Navigating DORA: Compliance Through Cyber Resilience

Season Two · Episode 9

In this episode, host Raghu Nandakumara sits down with Tristan Morgan, Managing Director Cyber Security at BT Group, and Mark Hendry, Digital Services Partner at Evelyn Partners to discuss DORA regulations and compliance in the financial services sector. They discuss the interplay between regulatory standards like NIS2 and DORA, the importance of proportionality and operational resilience, and the broader adoption of principles such as Zero Trust.

Transcript

01:20 Raghu Nandakumara

Hi everyone. Welcome to another episode of The Segment. It gives me great pleasure to welcome Tristan Morgan, managing director of cybersecurity at BT Group, and Mark Hendry, digital services partner at Evelyn Partners. Tris, Mark, welcome to The Segment.

01:34 Mark Hendry

Thanks, great to be here.  

01:35 Tristan Morgan

Thanks for having us.  

01:38 Raghu Nandakumara

Well, the pleasure is all mine, and I get to converse with two people rather than the usual one. So it's double the fun, double the trouble. We're talking about compliance, particularly as it applies to the financial services industry, and what that means for cyber. A bit of background about both of you. So Tris, why don't you tell us about yourself first?

01:56 Tristan Morgan

Yeah, thanks. It's great to be here, and you know, I have the pleasure of helping to protect all of BT Group's customers, particularly in the business domain. So I look at the products and services that we want to bring to market, how we serve them, and really, ultimately, in line with today, how we ensure that they stay safe. You know, you can defend against as many breaches as possible but also stay compliant. So I've done that for a number of years, and prior to that, a strong background working in the government sector, both in the UK and internationally.

02:29 Raghu Nandakumara

Awesome. Thanks, Tris. Mark.

02:33 Mark Hendry

Nice one, thanks for having me. So yeah. Mark Hendry, I'm a digital services partner at Evelyn Partners, which is a UK- and Ireland-focused business advisory firm. I spent a lot of my time before joining this firm in a variety of companies, technology companies, Big Four consultants, and law firms. From about 2014 onwards, a lot of my practice was either lawyer instructed or working as part of a legal team, as a technical and operational expert interpreting regulatory requirements, getting aligned with or even challenging regulations and regulatory enforcement. So that includes things like big digital regulatory change programs in the years of the GDPR and working with clients who had been impacted by data breaches or cybersecurity incidents and needed to investigate, remediate, and deal with regulatory scrutiny and enforcement. So, it's a fun time to be alive in the world of digital regulations — and thanks for having us on this podcast to talk about them.

03:43 Raghu Nandakumara

Well, as I said, right, the pleasure is ours. So Tris, Mark, thank you very much. So actually, Mark, the last bit of your intro, I think, sparks really where I think we'll go with the start of this conversation. And it's getting both of your perspectives on what you feel are the biggest cyber threats that are impacting not just in general but also specifically the financial services sector. So Tris, your thoughts?

04:13 Tristan Morgan  

I mean, the threats are numerous. And I think the thing to remember about security is that it's not one type of threat, it's many. And even those many continue to evolve and change based upon such a wide range of factors. It could be economic challenges, geopolitical challenges, it could be other ideologies. And so for many of our customers they're faced with this ever-changing kind of onslaught from a variety of those. What we've seen, though, extensively, is that it used to be the case that a lot of the attacks were largely focused on larger multinational organizations, organizations with critical infrastructure and critical data. And increasingly, that isn't the case. They're still absolutely targeted, but small/medium businesses now are really being affected by this. And so when you look at it from a threat point of view, it's everywhere now, affecting businesses of all sizes, all shapes. And I think that represents some of the change, you know, that we have seen.

05:17 Raghu Nandakumara

Yeah, absolutely right. And I think that the data absolutely shows the widening of the impact, from just what, in inverted commas, were perceived to be the most valuable targets, to now something that is impacting organizations of every size in every sector. Mark, what are your perspectives, carrying on from what Tris was saying?

