By providing access to credit and financial services, financial institutions promote economic growth and play a crucial role in the economy. Their failure or impairment has the power to cause a sustained shortage of supplies, significant disruptions to public order, and safety or security concerns.1 Digitalization is essential for financial institutions to remain competitive, meet evolving customer demands, and achieve sustainable growth in an increasingly digital environment.2
In addition to boosting productivity and facilitating greater competition in markets, digitalization has its downsides: as reliance on digital infrastructures increases, cyberattacks are likely to be more common. Cloud technologies, for instance, centralize data storage and information while also increasing network traffic and interdependence. As a result, more methods of launching targeted cyberattacks become available to malicious users.3
Attacks on critical infrastructure providers such as financial institutions can affect daily life and cascade into other industries and organizations that rely on financial products and services. Compared to other sectors, the financial industry is three times more susceptible to cyberattacks, according to the Committee on Economic and Monetary Affairs.4
Worldwide, from 2013 to 2022, the number of cyberincidents in the financial industry tripled, while those cyberincidents involving data disclosure doubled.5 One of the most significant cyberattacks on this sector occurred in 2014 when a United States-based major multinational financial services and banking institution was compromised by hackers, exposing the names, addresses, phone numbers and emails of 83 million account holders.6
Because financial institutions store a wealth of sensitive customer information, including personal and financial information, attackers often view them as high value targets.7
As financial institutions increasingly rely on technology and experience cyberattacks, resilience has become a desirable quality, raising the question of how much regulatory attention is paid to it. The EU Digital Operational Resilience Act (DORA) was published in December 2022. Due to its extraterritorial reach, DORA is also crucial to enterprises outside the European Union, particularly providers of information systems-related services. DORA imposes a harmonized ruleset not only on financial institutions, but also on service providers from outside the European Union that serve EU-based financial institutions.
There are several reasons why digital operational resilience is important, including:
- Economic impact—DORA highlights the catastrophic risk a service outage could have on not only the customers of an individual bank, but an entire economy.8
- Customer confidence and reputation—Cyber and information security incidents can damage the reputation of financial institutions, which can lead to long-term consequences. By minimizing data loss, responding rapidly and effectively to incidents, and implementing preventative measures, resilience helps preserve reputation.9
- Business continuity—Service interruptions, system failures, and significant disruptions can be caused by cyberattacks on financial institutions, which play a vital economic role. To maintain the stability of the financial sector, resilience aims to minimize the impact of these incidents, support business continuity, and reduce financial losses.10
Because cyberresilience is a well-established concept and the basis from which digital operational resilience was derived, it is worth exploring how digital operational resilience relates to general resilience.
Resilience: A General View
The concept of general resilience was the foundation for cyberresilience and, subsequently, digital operational resilience.
Despite the multidisciplinary nature of resilience and its various definitions, there are common themes and characteristics that are universally recognized across disciplines. Based on a systematic literature review, resilience consists of five core functions: sense, build, reconfigure, reenhance, and sustain (figure 1).11
Source: Derived from Birkie, S.; Trucco, P.; Kaulio, M.; “Disentangling Core Functions of Operational Resilience: A Critical Review of Extant Literature,” International Journal of Supply Chain and Operations Resilience, vol. 1, 2014, p. 7–8
DORA
Digital operational resilience is defined as the ability of a financial institution to build, assure, and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by information and communication technology (ICT) third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial institution uses, and which support the continued provision of financial services and their quality, including throughout disruptions.12 This definition is related to the concept of general resilience as well.
Due to its wide scope, digital operational resilience goes beyond cyberresilience. It encompasses not only cyberthreats, but also other disruptions, such as third-party service outages. Consequently, digital operational resilience aims to ensure the continued provision of financial services and their quality, including throughout disruptions. Overall, DORA also aims to mitigate market concentration risks caused by financial sector reliance on ICT third-party service providers.13
Another key goal of DORA is to harmonize rules for a variety of European financial institutions. Because these institutions rely heavily on third-party ICT services, the regulation also covers certain service providers.
DORA entered into force on 16 January 2023 and will be applicable beginning 17 January 2025. Institutions subject to the regulation are currently awaiting regulatory technical standards (RTS) and implementing technical standards (ITS). There are certain rules outlined in DORA that will be specified in these standards by the European Supervisory Authorities (ESAs) (the European Banking Authority [EBA], European Insurance and Occupational Pensions Authority [EIOPA], European Securities and Markets Authority [ESMA]).
