Firewalls and Black Swans: Talking DORA with a cyber security expert

Shreeji Doshi

We're looking at how DORA has laid down the requirements around incident response and how it may eventually help the financial industry within EU markets – particularly by reducing the likelihood of a Black Swan event. We could really leverage your experience of doing incident response to contextualise that.

On my reading of DORA, what I've gathered is that DORA has laid down quite prescriptive requirements around incident response, which in my experience I have not come across in other standards. It's going into a significant level of detail on certain areas.

One of them is the incident response management process. It's being prescriptive to indicate that the process should indicate some sort of, you know, early warning indicators. So the incident response management process requires organisations to put in place some sort of early warning indicators, have communication boards set out, establish more detailed incident response procedures, not process but procedures, and communicate to management bodies.

In your experience of doing incident response (IR) and reviewing incident response plans and processes of various organisations, do you think organisations have already captured this? Or might they have to relook at their documentation and how they've set up this process to align to the requirements in DORA?

Alistair Purdy

Yeah, thanks Shreeji. Really good to be here. Good to be talking about DORA and incident response.

I think from my experience of responding to the hundreds of incidents that I have, that there's going to be a wide profile of how companies are prepared to deal with this. A lot of companies may have those plans and procedures in place, have those documents that they’ve put out in the event of an incident and followed through those step-by-step instructions, or those more holistic views.

But in terms of some of the more technical aspects that we need to consider in relation to specifically talking about that requirement from DORA, I don't think many companies will be there yet. Detecting early warning indicators is a very ‘generic’ form of security and that could take a wide group of technology processes including paper processes. So for that you could be looking at, you know, full implementation of a security operations centre with advanced EDR or next-gen AV coverage across your estate, but you're then looking beyond just the endpoint.

You're looking at your perimeter firewalls, your internal firewalls, you know, all of your SaaS solutions that have access to data. And to understand the data all of those give you in terms of incident response, and also to be able to look at them to find those early warning indicators, that's going to be a complex challenge for a lot of organisations, I would say.

Shreeji Doshi

Indeed, and in my view, because not many organisations have this capability in-built, they would always have to look for a partner to help them out in this space. Most big organisations may look to develop this capability in-house, but a lot of organisations would have to look for a partner. Do you agree with that?

Alistair Purdy

I would absolutely agree. You know, larger organisations may have it, or may look to develop it, but there is a significant capital investment and there's significant personnel investment in building up that skill and experience – not just to have the tools in front of them, but to have the people there that know what they’re looking at and understand what they’re looking at, to see if that indicator they’re seeing is an early-warning indicator of an incident or if it's just an IT problem, which is one of the challenges that happens with, you know, trying to detect these events before they happen.

So I think partners and companies looking for partners will be the best placed to get companies ready for DORA and make sure they're compliant, especially with this particular aspect.

Shreeji Doshi

Just one last point, if an organisation looks to outsource these incident management process activities, they still would have to have some internal competency to follow it through, right?

Alistair Purdy

Definitely. So even outsourcing to a partner, you're bringing a company in to do, let’s say managed detection and response, and to look across your entire estate. You’ll still need some internal competencies to understand what your partner’s telling you, so you can work with that partner in making sure that the things that they raise are reviewed and looked at.

On a broader level, also, understand the benefit that that partner is bringing in and what they can look at. Because you need that person with that business context, that internal understanding of what the business does and where its risks are, to understand where to focus that technology and people process from their outside partner to best secure them, and also best comply with DORA.

Shreeji Doshi

And building upon on that, you know, on the business context piece, one of the requirements that I see as very significant and clearly laid out within this regulation is how to classify incidents. What are the parameters as you’re looking at it? And within those parameters, what are the various components that you will need to consider? And if you have to categorise or classify an incident as a major incident, what are the materiality thresholds? DORA is going to a very prescriptive level to indicate what should be a materiality threshold.

This is something very, very prescriptive I’ve not seen before. In my view, again, this is something that organisations should look really hard at during the incident response planning process, to see whether it aligns with what DORA has laid out.

Alistair Purdy

Having looked at the standard myself, it is very prescriptive. It applies some very strict guidelines around what a major incident is, which isn't something, as you said, we've seen from any kind of standard or directive before. So for organisations that's going to be a new challenge to implement that and integrate that into their incident response process, to make sure that, when they're looking at the incident, they’re classifying it for their own purposes.

They should also consider if it hits the requirements of DORA in terms of a major incident. So organisations are going to have to update their plans and processes, but they're also going to have to test them. They’re going to have to take the time to run through these scenarios of what we call table-top exercises, to actually understand if the people at the front line, dealing with it, can make those assessments and everyone agrees with what their assessment is.

Because when you’ve got something so rigid and prescriptive, in my experience, you often actually get more disagreement between the parties about what the classification actually is, versus whether if you’re just deciding if something is an incident or not in a more general sense.

Shreeji Doshi

That's a really great point you raise about testing it, because that definitely would help organisations to find their processes to determine the materiality. It’s a great suggestion and recommendation there.

 Shreeji Doshi

On the specific aspects, what is the overall benefit that the regulator is getting out of doing this harmonisation of incident categorisation or classification into a major incident? What are the benefits you see happening?

Alistair Purdy

I think from the regulator’s point of view, and generally from across the cyber security industry, incidents are a bit of a grey area.