05:40 Mark Hendry

Yeah, I think, take the historic point: big company, lots of assets, big target, rich pickings. Smaller companies being targeted. Why? Many reasons. But the payback on cybercrime is very well understood in criminal communities. Relatively low risk. It's not going into a bank with a shotgun, and the rewards are huge. Also, take the digital supply chain. So, actually, these smaller companies are potentially being targeted because they're linked with big companies. So you can target them, and then you can move laterally across networks into connected organizations and have knock-on and multiple impacts. So that's all about kind of the way that the world has changed and digitized over time. Interconnectedness: We talked a couple of years ago about the year of the supply chain attack; now, that hasn't stopped. And the year of ransomware; not stopped, just evolved, just changed. Lower barriers to entry for criminal organizations and criminal actors passing down their methods, tools, ransomware-as-a-service, playbooks available, criminal organization customer service outfits popping up. It's very interesting and yeah, threat modalities change often. I suppose threat actor motivations largely stay static, and it depends on who they are, whether they're a nation-state or an organized crime outfit or some lower-level crime group or a have-a-goer. They're all after something, and the ways that they can get at it just change and evolve over time. So, the way that we need to defend defenders changes over time, too.

07:30 Tristan Morgan

And if you don't mind, I'll just jump in there. You think of many of these companies. You think of many organizations that are trying to harm businesses. They're actually run like businesses, because they are businesses. So, when we look at technology adoption and digital transformation, they're looking at the technologies to understand how can they be exploited, how can we use them to do net bad. And so you have two similar but very different business models.

07:56 Raghu Nandakumara

Absolutely. So, there is definitely that business model of like profitability, and I guess the economics of ransomware, and ransomware as a business, or cyberattacks as a business. And you both touched on various things about motivation, about it very much not being just the year of ransomware, but I'd say the years of ransomware, right, in plural. And really, it's the modality of attacks, and while the tactics themselves, the high-level tactics, don't really change from attack to attack, from attacker to attacker, some of their techniques and procedures do evolve. But let's unpack those bit by bit, and let's look at motivation. One of the things, looking at the various reports over the last couple of years, one thing that is coming to light is some of the shift towards more attacks that are focused on compromising availability, productivity, beyond just the extortion approach, the profitability approach. How are you seeing that? And are you seeing this as an increasing concern amongst organizations? How do we ensure that we continue to be productive because we know that that attack is around the corner?

09:15 Mark Hendry

You're right. So the resiliency term, what you're talking about is, I'd say, ever present and front of mind, because even when there is a breach underway, it's not a question, I think, of the business not being able to operate. It's, well, how can we continue to operate, even if there are things that are ongoing within our enterprise? And so, if you look at the digital, connected world, most businesses have all set from sizes intercept on very few points in the new hyper-scaler SaaS model that we have. And so, the focus is on IT resiliency. In case there's a non-cyber-related outage, and indeed, a cyber-related outage is now paramount because you make a valid point there, which is it isn't all about ransomware and demanding payment to have your data released to you again. Actually, it's an awful lot more about, well, if you can take a website down so you can't sell any new orders, or you can prevent, you know, all of your 50,000 employees coming in and doing anything, that itself also costs a huge amount of money to that business.

10:21 Raghu Nandakumara

And yeah, and I think tied to that. I was looking at one of the more recent data breach reports that spoke about how, when you look at the average cost of a data breach, about 33%, a third of it, is attributed to lost business. And that percentage of the overall total cost is increasing, whereas previously the significant impact was either paying the ransom or recovery. But that impact to the business itself, productivity, is just going up day by day. So, Mark, in your conversations with your customers, what is the nature of that conversation when it comes to operational resilience and cyber resilience?

11:02 Mark Hendry

Depends on who you're talking to and what matters to them, and what sector they're in, and so often it's a case of telling a story. So for instance, one of the ransomware incidents that I worked on a while ago, it was a while ago, but it's a pretty good story. They suffered a massive ransomware, a prolific ransomware attack that basically stopped them from operating. And they were losing millions per day. They were a fast-moving consumer goods organization, so they couldn't move goods in and out of their warehouse, couldn't print labels, couldn't tell gig economy workers when to come to work and where to come to work, couldn't pay suppliers, couldn't pay staff, lots of day-to-day impact stuff. And they were losing millions off the top line, but absolutely philosophically opposed to paying a criminal actor to recover their systems and their data. And so if I'm talking to an organization that produces something that has factory lines and has people coming in and out on a gig basis, zero-hour contract workers, that's a good story to tell and sharpen their minds to what the type of impact could look and feel like, and how they're going to decision-make when they're faced with a crisis like that. Whereas a financial services organization is very different in terms of how it operates and how it generates top-line revenue. And therefore, how they're likely to need to decision-make, how they're even going to coordinate themselves in a communications outage, how they plan for those things, and then how they make those philosophical choices, as well as the practical, operational, and technical choices. And, of course, different industries have different regulatory compliance obligations, burdens, oversight, supervision.
And so if you're in financial services, if you're talking about the overall cost of a disruptive ransomware attack or other digitally oriented outage, then the likelihood is that a fair chunk of that cost is going to come from a monetary penalty notice from your supervisor, your supervisory authority. Whereas if you are, you know, for now, a food-producing organization, you're not really expecting a big fine for failures to keep your systems resilient. Might get one for a personal data breach as well; that's a slightly different matter. It's the nature of the supervising, and the enforcement can vary drastically based on your sector, and that can really drastically change your outlook for overall costs of that type of disruption.