DORA is likely to have a significant impact on the day-to-day activities of entities falling within its scope because they will need to comply with the regulation’s requirements. Compliance is supported by procedural, technological, and human aspects, which can result in increased costs if adjustments are necessary to achieve compliance. Depending on the specific sector in which the financial institution operates, these regulations may or may not be new. However, DORA concretizes some known rules, including the guidelines by the EBA on outsourcing arrangements and on ICT and security risk management.14
There are five main domains covered by DORA that pertain to the use of ICT by financial institutions:
- ICT risk management
- ICT-related incident management
- Digital operational resilience testing
- Management of ICT third-party risk
- Information sharing arrangements
Failing to comply with DORA may involve criminal and administrative penalties and/or remedial measures.15 Such measures include the temporary or permanent cessation of any practice or conduct that the competent authority considers to be contrary to the provisions of DORA, and the prevention of any repetition of that practice or conduct.16
Financial Authorities Shifting Toward Resilience
According to the ESAs, information security requirements in all sectors should be harmonized and supplemented, and harmonization of governance requirements across the financial sector would increase the overall level of security, provide better supervision in information security, and enhance cybersecurity. To create a common baseline across all financial sectors, the ESAs called on the European Commission to include information security aspects in the relevant European Directives.17
In 2019, the ESAs also published a joint opinion emphasizing the need for a common legal framework to oversee critical service providers.18 Service providers to the financial sector can raise concerns about their own operational resilience and about the cybervulnerabilities to which they expose financial entities. A common legal framework would help ensure effective delivery of financial services across the European Union, supporting consumer and market trust. Because ICT third-party service providers operate both outside and within the European Union, the ESAs consider international coordination desirable.
For this purpose, the European Union aimed to harmonize rules in a proportionate manner to make the financial sector more secure and resilient while easing compliance and administrative burdens. Four main areas of interest were identified:19
- Requirements on ICT and security risk management applicable to the financial sector
- Incident reporting requirements
- Digital operational resilience testing framework
- Oversight of ICT third-party providers to financial institutions
DORA addresses each of these topics.
DORA’s Influence
Before DORA, authorities used the term cyberresilience to describe an institution’s ability to resist attacks impacting its cybersecurity. Digitalization and financial technology (FinTech) competition have contributed to the shift toward digital operational resilience, which provides a more holistic view on resilience.20
DORA has the potential to enhance the financial sector’s resilience in several ways:
- ICT risk management—Financial institutions will be required to assess their operational risk and take dedicated measures to address vulnerabilities. This risk-based approach can help institutions proactively identify and mitigate potential weaknesses.
- ICT-related incident management—Certain incidents must be reported to competent authorities under DORA. This requirement allows authorities to improve incident response and coordination, thereby reducing the impact of cyberattacks on financial markets.
- Digital operational resilience testing—Financial institutions are obliged to test and simulate their readiness to respond to cyberincidents. These exercises can identify areas of vulnerability and help institutions strengthen their overall resilience.
- Management of ICT third-party risk—Financial institutions will have to ensure that their service providers meet certain industry standards, reducing the risk associated with third-party dependence. These standards will be assessed and enforced by authorities with expanded powers.
- Information sharing arrangements—A more coordinated and effective response to cyberthreats and incidents can be achieved by encouraging information sharing and collaboration between financial institutions and regulatory authorities.
Digital operational resilience is an important aspect of DORA that will aid in ensuring the European financial sector’s overall resilience. However, resilience is difficult to measure. One main problem with resilience is that it can only be measured after an adverse event has occurred.
There have been efforts to measure resilience in the cyberdomain, but they are mostly focused on access to systems and maintaining confidentiality, integrity, and availability. Little attention has been paid to what happens after systems are harmed.21 It is therefore hard to predict what exact impact DORA will have on the financial sector’s resilience; such effects cannot be predicted with accuracy because they will only be measurable in the future.
Conclusion
For European financial institutions, financial institutions outside of the European Union serving European customers, and ICT third-party service providers serving European financial institutions, it seems reasonable to analyze their compliance fit with DORA.
DORA is relevant to customers, including enterprise clients, because it seeks to foster the resilience capabilities of financial institutions, such as credit institutions, insurance companies, and their ICT service providers. This ensures that in the event of severe operational disruptions, the European financial sector can maintain operational resilience.
DORA goes beyond the quantitative assessment of ICT-related risk. The new regulation lays out a whole range of qualitative rules to handle resilience from a broad ICT-related perspective, which is centered around the (general) concept of resilience.
DORA is the result of the desired harmonization of regulatory requirements for digital operational resilience of financial institutions in Europe and the desired harmonization of regulatory requirements for provisioning ICT services from service providers. FinTech enterprises have increased competition among financial institutions, and ICT third-party service providers including cloud service providers have increased market concentration risk.
Although cyberattacks on financial institutions will not disappear altogether, it will be interesting to see if DORA fosters the sector’s resilience in hindsight, which could help safeguard consumer protection and promote stability in financial markets.
