Study: financial services organizations show progress in implementing the new EU regulation on digital operational resilience


Organizations in the financial services industry are beginning to register significant progress in implementing the changes needed to comply with the new EU regulation, the Digital Operational Resilience Act (DORA): a third of them (29%) started preparing in 2022 and, of these, 29% had already completed 75% of their implementation roadmap by February 2023, according to the latest edition of the Deloitte survey on DORA. DORA, which entered into force in 2023, is the EU’s most important regulatory initiative on operational resilience and cybersecurity in the financial services sector and requires organizations to implement specific changes within 24 months of its adoption.

All four pillars of DORA – information and communications technology (ICT) risk management, incident reporting, digital operational resilience testing and ICT third party risk – are equally challenging for financial entities, the study points out, but a third of the respondents (33%) say that the fourth is the hardest to comply with. The report highlights that companies are behind in performing third-party risk assessments: seven out of ten surveyed organizations (69%) perform them once per year, which is not enough to meet the DORA requirements, while only 13% perform them on a continuous basis, as DORA requires. Complying with these requirements also means regularly reviewing the ICT third party risk strategy in light of the organization’s multi-vendor strategy. Such an approach will be a challenge for players in the financial services industry, as 29% of respondents are still defining a holistic ICT multi-vendor strategy and 21% of them will need to update it by 2025, having defined it before 2022.

Identifying the interconnections between ICT and critical third party technology providers is another challenge organizations can encounter while implementing DORA. Four in ten surveyed financial institutions (43%) said they have not started this process for the providers that support the critical and important functions of the company. The study highlights that the operations most often considered critical and important functions are authorization (14%) and authentication of payment transactions (12%), followed by IT operations and customer related transactions in digital channels (12% each).

“In order to comply with the DORA requirements, organizations will not only require classifying the critical or important functions, whose interruption would impair their financial performance and the continuity of their services, but also constantly updating the list of these functions and mapping them to the entire supply chain of the ICT service providers, critical or not, as defined by the criteria within the upcoming Regulatory Technical Standards. Additionally, financial entities will need to develop resilience scenario testing methods and a multi-vendor strategy for all the systems that support critical and important functions,” stated Sergiu Zaharia, Director Cyber Strategy Advisory, Deloitte Romania.

DORA will also challenge financial institutions in terms of annual testing of their incident response plan. Four out of ten respondents (36%) have performed drill testing of their incident response plan covering the critical and important functions in the past 12 months, while 64% have not performed such tests in the past 12 months.

Under the DORA requirements, financial organizations will also have to perform threat-led penetration testing (TLPT), covering all critical ICT systems and applications and important functions, on live production systems. Half of the surveyed financial entities have conducted such tests, while the other half have only tested in a non-live environment. Financial entities prefer to perform TLPT using a mix of internal teams and consultants: 57% of respondents have a Blue Team role internally, responsible for ensuring the effectiveness of the security measures within the organization, while Red Team activities, which attempt a physical or digital intrusion against the organization, and Purple Team activities, a combination of the blue and red teams, are covered by external consultants.

The latest edition of the Deloitte survey on the Digital Operational Resilience Act gathers the opinions of CISOs, CIOs, Operational Risk Managers, IT Risk Managers and CROs of financial entities across 20 European countries. The report aims to gauge the readiness of financial institutions to comply with DORA and the associated challenges these institutions are facing.
