The European Digital Operational Resilience Act (DORA), which came into force on Friday, January 17, is already imposing unforeseen costs on organizations right across the financial sector. Although the act is the brainchild of the European Union (EU), the financial services industry has been global for some years, and firms in the US and the UK are also affected. As of Friday, the new regulations also apply to US companies providing financial services within the EU or catering to EU customers.
California-based cybersecurity company Rubrik has commissioned research showing that almost half of UK financial businesses report spending over €1 million each over the last two years in trying to comply with the new EU regulation. DORA mandates key provisions such as contractual safeguards and contingency plans to mitigate risks from partners and third parties. DORA compliance also requires regular testing of digital resilience and attack simulations.
“DORA will introduce an enforced universal framework, including a focus on Information and Communication Technology (ICT) risk management. This framework could transform the financial services and banking sector, given it typically holds some of the most sensitive data across all markets,” says Rubrik.
IT budgets fail to meet regulatory needs
The report’s findings also show that UK CISOs have difficulty impressing on company board members the need for cyber resilience and compliance with new cyber regulations. Over three-quarters (77%) of UK CISOs feel that their IT budget does not fully reflect their board’s objectives for meeting regulatory requirements.
“There is a critical gap between board-level understanding and reality. While regulators are increasingly stringent, many CISOs feel their budgets don’t adequately reflect the board’s commitment to compliance. This disconnect jeopardizes not only organizations’ security posture but also their ability to meet evolving regulatory demands,” warns James Hughes, VP of Solutions Engineering and Enterprise CTO at Rubrik.
“Given the increasing threat of ransomware and third-party compromise, the implementation of regulations is required and expensive. Understanding what data is the most critical, where that data lives, and who has access to it, is essential to identifying, assessing, and mitigating ICT risks. If good hygiene practices like these are not followed, organizations can now receive fines from the Financial Conduct Authority (FCA),” adds Hughes.