13:47 Raghu Nandakumara

Yeah, absolutely. You're going towards an area that we want to explore, about how compliance in regulated industries, or in highly regulated industries, drives better standards, and in this case, better security and better resilience. So with that in mind, what do you see as the shift? Because I've kind of seen, from personal experience in previous careers, the checklist from a compliance perspective. It was very much around, okay, go through this list, check that you do all of these things and then provide, essentially, provide your evidence. But it often lacked context as to the impact of those controls, so they're static rather than actually showing a meaningful improvement in security posture. What is your perspective on that? Coming on to DORA in a second, there are some interesting changes that DORA is driving with that respect. But, like, what's your perspective on a historical look back at compliance and the effectiveness of those requirements?

14:48 Tristan Morgan

I think in many organizations, compliance was often seen as something which was challenging, but also with question marks around the why. And you make a valid point where often it was sometimes known as a tick-box exercise. And if you look at, if you then look forward at some of the recent developments, like we have the cyber assessment framework developed by the UK NCSC, you know, it's not a tick box. It's really about a rating on a scale. And so what you can do on an organizational basis is say, for some businesses, these things matter more than other things. And so you can dial up and dial down the areas that you need to be compliant in, and also understand to what degree do you need to be compliant against the scale? I think that's really important because a good example would be operational playbooks in the event of a breach. Well, what kind of scenarios are you trying to simulate? How far would you look for a breach to pervade throughout a business? It's all these sorts of things which you need to make judgment calls on, the degree to which you actually need to have those in place based upon risk to customers and a wider supply chain.

15:55 Raghu Nandakumara  

Yeah, absolutely right. I think that that comes back to the question of proportionality. What is relevant to you based on what is important to your business. So, I think Mark, what's your perspective on it in terms of what you've been doing given your background, what you've done with customers historically, and how that's changed over time?

16:15 Mark Hendry  

I suppose, well, look, the regulatory environment in the digital space — let's call it that digital and data space — has changed and is changing massively. So in my years of practice, I used to advise clients on the Data Protection Act 1998 as it was, and then we had the GDPR and UK GDPR and the UK Data Protection Act. Also, the way that we've practiced that, or the way that customers and companies have needed help with that, has changed over time. I think maybe that's a bit about my own standing as a practitioner, and maybe that's a bit about the sophistication of the digital ecosystem, the world, and I suppose the compliance of the regulatory or the standards environment in which we all live now. So, for instance, back in the day, I used to go around call centers and data warehouses and make sure that the controls were present or absent and operating to a certain extent, and do kind of agreed-upon procedures, audits, and what have you. I'm sure some of that stuff still goes on. But if you look at the text of standards, you know, the NIST cybersecurity framework, or the cyber assessment framework from NCSC, as Tris just said, or actually into NIS2 and DORA. So NIS2 is a good example. It says something like "taking into account the state of the art." That's not static at all. It changes all the time. And so there's a heavy amount of interpretation. And why does it say that? Because the state of the art for protect, detect, and respond has to change as the state of the art for attack and harm causation changes as well. And these regulations need to stand the test of 20-30 years, and they need to evolve through supporting guidance. But it points out, you know, NIS2, which has a relationship with DORA. NIS2 in its definitions, it has a definition for standard. What we mean by standard is, if this regulation refers to standard, it's referring to international standards, it's referring to European standards, it's referring to technical standards.
And so they immediately signpost you to the other places that move faster than the regulations themselves do. And therefore, the way we advise clients, the way that clients have to consider these things and act, it all changes very, very frequently.

18:58 Raghu Nandakumara

Yeah, I think that you expressed that beautifully. And it's kind of like, Tris, because keeping that in mind, it feels like what we're seeing now is, and you mentioned NIS2, but let me introduce DORA in here, that it talks about how it's leveraged ISO 27001 as an inspiration on which to build. Because there is so much in there that is already kind of relevant, rather than trying to reinvent the wheel. So I think tying in what Mark was saying is that a closer alignment between regulations and secure frameworks and standards that organizations are adopting anyway to avoid duplication of effort. Is that consistent with what you're observing?

