DORA Digest June 2024

Instead, they have depended on new (AI-driven) technology to function without any sort of human oversight. In these cases it seems clear that they have assumed that there would never be any need to create an incident response process or develop plans for incident recovery.  

The view from the UK  

A joint paper from the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA) and the Bank of England established rules and guidance on improving operational resilience in the financial services sector. Published in 2021, the paper set a strict deadline of 31 March 2025 by which affected organisations must demonstrate a high level of operational resilience.

By this date, these firms are required to show that they have performed mapping and testing that proves they will “remain within impact tolerances” for each of their core functions and services. Most importantly, this testing is required to confirm vulnerabilities in the operational resiliency of the UK’s financial services organisations.

Cybersecurity will form a key part of all operational resilience planning. It should be regularly tested as systems, processes, technologies, and the threat landscape itself develops and changes.  

Testing times for European banks 

As we write this edition of DORA Digest, the European Central Bank (ECB) is conducting its first-ever round of cybersecurity stress testing on 109 banks. The exercises will consider the ability of banks to recover from a theoretical cybersecurity attack that disrupts their operations.

A smaller number of banks (28 in total) are facing an additional and enhanced assessment that’s intended to provide a representative view of the banking sector across Europe.

Themes the ECB is particularly interested in include:

• supply chain risk and third-party compromise;
• Distributed Denial of Service (DDoS) attacks; and
• cloud security incidents.

It’s worth noting that all three themes are relevant to almost all organisations, whether they are part of the financial services sector or not.  

The results of this testing will be released later this year. The findings are likely to be keenly scrutinised by other financial services organisations across the EU, as they embark on their own compliance journeys towards DORA’s 2025 deadline.  

Key takeaways 

• Remember that conducting an effective cybersecurity stress test requires planning and the inclusion of several crucial elements without which the exercise will be half-baked or largely useless.
• Extensive and relevant insights from the threat landscape in which your organisation operates and the known risks to your industry should be accounted for when designing your tests.

Context is key, so beware of poor impersonations of threat intelligence. It is alarming how often our team comes across “threat intelligence” that is really just a context-free list of common vulnerabilities and exposures (CVEs). Adding context to technical findings or observations allows decisions around business actions to be made based on the risk appetite of business stakeholders.  

Without the context it is impossible to provide an answer to the crucial question – ‘So what?’  Context means:

• knowing what threat actors are doing;
• how they are operating; and
• who they are targeting.

Now what?

Moving forward, all organisations should incorporate a cybersecurity stress testing approach. They should seek to confirm how effective and robust their cybersecurity controls and existing plans truly are. Testing and validating controls, approaches, plans and conducting modelling across a combination and range of scenarios will not only drive engagement with stakeholders, but also enable businesses to focus on areas which matter to their stakeholders and not based on the “gut feel” of individual employees.  

Thomas Murray and the finance sector

The complexities, dependencies, and nuances of how the financial services sector operates means that intimate knowledge of the industry is required when working with third parties. For 30 years, Thomas Murray has been trusted by the global financial services industry to identify and manage risk. We leverage our experience and expertise to work with financial services organisations to improve their operational resilience.