The financial sector is one of the industries most affected by cyberattacks. To help European financial companies achieve greater digital operational stability and reduce systemic IT risks, the EU has adopted the Digital Operational Resilience Act (DORA). The associated increased due diligence and reporting obligations pose challenges for the industry: Audit-proof documentation of outsourcing, secure contracts that comply with specific legal requirements and the ability to provide information at any time. How can these EU requirements be implemented efficiently and reliably? How can digitalization help? This was discussed at the Presse #nextlevel talk:
- Dr. Anna Muri, Senior Specialist IT Risk Supervision, Financial Market Authority (FMA)
- Florian Polt, Head of Group Security, UNIQA Insurance Group AG
- Gerald Kogler, Head of the Insurance Industry Team, EY Austria
- Robin Schmeisser, Managing Director, Fabasoft Contracts GmbH
Increasingly AI-supported cyberattacks
Cyberattacks increased by 201% in Austria last year, according to the KPMG study "Cybersecurity in Austria 2023"¹. Around 60,000 cases were reported to the authorities in 2022, and the number of unreported cases is likely to be significantly higher.² Hackers are developing increasingly professional methods to obtain the desired data - including through the use of artificial intelligence. Thanks to Large Language Models (LLM), language skills are no longer required to write credible emails. This goes so far that AI even provides ready-made HTML codes for malware. 22% of Austrian companies have already been affected by so-called deepfakes in the past twelve months1.
Different regulations depending on the sector
Depending on the type and size of financial companies, the legal situation before DORA differed greatly in some cases. "Banks and insurance companies started digitizing and outsourcing services early on," says Florian Polt. This dependence on IT systems is also the reason why banks and large insurance companies have already been affected by various regulations on ICT security and outsourcing in the past (EBA and EIOPA guidelines). Other financial service providers, such as smaller investment firms, have only had a few points of contact with resilience tests or reporting obligations, for example. "The art of DORA is to create a level playing field for the entire European financial sector through uniform regulation," explains Anna Muri, which means a level and fair playing field for all market participants.
New challenges
"How well the financial sector is prepared for the requirements depends on the cyber maturity of the respective company," says Muri. In addition to familiar topics such as IT risk management, the new content of the regulation poses particular challenges for the sector.
"For smaller companies, it will be an effort to get to grips with the implementation in good time. The trickiest part will be managing third-party providers to the satisfaction of the regulator," suspects Gerald Kogler. Robin Schmeisser also advises not to underestimate the administrative effort behind the management of third-party ICT providers. Especially as resources in companies are often tight and already tied up: "To become DORA-compliant, financial service providers must monitor their existing contracts, talk to their partners, conclude supplementary agreements and keep all details about their ICT service providers, including their supply chains, in the information register in a verifiable manner that can be accessed at any time," explains Robin Schmeisser. With regard to supply chains, DORA presents the financial sector with the task of mapping the entire supply chain of its ICT providers. "Companies need to know the risk," says Muri. "The basis for good ICT risk management is knowing which service providers and sub-service providers I work with and how critical they are."
Threat-led penetration testing according to the TIBER framework is also new for many companies. "The method is fundamentally different from previous tests," says Polt. "These normally took place in a training environment. TIBER, on the other hand, involves testing critical or important functions on the production system, which in the worst-case scenario can actually bring the system to a standstill." Schmeisser sees the advantages of this approach: ""Under stress, different errors occur than in a test environment. The knowledge gained is therefore also significantly higher. Emergency situations like this reveal actual weak points, which allows to draw the necessary conclusions."
Process automation is becoming a necessity
In order to implement the legal requirements at both a technical and administrative level, the various departments within financial companies are required to work together and break through their silo mentality, says Polt: "DORA builds the bridge between IT and business. For us, DORA is not just an IT or security project, but a cross-dimensional undertaking." Schmeisser also emphasizes the relevance of involving all stakeholders: "In companies, there are various stakeholders who have the required information. An important aspect is the coordination of outsourcing and information registers in order to create synergies and avoid redundancies."
For this to work, it requires the automation of processes and document control. As the data that needs to be reported is derived from the contracts, Schmeisser sees the digital management of contracts with ICT third-party service providers as the key to the timely implementation of reporting obligations and preparation for regulatory audits: "With Fabasoft DORA, we offer a standardized solution that digitalizes the entire outsourcing cycle, including the reporting required from a regulatory perspective. With the help of a smart data model, we map digital processes that are based on the process organization of the financial company. The system automatically generates the information register from the database in accordance with the technical implementation standards. In other words: 'Information at your fingertips'," explains Schmeisser.
What happens after the end of the implementation period?
The financial sector does not have much time left until all technical regulatory and implementation standards must be met. "17 January 2025 is a hard deadline for us, and we also expect compliance with the provisions by then," emphasizes Muri. The Financial Market Authority will incorporate DORA into its supervisory review process by the implementation deadline and adapt its methodology accordingly. Companies should therefore be prepared to be able to provide information at any time in the event of an on-site inspection or when an inquiry is received. However, according to Muri, it is unlikely that the authorities will be at the door on the deadline.
Conclusion: Will DORA make the financial world safer?
Even though DORA demands a lot from the affected companies in operational terms, the experts agree that the regulation will make the financial market safer. "DORA not only improves financial companies' own cybersecurity, but also brings the macroeconomic level to the fore", says Schmeisser. "The complete traceability of supply chains makes it possible to identify frequently used service providers whose failure would have consequences for the entire sector and thus prevent systemic risks."
More information about Fabasoft DORA
You can find the recording of the #nextlevel talk here: Livestream in voller Länge: DORA – Herausforderungen und Lösungen... | DiePresse.com (Only available in German)
¹ KPMG & Sicherheitsforum Digitale Wirtschaft des Kompetenzzentrums Sicheres Österreich (KSÖ) 2023: Cybersecurity in Österreich 2023 - KPMG Austria
² Statista 2022: Statistiken zur Internetkriminalität in Österreich | Statista
