What is the Digital Operational Resilience Act?

The Digital Operations Resilience Act (DORA) is the European Union’s attempt to streamline the third-party risk management process across financial institutions.

Various national regulatory attempts have been undertaken to provide some sort of uniformity, but this has only further divided the financial sector’s attitude to cybersecurity. DORA aspires to replace different Information and Communications Technology risk management frameworks in Europe’s financial industry with a single unified strategy to mitigating all ICT-related incidents. The act intends to improve financial industry operational resilience so that business continuity may be ensured even when an organisation’s ICT is disrupted, such as during a cyberattack.

DORA has five key pillars:

1. ICT risk management – financial institutions will be expected to develop and implement an ICT risk management framework that includes a business continuity strategy, recovery procedures, communication strategies, and security measures for all critical assets.
2. ICT incident reporting – DORA will create a more streamlined reporting channel for ICT-related incidents which is a welcome consolidation of the current multiple reporting requirements. Under the new EU reporting regulations all financial firms will be required to file a root cause report within a month of a large ICT incident. Financial institutions will need to create accurate early warning indications of ICT disruptions to assist timely filing of such reports.
3. Digital operational resilience testing – to ensure the reliability of established ICT defences, financial entities will need to undergo regular digital operations resilience testing conducted by independent parties – either internal or external. These regular tests should be included in a digital-resistance testing programme comprising of testing methodologies, procedures and tools, frequency of resilience tests and prioritisation strategy for testing policies
4. Information and intelligence sharing – DORA will allow and encourage entities within trusted financial communities to share cyber-threat information. The goal of this type of information exchange is to improve awareness of new cyber dangers, dependable data security solutions, and operational resilience strategies.
5. ICT third-party risk management – this is probably the most challenging pillar of DORA. Cloud Service Providers (CSPs) will be forced to comply with regulators if they are classified as ‘critical’. It’s important to understand that the burden of DORA compliance does not completely fall on critical third-party providers. Financial service entities will need to implement third-party risk programmes to prevent operational disruptions caused by supply-chain attacks and third-party breaches.

So, how might Redstor assist financial institutions in reducing cyber risk and complying with DORA?

Backups alone will not prevent you against ransomware, but they are the best last line of defence for ensuring you can recover quickly – and the ability to test those systems on a regular basis to ensure they are working is critical. While there is no way to completely avoid being a ransomware victim, you may take efforts to ensure that your backup strategy will allow you to recover successfully.

• Air gap – guarantee that the primary and backup storage systems are physically separated. Bad actors won’t be able to access the backup data copies because of this physical break.
• 3-2-1-1 strategy – the most recent best practice provides three copies of data, two separate media for backup storage, one offsite backup storage location (online) PLUS an offsite backup storage location (offline/air gapped).
• Backup data malware detection and removal – ransomware frequently stays idle on a network for long periods of time before encrypting systems, ensuring that it is present in all backup versions, making malware-free recovery impossible. To effectively protect against ransomware, the capacity to detect and remove ransomware from backup data, as well as having an isolated location in which to restore data, has become critical.
• Instant / rapid recovery flexibility – downtime can be just as detrimental as data loss. To be effective, a backup strategy must allow users to get back to work quickly by allowing temporary access to data if needed and prioritising crucial data recovery if it is required.

Providers of financial services need to know their data is secure and immediately recoverable. Redstor not only provides that assurance, but it simplifies data management, freeing up time for those financial entities to focus on driving value for the firm. DORA is expected to come into force in the first half of 2022 which enables financial entities to get ahead of legality implementation and prepare by finding a reliable and secure data protection solution, ahead of this regulatory initiative.

To learn more about how Redstor’s data management and protection technology will help your company mitigate the impact of cyber threats and increase financial stability, schedule a no-cost consultation with one of our experts now: Request A Demo | Redstor.