19:46 Tristan Morgan

Oh, 100%, and actually, this is, you know, this is really helping business. You think of some of these big global standards like ISO, which many businesses adopt across a number of domains. If you were to build something completely separate and ask all businesses to comply with something that was different, not only would there be significant cost, I think actually you'd get much greater resistance, whereas these regulations, like DORA, that actually build upon industry-recognized best practice that many businesses are already adopting to a degree, are actually sensible, but it also makes the barrier to compliance less. I mean, there are still lots of things to do to get there, but actually, it makes it less. But it also means that there are greater communities available for companies to speak to, to help understand what they need to do, and the areas also to not worry about. I see for a number of sectors, while there are challenges in doing this, there is also ease of satisfaction that this is something which has been used universally, and businesses do not have to comply with different local legislations in different countries because many businesses that we serve and you will serve work across country boundaries.

20:57 Raghu Nandakumara

Yeah, absolutely. And actually, that's an interesting point to just talk about a bit more because NIS2, in its nature, with the EU defining NIS2 as a directive and then essentially asking member countries to adopt that into the relevant local regulations. But compared to that, with the case of DORA, the EU has said, "Actually, we're going to take responsibility for getting this applied across the board." Why is there such a difference in approach between NIS2, which is broader and covers more industries, and DORA, which is kind of becoming a regulation EU-wide, right? Why is there a difference in approach?

21:46 Tristan Morgan

I would say it recognizes and takes it a level up, and actually looks at this as the European economy. And so recognizing the impact that can happen, not just at an individual country level, but at a broader, wider geographical level, unless you look at some of these fundamental issues around resiliency, cybersecurity, because without that, if you have different interpretations of it, then you haven't got harmonization, and you're not moving all in the same direction. There's also another thing, of course, in security, very much looking at it as a team sport, you've got to share information between organizations to be better together. And I think again, where you look at these continent-wide and European-wide regulations, they're important because that's one of the cornerstones of them.  

22:32 Raghu Nandakumara  

And, yeah, I think that's an important point. And I think also the financial services industry, both in the EU and globally, is far more interconnected across borders than any of the other critical industries that NIS2 covers. So Mark, what are your thoughts?

22:50 Mark Hendry

Yeah, I completely agree with what you've said. I think there's a bit about heritage. NIS2 is the second one. It comes from NIS. We had and have UK NIS, which, for those who don't know, the original NIS (Network and Information Systems, whatever it is) Regulations 2018, was really focused on operators of essential services. So that's critical national infrastructure, utilities, transport, things like that, as well as what they called RDSPs, relevant digital service providers. And that was all transposed into national law. It was around the same time as the GDPR. GDPR got all the attention and actually, subsequently, pretty much all of the enforcement and supervision. And NIS2 is the second bite of the cherry because it recognizes that a wider scope of industries should be considered to be critical or important on a national and international, economic and social basis, societal basis. But they're not coordinated really; there's no coordination between, I don't know, the French Postal Service and the UK's, I don't know, hydrogen infrastructure economy. So it'd be really difficult to create something that is fit for all of those in-scope industries for NIS2, and harmonious. Whereas, like you've said, the European financial services economy and society and supervisory regime has been coordinated for quite a long time, and that's why DORA, a harmonized and blanket act, stands a much better chance. You know, time will be the proof, but it stands a much better chance of achieving what it needs to achieve, or the principles that have been set out to be achieved using that harmonized instrument.

24:45 Raghu Nandakumara

So, with that all being said, and I think we're familiar with the nature of ICT risk management regulations in the financial services industry historically, what would you say was the trigger or the tipping point for the EU to reframe a lot of this in the form of the and really make operational resiliency the prime objective? What was the tipping point, Mark?

