DORA and industries
The financial services sector has been identified as a prime target for cyber threats, underscoring the critical need for robust operational resilience measures. A survey by the International Monetary Fund (IMF) found that the financial sector is at risk due to weak cybersecurity defences.
This sentiment is echoed by the Bank of England, whose latest systemic risk survey revealed that 74% of respondents view cyber-attacks as the highest risk facing the financial sector.
Frameworks like DORA have become vital in helping financial institutions and their associated suppliers, such as ICT providers, understand how to effectively manage these evolving cyber risks. Recent industry research highlights the significant cyber threats faced by the financial sector:
The Verizon 2022 Data Breach Investigations Report (DBIR) recorded the most prevalent threats, including data breaches, DDoS attacks, and ransomware. The report emphasises that stolen credentials are a key factor in the success of many of these attacks.
A 2022 Commodity Futures Trading Commission survey found that 74% of the 130 global financial institutions surveyed had experienced at least one ransomware attack incident in the previous year.
These alarming statistics underscore the urgent need for financial entities to strengthen their cybersecurity posture and operational resilience in line with regulations like DORA.
The Digital Operational Resilience Act strongly emphasises third-party risk management, recognising the significant role that ICT providers play in supporting the financial services sector.
Industry research highlights the growing threat of supply chain attacks targeting the financial sector. According to the Verizon 2022 Data Breach Investigations Report, the financial industry was the second-most popular target for these types of attacks. DORA aims to address this vulnerability by establishing comprehensive requirements for financial entities to manage the ICT risks posed by their third-party service providers.
The European Union Agency for Cybersecurity (ENISA) has reported increased sophistication and volume of supply chain attacks, with threat actors targeting the technology supply chain to steal data and financial assets. DORA’s provisions for third-party risk management will be coordinated with existing frameworks such as the European Banking Authority (EBA) Outsourcing Guidelines.
Any ICT provider designated “critical” by a European Supervisory Authority (ESA) will be subject to a strict oversight framework. This heightened scrutiny ensures that these systemically essential technology providers implement robust security measures and comply with DORA’s requirements.
Financial institutions increasingly turn to Zero Trust solutions to effectively manage third-party risks. These technologies provide enhanced visibility across the extended network of suppliers, including ICT providers. By enforcing security measures such as least privilege access and proactive control of sensitive areas and data, Zero Trust helps prevent data breaches and mitigate the impact of ransomware and other cyber threats.