DORA Regulations, European Banks, and Third-Party Risk


DORA, the Digital Operational Resilience Act, is a new EU regulation whose goal is to strengthen the cyber resilience of the financial sector. This package of requirements was released in 2023, and the European Supervisory Authorities (ESAs) expect financial institutions to be compliant by January 2025. In addition to banks, a wide swath of finance-related organizations, including credit monitoring agencies, falls under this regulation. 

At Veritas we have years of experience supporting data security requirements through close partnerships with businesses such as banks. Banks have a low risk tolerance and are highly regulated; their data security requirements are therefore rigorous, and Veritas software and hardware have evolved over time to meet them. 

An EU regulation of this kind is challenging to take in: we note that “recover” is mentioned 60 times. Since Veritas is an 18-year winner of the Gartner Magic Quadrant designation for backup and recovery, we will focus on three key elements of this extensive regulation. 

Overview of DORA’s structure  

DORA is organized into five main sections or “pillars,” and within these sections are 45 “articles,” or sub-categories. DORA uses the acronym ICT for Information and Communication Technology; we will use ICT and IT, or information technology, interchangeably here. 

DORA sections: 

  • ICT Risk Management 
  • ICT-related Incident Management, Classification and Reporting  
  • Digital Operational Resilience Testing 
  • ICT Third-party Risk 
  • Information Sharing 

DORA deeper dives: governance, backups, detection, and third parties  

GOVERNANCE—Article 5. 

“…The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework…” 

It is vitally important that management is fully aware of DORA and understands it well. The management body of the organization will be held personally accountable for non-compliance, as described in DORA Article 50:  

“…Member States shall confer on competent authorities the power to apply the administrative penalties and remedial measures, subject to the conditions provided for in national law, to members of the management body, and to other individuals who under national law are responsible for the breach”  

Since an organization’s highest executive leadership is responsible for compliance with DORA, it is critically important to employ a cross-functional team – legal, engineering, IT, and security – with strong communication skills to comply with DORA Article 50.  

BACKUPS—Article 12. 

“When restoring backup data using own systems, financial entities shall use ICT systems that are physically and logically segregated from the source ICT system. The ICT systems shall be securely protected from any unauthorized access or ICT corruption and allow for the timely restoration of services making use of data and system backups as necessary” 

Two sub-categories regarding backups are imperative to understand. EU businesses will need to be able to prove that they can:  

  1. Restore backups to another location that is physically and logically segregated from the source; and

  2. Keep backup data securely protected from unauthorized access and corruption (immutable). 

Working closely with our customers, we have observed the lessons learned following ransomware attacks and successful recoveries. In turn, we have seen increasingly stringent regulatory requirements concerning backup and recovery. In ransomware scenarios, the victim typically begins the incident response process by isolating or turning off the infected production environment to contain the damage and reduce the risk of data loss. Next, the victim must bring up a separate recovery environment to identify the last known good (clean) backups, perform forensics and cleaning, and recover pre-determined critical applications and services. Veritas has an integrated solution for this called the Isolated Recovery Environment, described in this blog by Demetrius Malbrough.  

Immutable backups are now necessary, in combination with phishing-resistant multi-factor authentication and zero-trust principles. The DORA mandate that backup data be “securely protected” states little but implies much.  

Because the backup system is one of the most important targets for an attacker – it is the last line of defense – DORA-regulated entities must demonstrate what safeguards are in place. We recommend using solutions that already meet the stringent requirements of the financial sector, so that documentation is readily available during an audit.

Download the Cohasset Associates assessment of Veritas solutions towards FINRA and SEC requirements to see how we can help you with DORA Article 12. 

DETECTION—Article 10.  

“…Financial entities shall have in place mechanisms to promptly detect anomalous activities” 

Veritas continues to deliver and strengthen AI-powered anomaly detection technology. When we back up data, our software applies machine learning to the established patterns of that data transmission. Veritas tools answer questions such as: What does a backup of that specific server usually look like? How many files do we usually back up each day from that NAS device? We learn the baseline for each source and send a notification if something deviates from it. We also watch for specific administrative events in our software, for the file extensions being transferred during backup, and for changes to the client installation at the source – we are constantly adding ways to find malicious activity in systems.

Integrated in our solution is a malware scan feature that scans backups with a signature-based malware scanner. This scan can find malware in backups and ensure that the system does not restore it. The feature matters when disaster strikes and the intent is to restore only uninfected files, or the last known good backup. Combined with anomaly detection it is a strong control, and with the Veritas solution in place our customers have a documented process for detecting anomalous activity.
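The per-source baseline idea described above, together with the “identify the last known good backup” step from the ransomware recovery scenario, as an added illustration that is not Veritas code: each nightly job is summarised per source, a robust baseline (median and median absolute deviation) is learned from a clean window, and a job is flagged when its file count or transferred volume falls outside that baseline or when it carries file extensions never seen before. Walking the job history in order then yields the most recent job before the first flagged one. The server name, dates, counts, volumes and the `.locked_example` extension are all constructed sample values.

```python
"""Per-source backup baselines with anomaly flags and last-known-good selection.

Added illustration, not Veritas product code. A JobSummary is one nightly backup
job for one source; every value in the sample data below is constructed.
"""
from dataclasses import dataclass
from statistics import median
from typing import FrozenSet, List, Optional

GB = 10**9


@dataclass(frozen=True)
class JobSummary:
    day: str                      # constructed ISO date of the job
    source: str                   # backup client, e.g. a file server or NAS share
    files: int                    # files transferred in the job
    bytes_sent: int               # bytes actually transferred (after deduplication)
    extensions: FrozenSet[str]    # file extensions observed in the job


@dataclass(frozen=True)
class Baseline:
    files: List[float]
    bytes_sent: List[float]
    extensions: FrozenSet[str]


def mad_score(value: float, history: List[float]) -> float:
    """Robust z-score: distance from the median in units of the median absolute deviation.

    MAD is used instead of the standard deviation so that one odd night inside the
    learning window does not inflate the spread and mask later anomalies.
    """
    med = median(history)
    mad = median(abs(h - med) for h in history)
    if mad == 0:
        # Flat history: scale the deviation by the median itself (1.0 avoids dividing by zero).
        return abs(value - med) / max(abs(med), 1.0)
    # 1.4826 makes the MAD comparable to a standard deviation for normally distributed data.
    return abs(value - med) / (1.4826 * mad)


def learn_baseline(history: List[JobSummary]) -> Baseline:
    """Learn what a normal job for this source looks like from a window believed clean."""
    return Baseline(
        files=[float(j.files) for j in history],
        bytes_sent=[float(j.bytes_sent) for j in history],
        extensions=frozenset().union(*(j.extensions for j in history)),
    )


def check_job(job: JobSummary, baseline: Baseline, threshold: float = 3.5) -> List[str]:
    """Return alert strings for the job; an empty list means it matches its baseline."""
    alerts: List[str] = []
    f = mad_score(job.files, baseline.files)
    if f > threshold:
        alerts.append(f"{job.source} {job.day}: file count {job.files} off baseline (score {f:.1f})")
    b = mad_score(job.bytes_sent, baseline.bytes_sent)
    if b > threshold:
        alerts.append(f"{job.source} {job.day}: {job.bytes_sent // GB} GB transferred off baseline (score {b:.1f})")
    unseen = job.extensions - baseline.extensions
    if unseen:
        alerts.append(f"{job.source} {job.day}: extensions never seen in baseline: {sorted(unseen)}")
    return alerts


def last_known_good(jobs: List[JobSummary], baseline_len: int = 14,
                    threshold: float = 3.5) -> Optional[JobSummary]:
    """Walk jobs chronologically and return the last one before the first anomalous job.

    The first baseline_len jobs are treated as the clean learning window.
    """
    if len(jobs) < baseline_len or baseline_len == 0:
        return None
    baseline = learn_baseline(jobs[:baseline_len])
    good = jobs[baseline_len - 1]
    for job in jobs[baseline_len:]:
        if check_job(job, baseline, threshold):
            return good
        good = job
    return good


# Constructed sample data: fourteen normal nights for one file server.
USUAL_EXT = frozenset({".docx", ".xlsx", ".pdf", ".pst"})
_FILES = [10200, 10350, 10180, 10400, 10260, 10310, 10220, 10390, 10270, 10330, 10240, 10300, 10360, 10210]
_GBS = [510, 515, 509, 518, 512, 514, 511, 517, 513, 516, 512, 515, 517, 510]
HISTORY = [
    JobSummary(f"2024-03-{d:02d}", "fileserver01", n, g * GB, USUAL_EXT)
    for d, (n, g) in enumerate(zip(_FILES, _GBS), start=1)
]
TODAY_NORMAL = JobSummary("2024-03-15", "fileserver01", 10290, 514 * GB, USUAL_EXT)
# A mass rewrite: many more changed files, encrypted content defeats deduplication so the
# transferred volume balloons, and a constructed extension appears for the first time.
TODAY_SUSPECT = JobSummary("2024-03-16", "fileserver01", 48000, 1900 * GB, USUAL_EXT | {".locked_example"})
BASELINE = learn_baseline(HISTORY)

if __name__ == "__main__":
    for job in (TODAY_NORMAL, TODAY_SUSPECT):
        print(job.day, check_job(job, BASELINE) or "no alerts")
    lkg = last_known_good(HISTORY + [TODAY_NORMAL, TODAY_SUSPECT])
    print("last known good:", lkg.day if lkg else None)
```

The three flags are deliberately independent: a ransomware run that keeps extensions intact still trips the file-count and volume checks, and a small-scale change to unusual file types trips the extension check on its own. In a real deployment the learning window would be refreshed as jobs are confirmed clean, so the baseline follows legitimate growth without absorbing an incident.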

Access our Whitepaper on malware detection. 

THIRD PARTIES—Article 28. 

“…Financial entities shall ensure that they are able to exit contractual arrangements without: (a) disruption to their business activities, (b) limiting compliance with regulatory requirements, (c) detriment to the continuity and quality of services provided to clients. Exit plans shall be comprehensive, documented and, in accordance with the criteria set out in Article 4(2), shall be sufficiently tested, and reviewed periodically…” 

DORA’s pillar concerning third-party security is extensive, complex, and challenging to implement and enforce. Effective risk management now entails a strong program to vet the security of critical systems outsourced to, or running at, a third-party service provider. This could be one of the larger cloud service providers such as Azure, AWS, or Google, but it can also be your local datacenter service provider. Either way you need to manage the risk related to this contracted delivery, and for this specific requirement you need a plan B. 

Additionally, a “third party” is any external company that delivers a product, application, or service that is integrated into the DORA-regulated entity’s IT system. If that third party delivers critical IT, such as a security or business-critical application, it will also need to demonstrate adequate security controls. 

The DORA third-party pillar also indicates that entities will need to prove they have a ready-made process, or system, to migrate from one service provider to another with minimal disruption. This requirement is not met by being able to migrate one server at a time to another place by hand. It is more of an active-standby scenario in which the organization can fail over to another service provider. Veritas has for years helped customers securely perform these movements of data at scale. Cloud migration details are covered in: Alta Enterprise Resiliency.

Summary 

Although DORA is extensive and represents a substantial regulatory requirement for a broad range of EU financial entities, Veritas has for decades been helping to secure truth in information. We deliver secure, dependable, and scalable hardware and software systems with high availability and disaster recovery capabilities. We are in the business of ensuring business critical systems are running and capable of providing business   

Check out the DORA regulation.

Magnus Mårtensson
Technical Sales Engineer, Nordics
Dr. Joye Purser
Field CISO Veritas