We don't really know that they happen to companies unless they're required to tell people about them. And we don't really know the scale of what's happening across the world. You know, we know what's reported. We know what we pick up from our cyber threat intelligence assets, but we don't know what's going on that we don't know about.

So putting companies on the forefront of having to notify entities and regulated bodies, builds that intelligence picture for those bodies so they can better understand what needs to be done to secure our digital economy, but also understand what other steps they can take to provide better support to all industries and sectors.

In the financial sector, they'll see some significant risks around cyber attacks. Giving the regulator context around what is going on helps to push that industry towards securing different parts of infrastructure or different parts of the supply chain within financial services.

Shreeji Doshi

On the notification piece, you would have dealt with incidents that required regulatory disclosures mostly, if I'm not mistaken, around GDPR-related areas.

What's your experience like? Because what DORA is requesting is an initial report, and then an intermediate report if there are some material changes to the classification of the incident or the incident itself. And then a final report, to lay down what were the losses, what was the impact, what are the corrective measures being implemented?

It is going to that level of detail, requiring three types of reports that, at a minimum, the organisations would need to provide if there is a major incident, and the intermediate report can be submitted multiple times through the incident lifecycle. The timelines have not yet been formalised, we have a little wait for that.

What are your thoughts?

Alistair Purdy

I think this will be likely. What we saw with the initial implementation of GDPR, there will be a few essentially – for lack of better phrase – test cases, right at the start, where organisations do their best effort in that initial notification, then in the interim one, and then in a final one, and provide the information that they think is relevant and hits what they need to do. And then we'll have feedback from the bodies that are receiving them around the detail that is needed or isn't needed.

You know, there is a very firm understanding now, in relation to the likes of GDPR and the timelines involved for all the detail that is needed. Specifically talking about the UK, for example, the ICO and other entities that deal with that. Like the law firms that help companies make those notifications – they all have a very firm understanding about what detail is needed at each stage in order to satisfy the ICO and make sure they comply with their obligations.

I think we will see a process of that being felt out by law firms, or bodies, or companies as they go through with notifications within the first few years of DORA being fully implemented, probably. I think it'll be a wait-and-see point on the detail that's required. And then, as you touched on there in terms of timelines, it’ll be interesting to see what timelines fall out of this.

As we know there's the 72 hours with GDPR, but this level of reporting that's required appears to be a level above what GDPR requires. So it'll be interesting to see what timelines the different bodies come up with and require and how well they sit with the companies being required to meet DORA standards.

Shreeji Doshi

And possibly there is an impact on our industry, which is a cyber advisory or cyber consulting business that provides these services, to refine their processes so that they are able to meet the stringent requirements of DORA.

Alistair Purdy

Right. What we're looking to do in my part of the business, which is incident response, is make sure we have that understanding of DORA, make sure we have that understanding of what companies are required to do. So when one of those organisations comes through the door, we understand right from the start that this is an entity that has a DORA compliance requirement.

If they do know what they’re doing, great, we’ll start work with them. If not, we’ll bring in experts like yourself, Shreeji, to help that company understand what their requirements are and make sure that we're doing that in the right timeframes with the right level of detail.

Shreeji Doshi

Great. Another interesting requirement that I've seen, but currently it’s at a voluntary level, is of reporting significant cyber threats. DORA goes on to explain what a significant cyber threat could be. In my ideal world this is exactly the kind of requirement I’d have – I would even stick my neck out and say it should have been mandatory, because the theme of this conversation is ‘reducing black swan events’.

And mandatory reporting of any and all significant cyber threats could eventually be beneficial to the entire ecosystem, if that information is transmitted across every organisation within it.

Alistair Purdy

Yeah, definitely. I think the big challenge to get that, as you said, comes from it being on a voluntary basis. What will spur change is organisations understanding that their notifications of what they perceive to be a significant cyber threat isn't going to come back on them.

It's not going to spur the regulator to start knocking at their door and seeing what they're doing. Instead, it will be welcomed as shared intelligence given to strengthen the community and increase collaboration. You know, as part of one the core things that we do with cyber threat intelligence, we build that into the base of everything that we do.

We'd love to see more reporting from organisations that can see threats as they’re emerging, because that not only helps organisations respond, that helps the wider community respond, and it helps secure that entire industry and, by extension, especially with financial services, the digital economy in every country.

Shreeji Doshi

I'm very pleasantly surprised by DORA’s requirements. I really hope incident reporting becomes mandatory. Do you have anything else, Alistair, that you would want to flip to me?

Alistair Purdy

Just to throw one back to you then. From my reading of DORA, it looks like it's trying to push companies towards having the best practices and the best approaches to dealing with cyber security.

Yes, there are all these stringent things around how we'd classify major incidents and how they want organisations to respond to them. You've done a lot more reading on it than I have. What is your overall feeling for the approach? What are the outcomes this DORA regulation wants?

Shreeji Doshi

The intention of the regulator is fairly clear. It wants to ensure that the financial industry, all the participants within the financial industry, are not impacted or are at least less impacted by cyber attacks.

If there is an attack like SolarWinds, there could be huge ramifications for the entire industry. DORA wants to reduce the likelihood and also the impact of such an event happening and these stringent requirements that we see on incident reporting are essentially to address that.

So in my view, the regulator has done a great job. It's a bit too late, but it's great that it is finally catching up.