ARTICLE
3 November 2022

The Good News And The Not So Good News About Reporting Requirements Under DORA

FTI Consulting

European financial services firms, and their third-party providers, must soon meet the EU's new cybersecurity and information and intelligence sharing statutes. Some firms may already be operating under similar rules; others may have to start from scratch.

Financial services (FS) firms in the European Union have long supported the push for standardized cybersecurity laws.[1] Now, however, an age-old saying may be ringing in their ears: Be careful what you wish for.

The good news is that the Digital Operational Resilience Act, or DORA, as it is more commonly known, does just what the FS firms want. It harmonizes a hodgepodge of hard-to-reconcile regulations and reporting standards from across the EU's 27 countries. By requiring firms to integrate cybersecurity applications throughout their full enterprises, the measure is expected to reduce overall compliance costs and cut through red tape.[2]

The not-so-good news: The clock is ticking. With less than 24 months before DORA is fully implemented, some FS firms may find themselves scrambling to meet its deadline.[3]

Editor's Note: This is the third of three articles in which the FTI Journal looks at the five key pillars of DORA, the European Council's legislative act that will strengthen regulations regarding information and communication technologies ("ICT") and cyber resilience in financial services firms. The first article provided an overview of the act itself and one of the pillars: digital operational resilience testing. The second article covered risk management obligations under the act.

Gathering and Sharing Information

Preparing for compliance with DORA can be challenging. Requirements stretch across every part of an organization, and the penalties for failing to comply can be severe.[4] Avoiding those penalties demands accountability across the board in business continuity, incident management, crisis communications and lessons-learned exercises.

In two previous articles on DORA, the FTI Journal looked at three of the act's five pillars. Two involve risk management within information and communications technology; one sets forth operational testing requirements. For this final article in the series, we present the two information-sharing pillars (Incident Reporting and Information and Intelligence Sharing). They are designed with two distinct goals in mind: to let firms share information about cyber attacks so that detection in particular improves, and to improve the ability of industry stakeholders to report material incidents efficiently.

The two pillars will also provide regulators based in Brussels with enhanced, real-time visibility into cybersecurity incidents across the entire EU.[5]

As they get ready for DORA, it is important for FS firms to understand that the requirements are anything but a one-time tick-the-box exercise, especially considering the detailed communications-related provisions in the law. Under DORA, FS firms must maintain a crisis communications plan that ensures "updated information is transmitted to all relevant internal staff and external stakeholders."[6] In practical terms, this mandate requires continual testing and training to make sure organizations have the right people and processes in place and that workarounds are available in the event that normal channels of communication are compromised.

Clearly, there is much to consider. Here, we ask and answer questions related to the two pillars that may be on the minds of compliance officers, boards and senior managers.

Q: How does DORA's incident reporting requirement change the way FS firms currently operate?

It is all relative, but new cybersecurity requirements often mean enhanced reporting and technical requirements, which can be onerous. Under DORA, some incidents will require disclosing specific, exhaustive details about a breach almost immediately.[7] In practical terms, that means FS firms must be ready to manage an ongoing cyber attack and disclose specific details to regulators.

Complicating matters is something unique to the very nature of cyber attacks themselves: Cyber incidents sometimes are not identified for weeks or months after they occur. Taken together, these new reporting requirements put tremendous pressure on FS firms to have the right infrastructure in place — including early warning systems and the operational approach behind them, as well as crisis management and crisis communications plans — so that they are prepared from an operational perspective.

Q: What about information and intelligence sharing — does that change things for firms?

It depends. Like the reporting requirements, DORA's information and intelligence sharing pillars will be new to some firms, while others may already be compliant in some areas. For example, some organizations have worked with information sharing and analysis centers across Europe for years to report cyber incidents. Even so, previous efforts are not at this scale, and organizations have not had to contend with such harsh penalties for noncompliance.

The Key Pillars of DORA*

  • Digital Operational Resilience Testing
  • ICT Risk Management
  • Incident Reporting
  • Information and Intelligence Sharing
  • ICT Third-Party Risk Management

One other thing to keep in mind is that the information and intelligence sharing requirements are more technical in nature than DORA's other pillars. That means firms must be careful not to inadvertently disclose sensitive information when complying with the new rules.

Q: Protecting sensitive information — that is a big one. How should FS firms guard against disclosing trade secrets when sharing information about cybersecurity threats and incidents?

These are serious concerns to consider before implementation. Sensitive information should be shared only with trusted individuals and organizations, and only through a secure platform.

Q: Disclosing an incident sometimes makes companies skittish because of reputational issues. What should FS firms keep in mind if the worst happens?

First, a cybersecurity crisis is always driven by an external factor. So, the jury of public opinion looks closely at how management responds to the crisis. With DORA, companies should ensure that their operational resilience frameworks are in place, which includes their crisis management and crisis communications plans. But how management handles, say, a data breach, is paramount to reputation management. That usually means disclosing the breach to the appropriate stakeholders in a timely fashion — and with clear, transparent and open communication. Firms should also have an internal testing and training regimen that considers all the possible impacts to their business and provides an opportunity to walk through those plans, including identifying roles and responsibilities for every team member.

Footnotes

1: "EU Cybersecurity Initiatives and the Finance Sector." European Union Agency for Cybersecurity. March 2021. https://www.enisa.europa.eu/publications/EU_Cybersecurity_Initiatives_in_the_Finance_Sector/at_download/fullReport

2: "Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014." European Commission. Sept. 24, 2020. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595

3: Ibid.

4: "REPORT on the proposal for a regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014." European Commission. July 12, 2021. https://www.europarl.europa.eu/doceo/document/A-9-2021-0341_EN.html

5: FTI Consulting analysis.

6: "REPORT on the proposal for a regulation of the European Parliament."

7: FTI Consulting analysis.