25:14 Mark Hendry

I talk about this as probably the biggest resilience intervention in financial services since after the 2008 crash. After the 2008 crash, it was about financial resiliency, cash in the system. A lot has changed since 2008, and we talked about it earlier, about how interconnected the economy is and all of its players and how much society relies on digital infrastructure to an extent that I think has been seen coming, but has potentially been a little bit surprising in just how domino the effects can be when some kind of outage happens. I think there's a huge amount of apprehension and nervousness across Europe about what happens if that nth-degree player that nobody really perceives, because they're buried layers deep in the digital supply chain, no one's really done due diligence on them, but we all rely on them. We just don't know it yet. And so, you see that come out in things like the identification objectives in DORA, where you need to really map out your supply chain in a thorough and deep fashion, see who's connected to who, and who's connected to them, and who they all rely upon. And there was a really good example recently whereby, in the midst of all these DORA processes and programs to identify the supply chain and to determine, as a financial services entity subject to DORA, who we consider to be a critical or an important ICT provider. As an ICT provider that will be in with a lot of these financial services institutions that didn't suffer a cyberattack, but had its widgets and its dongles plugged in and deployed across lots of servers and lots of laptops. And something that they did caused a big, disruptive operational outage. And that was not to do with a cyberattack, and that's why this has elements of ICT risk management, which you and I would see as cyber objectives, cyber mandates, cyber requirements.
But it's bigger than that; it's digital operational resilience because that wasn't a cyberattack, and yeah, it had a similar impact to a disruptive ransomware attack for a short amount of time. And that's why this has come about. It's about intervening on the basis of how the world works now.

27:40 Raghu Nandakumara

Yeah, absolutely. I'll come back to some things that you said. Tris, anything to add?

27:44 Tristan Morgan

I think they could see it coming as well. And if you just look at the, and Mark related to it, the highly, not only interconnected, but the just-in-time economy that we have in critical sectors, you start to realize how at any moment, at any given point in that, what's not just a small, localized impact can have much greater ramifications. And so, I think there's a greater foresight that has gone into planning for this, but also, and for the companies I work with, they also ask organizations for greater guidance and standardization on some of these things, so that certain businesses or sectors don't have to bear all of the cost of it.

28:28 Raghu Nandakumara

There are a few things in there. Let's think about the impact because both of you have mentioned it. And I can think of a recent example, which was a cyberattack related to the ICBC ransomware attack at the tail end of 2023, which then impacted a key component of US securities, the US securities market. And then there was a knock-on effect to be able to clear trades, etc., amongst all of their counterparties. And that's a great example of what DORA, and the controls it's bringing in, is literally looking to reduce the impact of. But the third-party thing, I think, is really interesting. And the first question I'll pose to both of you is, how do you identify a critical third-party service provider versus a noncritical third-party service provider? Because that chain, that's turtles all the way down, because you could keep digging and say, "Well, that's critical to my process, and that one is, and that one is." I mean, everything is critical. So how do you differentiate?

29:35 Mark Hendry

I mean, there's a point in that, isn't there, which is, it's a matter of interpretation, and a matter, therefore, of depth and thoroughness, and there's a risk balance there to be had between, it's the proportionality principle. All of these regulations contain a proportionality principle, which is, say, something to do with bearing in mind the risk to X, Y, and Z, and so in GDPR it's about the risk of harm to natural persons, you and me if our data gets hacked or stolen. And that's about if it's medical data and somebody that we don't want to get hold of it, or it's financial data, what's the risk of harm? And so, you put in place proportionate safeguards to deal with that. And then, when it comes to supply chain mapping, if you like, what's critical and important? Well, just to point out, I'm not a lawyer, but look into what the definitions are and interpret those for your organization. And there are really two. I was giving some advice about this the other day. There are really two ways to consider this, at least in the client scenario that I was dealing with, which is that they're critical and important if they suffer an outage or disappear, and that stops you from being able to complete the things that are important in the financial services sector and economy. And it's things like completing transactions or placing trades or whatever else it might be, you know, people getting cash out of machines. The second part of it is about what's important to you. So that's what's important to the economy and the people in it and the other players that act. And then there's actually, is it critical or important to you? And that's more about can you operate, and can you fulfill the obligations that you hold to yourself, your people, and others who rely upon you and expect you to do a thing.
So, for instance, in this conversation with the client, it was, "Ah, what about our risk management?" "We use X, Y, and Z cloud portal or platform to fulfill that, and it's supplied by X, Y, and Z." So, are they critically important? Well, actually, if they go down for more than a week at a particular point in time, you fail to fulfill your regulatory obligation. So yeah, they're one of the two. They're critically important. You decide who can work through that, but that's how I go about this.

31:58 Raghu Nandakumara

So Tris, just to counter this, I think the proportionality part of these regulations, and in DORA in particular, I think makes them highly dynamic, highly flexible, very customizable to every organization. But does that not also prove a challenge when it comes to identifying, determining, "Okay, this is what we're going to do," but then also to be able to prove that you've made the right choices? Does this not provide a challenge, which then means that organizations typically default to doing as much as possible? How do you decide, and how do you prove that you've made the right decisions?

