‘Resilience’ has become the motto of the financial services industry (or one of its mottos, anyway). Developing that resilience is, however, easier said than done.
We know that cybersecurity is becoming increasingly difficult for financial sector organisations to manage on their own, as threat actors are continuously developing the skills and resources needed to disrupt the global economy.
It has never been more important for the industry to leverage detailed insights and experience from a team driven by threat intelligence with an unparalleled experience of financial services organisations at all levels, from small investment houses to central banks. Even so, when we’re performing incident response work, we still see clients who have not considered their cybersecurity in any depth – let alone focused on it.
Instead, they have depended on new (AI-driven) technology to function without any sort of human oversight. In these cases it seems clear that they have assumed that there would never be any need to create an incident response process or develop plans for incident recovery.
The view from the UK
A joint paper from the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA) and the Bank of England established rules and guidance on improving operational resilience in the financial services sector. Published in 2021, the paper set a strict deadline of 31 March 2025 by which affected organisations must demonstrate a high level of operational resilience.
By this date, these firms are required to show that they have performed mapping and testing that proves they will “remain within impact tolerances” for each of their core functions and services. Most importantly, this testing is required to confirm vulnerabilities in the operational resiliency of the UK’s financial services organisations.
Cybersecurity will form a key part of all operational resilience planning. It should be regularly tested as systems, processes, technologies, and the threat landscape itself develops and changes.
Testing times for European banks
As we write this edition of DORA Digest, the European Central Bank (ECB) is conducting its first-ever round of cybersecurity stress testing on 109 banks. The exercises will consider the ability of banks to recover from a theoretical cybersecurity attack that disrupts their operations.
A smaller number of banks (28 in total) are facing an additional and enhanced assessment that’s intended to provide a representative view of the banking sector across Europe.
Themes the ECB is particularly interested in include:
- supply chain risk and third-party compromise;
- Distributed Denial of Service (DDoS) attacks; and
- cloud security incidents.
It’s worth noting that all three themes are relevant to almost all organisations, whether they are part of the financial services sector or not.
The results of this testing will be released later this year. The findings are likely to be keenly scrutinised by other financial services organisations across the EU, as they embark on their own compliance journeys towards DORA’s 2025 deadline.
Key takeaways
- Remember that conducting an effective cybersecurity stress test requires planning and the inclusion of several crucial elements without which the exercise will be half-baked or largely useless.
- Extensive and relevant insights from the threat landscape in which your organisation operates and the known risks to your industry should be accounted for when designing your tests.
Context is key, so beware of poor impersonations of threat intelligence. It is alarming how often our team comes across “threat intelligence” that is really just a context-free list of common vulnerabilities and exposures (CVEs). Adding context to technical findings or observations allows decisions around business actions to be made based on the risk appetite of business stakeholders.
Without the context it is impossible to provide an answer to the crucial question – ‘So what?’ Context means:
- knowing what threat actors are doing;
- how they are operating; and
- who they are targeting.
Now what?
Moving forward, all organisations should incorporate a cybersecurity stress testing approach. They should seek to confirm how effective and robust their cybersecurity controls and existing plans truly are. Testing and validating controls, approaches, plans and conducting modelling across a combination and range of scenarios will not only drive engagement with stakeholders, but also enable businesses to focus on areas which matter to their stakeholders and not based on the “gut feel” of individual employees.
Thomas Murray and the finance sector
The complexities, dependencies, and nuances of how the financial services sector operates means that intimate knowledge of the industry is required when working with third parties. For 30 years, Thomas Murray has been trusted by the global financial services industry to identify and manage risk. We leverage our experience and expertise to work with financial services organisations to improve their operational resilience.
DORA regulation applies in:
Subscribe to DORA Digest and stay up to date with the key issues
and developments unfolding as the countdown to DORA begins.
Are you ready for DORA?
Use our free, easy-to-follow Readiness Toolkit to determine how close your organisation is to meeting all the Digital Operational Resilience Act (DORA) requirements. Once completed, we’ll send you a free report outlining how prepared you are for DORA. You can use our output to create an action plan to achieve compliance by 17 January 2025.
We safeguard clients and their communities
Petroleum Development Oman Pension Fund
“Thomas Murray has been a very valuable partner in the selection process of our new custodian for Petroleum Development Oman Pension Fund.”
ATHEX
"Thomas Murray now plays a key role in helping us to detect and remediate issues in our security posture, and to quantify ATHEX's security performance to our directors and customers."
Northern Trust
“Thomas Murray provides Northern Trust with a range of RFP products, services and technology, delivering an efficient and cost-effective solution that frees our network managers up to focus on higher Value activities.”