“Dora the Explorer” is an animated television series centered around a young Latina girl, Dora, who goes on adventures to solve a specific problem or goal that is established at the start of each episode. The Nickelodeon series, which launched in 2000, was so popular with children that it spawned multiple spin-offs and one of the highest-grossing retail franchises ever, which, at the height of the show’s popularity, was worth $13B. The lasting impact of Dora the Explorer is the lessons the program taught millions of children. Now, the banking industry has the chance to learn from another type of DORA — the European Union’s (EU) Digital Operational Resilience Act, which aims to enhance the digital resilience of the financial sector.

Why DORA?

DORA is an EU legislative framework that seeks to diminish the risks of the financial sector’s increasing reliance on technology and third-party technology providers. DORA will do this through a set of standardized processes regarding reporting, management, and the way that organizations react to information and communications technology (ICT) risks. The goal of the legislation is to heighten preparedness within the financial system and reduce the possibility of wide-reaching digital events, such as the July 2024 CrowdStrike security update that led to a massive IT outage, grinding business to a halt at millions of organizations around the world. The new rules were put into effect in January 2023, but they will not be enforced until January 2025.

DORA’s Rules and Requirements

The following are DORA’s requirements:
- Diligent risk management regarding third-party ICT.
- Mandatory reporting of ICT-related security breaches.
- Extensive operational resilience testing, using procedures such as the EU’s threat intelligence-based ethical red teaming (TIBER-EU), which allows organizations to use simulated cyberattacks on themselves to identify weaknesses in their security.
To ensure that EU financial institutions take the new rules seriously, financial institutions that fail to comply can be hit with fines as high as 2% of their annual global revenues. EU authorities can also levy fines of up to $1.1MM against individual managers when breaches occur. Given the rising importance of third-party providers in the equation, regulators are also prepared to levy fines of up to 1% of average daily global revenues for the previous business year against IT providers. Firms can face additional daily fines, for up to six months, until they take the steps necessary to become compliant. While DORA’s rules and regulations are targeted at EU organizations, they will still apply to organizations that provide services to customers residing within the EU. Similarly, US-based ICT service providers who serve as third-party providers for EU financial organizations also fall within the confines of the regulatory framework. For the most part, however, DORA’s greatest significance for US financial institutions may be the guidance it provides on some of the most effective ways to enhance digital operational resilience.

What Your Institution Can Learn from DORA

A major component of DORA is the requirement for organizations to share information with one another regarding security risks, from incidents and the way an organization responds to them, to close calls. This requirement extends to incident management related to third-party providers. By enhancing visibility within the financial services industry of the threats experienced by their peers, the hope is that organizations will be able to more effectively improve their own security measures. The regulation also forces financial institutions to do deeper due diligence on the security measures in place at third-party technology providers.
The broad steps that DORA encourages organizations to take are also ways in which community financial institutions can improve their own cybersecurity and digital resilience to fraud. Some of the key strategies of DORA that community financial institutions can implement or enhance include:
- Incident management
- IT risk management
- Digital operational resilience testing and implementation for better third-party risk management.
As community financial institutions strive to enhance their own cybersecurity, they would be well served to dig into some of the suggestions outlined by DORA and keep a close watch on how European financial institutions respond to the impending enforcement of the new regulations.