only to what is necessary and wanted. For example, you can restrict communications for server-to-app, dev to prod, or IT to OT.
3. Proactively isolate assets or reactively contain breach spread
Segmenting your network with Illumio delivers both proactive and reactive security against inevitable breaches, ensuring that breaches don’t cause catastrophic disruption to your organization.
With Illumio, you can proactively isolate high-value assets from the rest of the system so that breaches cannot spread to these assets, stop operations, and cause damage.
During an active attack, you can reactively stop the spread of a breach and contain it to only a small part of the network in minutes. In fact, a Bishop Fox cyberattack emulation found that Illumio can stop the spread of a breach in less than 10 minutes. This is four times faster than endpoint detection and response (EDR) solutions alone.
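The three capabilities above (application dependency mapping, deriving a least-privilege segmentation policy from that map with dev-to-prod and IT-to-OT boundaries enforced, and proactively isolating or reactively quarantining a workload) can be shown end to end in a small script. The following is an added example written for this article; it is not Illumio's code and makes no use of Illumio's API. The workload inventory, the flow records and the forbidden environment boundaries are all constructed sample data, and the label scheme (environment plus application tier) is an assumption chosen for illustration.

```python
"""Added example (not Illumio's code): from a dependency map to a
default-deny segmentation policy with boundary rules and quarantine."""
from collections import defaultdict

# Constructed inventory: workload name -> (environment, application tier).
WORKLOADS = {
    "web-prod-1":  ("prod", "web"),
    "app-prod-1":  ("prod", "app"),
    "db-prod-1":   ("prod", "db"),
    "app-dev-1":   ("dev",  "app"),
    "db-dev-1":    ("dev",  "db"),
    "hmi-ot-1":    ("ot",   "hmi"),
    "laptop-it-7": ("it",   "endpoint"),
}

# Constructed flow records (src, dst, dst_port), the kind of data an
# application dependency map is built from.
OBSERVED_FLOWS = [
    ("web-prod-1", "app-prod-1", 8443),
    ("app-prod-1", "db-prod-1", 5432),
    ("app-dev-1", "db-dev-1", 5432),
    ("app-dev-1", "db-prod-1", 5432),   # dev reaching into prod
    ("laptop-it-7", "hmi-ot-1", 502),   # IT endpoint reaching OT (Modbus)
    ("laptop-it-7", "web-prod-1", 443),
]

# Environment boundaries that must never be crossed, even if observed.
FORBIDDEN_BOUNDARIES = {("dev", "prod"), ("it", "ot")}


def build_dependency_map(flows):
    """Group observed flows by (src_env, src_tier) -> {(dst_env, dst_tier, port)}."""
    deps = defaultdict(set)
    for src, dst, port in flows:
        s_env, s_tier = WORKLOADS[src]
        d_env, d_tier = WORKLOADS[dst]
        deps[(s_env, s_tier)].add((d_env, d_tier, port))
    return deps


def derive_allowlist(deps):
    """Turn the map into label-based allow rules; flows crossing a forbidden
    boundary are reported instead of being turned into rules."""
    rules, rejected = set(), []
    for (s_env, s_tier), targets in deps.items():
        for d_env, d_tier, port in targets:
            rule = (s_env, s_tier, d_env, d_tier, port)
            if (s_env, d_env) in FORBIDDEN_BOUNDARIES:
                rejected.append(rule)
            else:
                rules.add(rule)
    return rules, rejected


def evaluate_flow(rules, quarantined, src, dst, port):
    """Default-deny check of one flow. A quarantined workload is fully
    isolated (reactive containment); everything else needs a matching rule."""
    if src in quarantined or dst in quarantined:
        return "deny:quarantine"
    s_env, s_tier = WORKLOADS[src]
    d_env, d_tier = WORKLOADS[dst]
    if (s_env, s_tier, d_env, d_tier, port) in rules:
        return "allow"
    return "deny"


def audit(rules, quarantined, flows):
    """Return every non-allowed flow with its verdict: the events worth
    forwarding to a SIM/SIEM for detection."""
    findings = []
    for src, dst, port in flows:
        verdict = evaluate_flow(rules, quarantined, src, dst, port)
        if verdict != "allow":
            findings.append((src, dst, port, verdict))
    return findings


if __name__ == "__main__":
    rules, rejected = derive_allowlist(build_dependency_map(OBSERVED_FLOWS))
    print("allow rules:", sorted(rules))
    print("observed but forbidden:", rejected)
    print("denied flows (no quarantine):", audit(rules, set(), OBSERVED_FLOWS))
    # Reactive containment: isolate app-prod-1 as if it were compromised.
    print("denied flows (app-prod-1 quarantined):",
          audit(rules, {"app-prod-1"}, OBSERVED_FLOWS))
```

Two design points carry over to any real deployment: the policy is expressed in labels rather than addresses, so a rebuilt or redeployed workload with the same labels stays covered, and the boundary rules are applied before the observed flows become policy, so a dependency map that already contains a dev-to-prod connection does not silently legitimize it.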
Cyber Resilience: The Banking Sector’s Top Security Priority
In this December 2021 speech, Bo Li, Deputy Managing Director of the International Monetary Fund (IMF), reinforced how digital technology permeates all aspects of society, increasing our dependency on interconnectivity and reliance on the networks that support it.