32:45 Tristan Morgan

So I think you make a valid point there, which is, you actually need to evidence your decision making, and getting to a position around your point, around proportionality, is key. So how have you got to a decision and evidence? And to Mark's point, actually seeking counsel as well, I would suggest, in terms of how you've got there, because obviously what you don't want to do is to make assumptions and then for that to be proved invalid down the line. It's also worth noting that any decisions that you make today need regular review to understand, are they too strict? Are they not strict enough in terms of what we've implemented? But I'd just like to come back a second and say that this isn't a question around your binary, you know, one or zero. Actually, this is around a key scale. And when you look at those critical parties that you need, it's also important to think about the stack ranking of different platforms, systems, and functions. And something I've often talked to customers about is they often think, well, you know, if we couldn't write a purchase order, would that really matter? We said, well, actually, if you needed that to get in some incident response specialists, it would be a problem. And so there's a number of things you've got to work through in quite a detailed way as part of your simulation and thinking when determining to what level and to what degree do you want to be compliant.

34:03 Raghu Nandakumara

That's a really great point. It's like, what is that smaller set of key business processes that you need to ensure are kept running in order to stay in business, to stay operating? I feel that that underpins everything else. So is that where the conversation usually starts? Is it: what is that minimum set for you as a company?

34:28 Tristan Morgan

Yeah, I always advocate you start with a customer and say, actually, if I'm a customer, what is it that I, you know, what are the services that I would need to be able to continue to be served? And there'll be tough decisions there around the minimal things that would be. Mark mentioned getting cash or being able to transfer money. These are some of the things that are fundamentally important, you know, in financial services, and then working that back through an organization. The risk of doing it the other way around is that you actually look at what platforms, systems, etc., do you need to maintain, but then losing sight of that one important thing, which actually means you can get to a customer. And so I'll advocate looking at it from front to back.

35:08 Raghu Nandakumara

Absolutely right. Because when you start there, once you've got that list, you can then talk about, “Okay, well, what are the threats these things face? What are they at risk of?” Then, move on from there about how you identify where your controls gaps are, to then determine what additional controls you need to put in place to alleviate that and continue testing that and improving that.  

35:32 Tristan Morgan

And as you go through, you'll identify loads of gaps in controls. And it's important to say, “Well, which ones are we going to prioritize? Which are the most important ones?” Rather than just building a list of 700 things you've got to do, it's about knowing which ones are making the biggest impact to making sure that the company can stay up and running and serving their customers.  

 

35:51 Raghu Nandakumara

Yeah, and so Mark, I think just following on from that, that's that business-informed approach that ties to the proportionality, that then maps to, essentially, what are the threats that you and your processes face, that then drives how you test. I think that's a key part of DORA, which I feel differentiates it from other regulations that we've had in the risk management space for financial services in the past. Like, is that how you see it?

 

36:18 Mark Hendry

Yeah, I think so. I completely agree, Tris, with what you're saying. Saying, what are the things that, if they get knocked, people are going to notice, either because it's inconvenient or painful, and whether you're a business-to-consumer financial services organization or a business-to-business one, you know it's going to draw regulatory scrutiny most quickly. What are those things, and work backwards from there: what are they interconnected to? What do they rely upon? And the clue is in the name: business impact analysis. We've been doing this for donkey's years, and it's just that we've got a sharp stick behind us, forcing us, in the form of DORA, to do it now. We've always kind of had that in financial services anyway. Other industries are facing the sharp stick for the first time. But we're really talking mainly about DORA here. There's another point here, which is that, yeah, we are on the pathway to DORA enforcement, and we don't know what that looks like just yet, but we do know that financial services supervisory authorities are typically better equipped, you know, well-trained people, okay resources, you know. They'll probably disagree if you had a regulator or someone that works for a supervisor on the line. Now, they might disagree, but compared to others, then they're ahead of the pack and more active, because it matters so much. But we're, what, four months out from DORA now? So, what if you're not on track? What are you going to prioritize? What are you going to go more deeply or lighter touch on? And to the point about accountability earlier: if something does go wrong, how are you going to tell the story about why that was an appropriate set of decisions and actions to take based on the information that you had available to you at the time that you took them? That all plays a factor when investigations happen, and enforcement is being calculated and decided upon. 
And it doesn't mean that enforcement isn't going to happen, but those mitigating circumstances, if you can tell a good story about them and prove that they were fine and wise decisions to make, or at least not negligent, you know you're standing yourself in good stead. And so if you are behind on your DORA program right now, think about what we've said: what's going to hurt most, what you're going to prioritize, what you're going to get over the line and what you're going to kick into next year, a little bit on a risk-balanced basis?