Author’s Note
The views and opinions expressed in this article are solely those of the author and do not necessarily reflect the official policy or position of his employer.
Endnotes
1 European Commission, “Critical Infrastructure: Commission Accelerates Work to Build up European Resilience,” 18 October 2022, https://digital-strategy.ec.europa.eu/en/news/critical-infrastructure-commission-accelerates-work-build-european-resilience
2 Balkan, B.; “Impacts of Digitalization on Banks and Banking,” The Impact of Artificial Intelligence on Governance, Economics and Finance, Volume 1, Springer, 2021
3 Fell, J.; de Vette, N.; et al.; “Towards a Framework for Assessing Systemic Cyber Risk,” November 2022, https://www.ecb.europa.eu/press/financial-stability-publications/fsr/special/html/ecb.fsrart202211_03~9a8452e67a.en.html
4 Committee on Economic and Monetary Affairs, “Report on FinTech: The Influence of Technology on the Future of the Financial Sector,” 28 March 2017, https://www.europarl.europa.eu/doceo/document/A-8-2017-0176_EN.html
5 Statista, “Number of Cyber Incidents in the Financial Industry Worldwide from 2013 to 2022,” June 2023, https://www.statista.com/statistics/1310985/number-of-cyber-incidents-in-financial-industry-worldwide/
6 Reuters, “JPMorgan Data Breach Entry Point Identified: NYT,” 22 December 2014, https://www.reuters.com/article/us-jp-morgan-cybersecurity-idUSKBN0K105R20141223/
7 Gulyas, O.; Kiss, G.; “Cybersecurity Threats in the Banking Sector,” 8th International Conference on Control, Decision and Information Technologies, 2022
8 Rackham, S.; “DORA Raises the Stakes for Cloud Use in Financial Services,” 24 November 2023, https://www.computerweekly.com/opinion/DORA-raises-the-stakes-for-cloud-use-in-financial-services
9 Pequignot, O.; “The Financial Industry and Digital Operational Resilience,” 23 August 2023, https://yogosha.com/blog/financial-industry-and-digital-operational-resilience/
10 The European Parliament and the Council of the European Union, Regulation (EU) 2022/2554, European Union, 14 December 2022, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554
11 Birkie, S.; Trucco, P.; et al.; “Disentangling Core Functions of Operational Resilience: A Critical Review of Extant Literature,” International Journal of Supply Chain and Operations Resilience, vol. 1, 2014
12 Op cit The European Parliament and the Council of the European Union
13 Trautmann, K.; “Cloud Computing Evolution and Regulation in the Financial Services Industry,” ISACA Journal®, vol. 2, 2023, https://www.isaca.org/archives
14 European Banking Authority, EBA Guidelines on Outsourcing Arrangements, European Union, 25 February 2019, https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing; European Banking Authority, EBA Guidelines on ICT and Security Risk Management, European Union, 29 November 2019, https://www.eba.europa.eu/guidelines-ict-and-security-risk-management
15 Op cit The European Parliament and the Council of the European Union
16 Op cit Trautmann
17 Op cit European Banking Authority, 29 November 2019
18 European Securities and Markets Authority, Joint Advice of the European Supervisory Authorities, 10 April 2019, https://www.esma.europa.eu/sites/default/files/library/jc_2019_26_joint_esas_advice_on_ict_legislative_improvements.pdf
19 European Commission, “Financial Services – Improving Resilience Against Cyberattacks,” https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12090-Financial-services-improving-resilience-against-cyberattacks-new-rules-_en
20 Panetta, F.; “Stay Safe at the Intersection: The Confluence of Big Techs and Global Stablecoins,” European Central Bank, 8 October 2021, https://www.ecb.europa.eu/press/key/date/2021/html/ecb.sp211008~3c37b106cf.en.html; European Systemic Risk Board, The Importance of Technology in Banking During a Crisis, March 2021, https://www.esrb.europa.eu/pub/pdf/wp/esrb.wp117~6c6d0b49c2.en.pdf; German Federal Financial Supervisory Authority, BaFin Perspectives, Issue 1, 2020, https://www.bafin.de/EN/PublikationenDaten/BaFinPerspektiven/AlleAusgaben/BaFinPerspektiven_alle_node_en.html
21 Jacobs, N.; Hossain-McKenzie, S.; et al.; “Measurement and Analysis of Cyber Resilience for Control Systems: An Illustrative Example,” Resilience Week (RWS), 2018
Kilian Trautmann, CISA, CCAK, CCSK
Is a senior information systems audit expert in the financial industry. His articles address issues at the intersection of IT, compliance, and audit, and have been published in various internationally renowned journals. He is engaged in the digital trust working group affiliated with the ISACA® Germany chapter.