 

38:50 Tristan Morgan

You're exactly right when you think that financial services companies are often very used to regulation. But you know, you think of the scope of DORA, as you mentioned earlier, including ICT companies, and for many of those it's the first time that they actually have been subject to this type of regulation. And therefore, not only is there the overhead of trying to become compliant, there's also the cost. And some of these can be relatively small businesses, and so it's quite onerous for them, not only to embark upon the journey, but actually the cost of becoming compliant.  

 

39:20 Mark Hendry

You're absolutely right. It's the extension of scope of these things to non-regulated businesses. So non-regulated businesses fall into the scope of DORA because they are a critical or an important ICT supplier to the European financial services economy. And actually, there's something quite interesting in DORA. There's a mechanism in DORA, and I'm quite interested to see how it plays out, which is what's called the register of assets, where financial services entities have to fill in these spreadsheets that say these are our critical and important information system, ICT, and third-party assets, and those need to be disclosed to the supervisory authorities upon request, and at a certain frequency, to a certain extent. And then after that, ICT providers will be designated as critical and important by the supervisory authorities. Now I can foresee a situation where there's a coordination mechanism, a cooperation mechanism, whereby all of those asset registers go into a great big data lake, and all of a sudden, for the first time in history, at the European Commission level, they've got brilliant layers and layers and layers deep of how all of these interconnections and intersections are operating. That for me, if they can achieve that from DORA, is hugely powerful as to how we maintain resilience, and kind of almost forget for a second what it's going to take to get there. Just getting that insight is the work of decades, and we might be on the cusp of it, which is kind of cool in a geeky way.  

 

40:55 Raghu Nandakumara

Yeah, absolutely. I have two reactions to that. The first reaction is your reaction: that's amazing, to completely understand the entire set of interdependencies between the banking and financial services industry and the technology service providers, how these are all interlinked, and all the depths at which that goes. But then, also working for a technology vendor, my fear is: how do I know whether I'm on that list, and if I'm not on that list, am I critical? Am I not critical? And how do I differentiate between one of our customers saying, “Oh, they're a critical technology provider,” and another customer not having us on that list? How does that then play into my obligations? Because that's the bit that I feel is unclear still.  

 

41:48 Mark Hendry

So, my firm just won FinTech Advisor of the Year. So you can imagine, we work with a lot of the businesses that either fall on the fin end of that spectrum, and they're regulated because they're basically a digital bank or something like that, and if they're operating in EU markets or supervised by European regulators, guess what, they're in scope. Or they're on the tech end of that, because they're basically a technology provider, and their clients are financial services entities. They just need to look at where those financial services customers are operating and what they do for them. And if you think you're important enough to them that if you went down, they'd stop being able to do some stuff, then it's a logic exercise you're in. If you are a broader technology company that has clients in retail, pharmaceutical manufacturing and financial services, just do the same exercise. Who are your financial services customers? You know who they are because you're billing them. Think about, you know, what you mean to them, and what happens if you fall over one day, and plan for that. Again, a logic exercise. But to Tris's point, if you're not sure, get counsel.  

 

43:00 Tristan Morgan

I think, picking up on the last point about seeking counsel: you know, nobody can do this alone. And there are lots of third parties that can help with, kind of, you talk about proportionality, in terms of where to go first, and, you know, what other sectors have done, and help to make that judgment so that people can become compliant to the right level without the right degree of burden, particularly companies which don't naturally come from this more regulated sphere. And Mark talked about the technology companies who have branched out into financial services. I think some of these are the ones where it's most important to work with other people.  

 

43:42 Raghu Nandakumara

So we're getting close to time, and this is a zero trust podcast, and we haven't mentioned the term zero trust once, so I feel that I'm obliged to do so now. So Tris, starting with you first. DORA talks a lot about what it's aiming to do, and it's aiming to improve the resiliency of the financial services industry in the EU so that it's able, even in the midst of a cyberattack, to continue and be productive. And there are a lot of technical requirements around reducing the scope of access and so on. But it doesn't mention the term zero trust once, and very intentionally. What's your perspective on the relevance of zero trust to DORA, and also why it was intentionally left out?

 

44:28 Tristan Morgan

If I cover your second point first, on why it's left out. So, zero trust is obviously a wider security term that brings together a grouping of capabilities to fundamentally drive the security position of all businesses up. And so we need to be mindful, actually, that zero trust might change as a terminology in the future, but the principles that underpin it, and I think that's one of the reasons why it wasn't named, actually stay fundamentally important. And I look at them really in four ways. It's about identifying threats, you know, mapping out which of those are critical or noncritical, and those sorts of third-party dependencies. How you can then, with zero trust, help to protect and prevent attacks, and where you need to put the right monitoring, the right control in there, but also recognizing that there are more advanced things that you need to do for the things that you're not sure are attacks. And this is where more advanced security, like SIEM technologies, is really paramount to help do that, more advanced threat hunting, particularly talking about nation state type activities. And then, you know, the other key part of zero trust is looking at how you respond and recover from those attacks, bearing in mind that most businesses want to be able to continue to sell capacity. So, zero trust is a nice grouping of a number of these, but fundamentally, that's why it is important. And of course, for some businesses, it might be that you want to amplify up or down one of the four things I've just spoken about, because they're most relevant to what you do, you know, but overarching, when you look at the principle of zero trust, it's about the concept of least privilege. So, you want to give your workforce, your customers, the least possible privileges to do what they need to do, and then take that away when they don't need it, rather than the days of giving people admin access forever as an employee. You know, that's not what we want to do. 
What zero trust needs to do is to fundamentally make it harder for people to get in. But if people do get into an organization, to be able to detect, respond and recover from that in a really timely fashion.

 

46:32 Raghu Nandakumara

Yeah, absolutely. And limit how far they can get within the organization. Should they get in, how far can they move around? Yeah, absolutely, fantastically put. Right? It's a set of principles that apply not just to DORA, but also much beyond that. And DORA, I guess, benefits from some of those principles dialed up or down as required. Mark, any thoughts?

 

46:56 Mark Hendry

Yeah, it's in there. Zero trust is in there. It's a standard to which we aspire and work today. The terminology might evolve over time, and that's why the term probably isn't in there, to Tris's point, but elements of zero trust are in there. If you did a search on DORA and looked for the word segmented, as in microsegmentation, instantaneous severing of elements of the network in order to contain, and what have you, it's in there. It's absolutely in there. So, you just need to know what you're looking for, and you'll find it. And zero trust will evolve. It might evolve into a different name or a different set of characteristics that we seek to achieve. But DORA should last. And we might find terms like zero trust start to pop up in regulatory technical standards or implementing technical standards that accompany it. But it's absolutely in there, because it's such a good way to protect our organizations from harm, the types of harm that we've talked about.  

 

47:53 Raghu Nandakumara

And believe me, as a segmentation vendor, I have very much Google searched those documents for every single term and all their synonyms, and found all of them. So, I think we're close to time. Tris, I'm going to come to you first. So, as we wrap up, how would you like listeners to really think, not just about DORA, but about security risk compliance today and how it's going to evolve in the future?

 

48:17 Tristan Morgan

So, what we take away from this is that we know that just as we, as a sector, are going to be increasing the use of digital technology, we also know that the adversaries are going to be using that to try and ever increasingly target us and try and get gains from it all. And therefore, when you look at security, it becomes that everybody is pivotal and the most important thing within those organizations, to make sure they can be better at spotting and defending against that, and ultimately better serve their customers. And I mean, this is where regulation and DORA also come in, to help provide that guidance, the standardization, and ultimately the collaboration that is needed to do that, not just this year, not next year, but, you know, for the next 5-10 years to come.  

49:02 Raghu Nandakumara  

So better collaboration and better standards. So that we improve security collectively.  

 

49:09 Tristan Morgan

Yeah, better collaboration, better standards. I think that's the key to success.  

 

49:16 Raghu Nandakumara

Awesome, Mark?  

 

49:18 Mark Hendry

Yeah, agree with Tris. This is evergreen. It's coming. It's not here yet, but it will be soon, and it's evergreen. So let's get to a good place, and let's keep building from that, and try not to get dragged kicking and screaming into the place that it's trying to take you. Try to think about the benefits. It's about value protection. It's about stability, resilience. Think about resilience. Yeah, that's the message. Think about resilience. Try not to think too much about compliance, but do it in a compliant way that makes sense for your business. Interpret correctly. Have a good story to tell and do what's proportionate and right for you, and you'll be in pretty good standing.  

 

49:55 Raghu Nandakumara

Well, I think those are very wise and informative words from both of you to wrap that up. So Tris, Mark, thank you so much for your time today. It's been great speaking to you both, and I appreciate all the wisdom. Cheers guys, thanks.