Published: 12 hours ago
Author: Shilpa Doreswamy, Sector Director of Retail Banking, GFT
The financial services industry is increasingly grappling with the critical issue of downtime. In today’s digital age, even a brief outage can have severe repercussions, costing banks almost $5 million an hour, discounting any penalties and fees.
Preventing IT outages within financial institutions is the main driver behind The European Union’s Digital Operational Resilience Act (DORA). The Act provides an intricate framework of regulatory requirements that financial institutions must follow to strengthen their digital resilience and ensure continuity of services during disruptions.
UK financial firms operating in the EU will be required to plan strategically and bolster their security measures to meet DORA’s stricter resilience requirements, which focus on IT risk management, incident reporting, operational resilience testing, and third-party risk management.
As financial institutions in the UK prepare for the incoming regulation in January 2025, key considerations must be made regarding ongoing digital projects to ensure compliance with DORA.
Strengthening Cybersecurity Infrastructure
Acknowledging the rising threat of sophisticated cyberattacks on financial institutions, DORA places a high emphasis on cybersecurity as a cornerstone of operational resilience. As financial institutions become increasingly reliant on cloud-based services, big data and artificial intelligence (AI), the risk landscape becomes all the more attractive to attackers, necessitating stronger cybersecurity measures.
This makes it crucial for businesses in the financial services sector to upgrade their cybersecurity frameworks to include real-time threat detection, incident response, and advanced data encryption technologies. This can also involve deploying AI-driven solutions capable of monitoring systems continuously and responding to threats autonomously.
One of the gaps in current resilience practices is that many organisations are still struggling to maintain adequate cybersecurity defences despite facing increasingly complex cyber threats. These shortcomings can be addressed by integrating AI and other emerging technologies, which can help businesses adapt to new risks by automatically identifying potential vulnerabilities before they are exploited.
Investments should also be made into other preventative measures such as stronger encryption mechanisms, improved access controls, and real-time monitoring tools that can promptly detect and isolate breaches, thereby reducing the likelihood of large-scale disruptions.
Improving Third-Party Risk Management
One of the most rigorous requirements of DORA is the management of third-party risk, given the heavy reliance of financial institutions on external vendors for critical services such as cloud computing, payment processing, and data analytics. The risks associated with these third parties, particularly in relation to cybersecurity and service continuity, can be substantial, as exemplified by the various cyber breaches against banks and financial institutions. More often than not, such breaches stem from the exploitation of vulnerabilities in a third-party provider’s security posture.
To ensure compliance with DORA, financial institutions need to conduct thorough due diligence and risk assessments before onboarding new vendors, and to establish clear contractual obligations regarding operational resilience and cybersecurity. Additionally, it is crucial for institutions to categorise vendors based on the criticality of the services they provide, with higher-risk providers subject to more stringent monitoring and control. Establishing well-defined incident response plans with vendors is an equally important requirement of DORA, as this ensures coordinated action during crises or disruptions within any financial institution.
Another critical adjustment is the continuous monitoring of third-party vendors’ performance. To achieve this, financial institutions should deploy automated tools that track vendors’ operational status in real time, enabling prompt responses to any emerging risks. Penetration testing and scenario-based testing should also become a routine part of third-party management, as this provides assurance that vendors are prepared to handle any potential disruptions.
Upgrading Legacy Systems
Another key challenge that many financial institutions face is dependence on outdated legacy systems. These systems are often difficult to secure and to integrate with modern technologies, making them vulnerable to cyberattacks and operational disruptions. DORA mandates that financial institutions have robust digital infrastructures that can withstand operational stresses, cyber threats and technological failures.
To meet these requirements, ongoing digital projects need to prioritise the modernisation of core banking systems. This can include migrating to cloud-based solutions that offer better scalability, security and resilience compared to traditional on-premises systems. However, transitioning to cloud technologies needs to be done carefully and with a trusted partner, to ensure minimal disruption to operations and continued compliance with DORA’s stringent data protection and resilience standards.
Moreover, financial institutions can invest in automation and AI tools to streamline their operations and improve the overall robustness of their systems. Automation can play a crucial role in mitigating the risks associated with legacy systems by optimising processes, reducing human errors, and ensuring continuity of services during disruptions.
Enhancing Operational Resilience
Operational resilience goes beyond disaster recovery; it encompasses an institution’s ability to adapt and respond to prolonged disruptions, whether they stem from cyberattacks, pandemics, or geopolitical events. Compliance with DORA requires financial institutions to maintain business continuity and disaster recovery plans (BCPs) that are regularly tested and updated to meet new and evolving threats.
Financial institutions also need to ensure that their operational resilience strategies are fully integrated across all levels of the organisation. This includes developing agile continuity plans capable of addressing a broad range of scenarios, from minor disruptions to major crises, along with regular stress testing and scenario planning, which are critical to identifying potential weaknesses in the institution’s resilience framework. These tests should simulate both market shocks and operational failures, providing insights into the strength of the institution’s operational systems under extreme conditions.
AI and advanced analytics can also be leveraged to enhance stress testing capabilities. By simulating a variety of risk scenarios, financial institutions can better understand how their systems will perform under pressure, allowing for more informed decision-making when crafting operational resilience strategies.
Improving Regulatory Reporting and Compliance Monitoring
DORA sets stringent standards for regulatory reporting and compliance monitoring. Financial institutions must ensure that their reporting systems are accurate, timely, and capable of handling the complexity and volume of regulatory requirements. Automation can make this easier while also significantly improving efficiency, reducing human error, and helping to ensure compliance with evolving regulatory frameworks.
When it comes to ongoing digital projects, real-time data analytics and automated reporting tools should be incorporated to streamline compliance processes. By using AI and robotic process automation (RPA), financial institutions can automate the collection, analysis, and reporting of data needed for regulatory filings, improving the speed and accuracy of submissions.
Moreover, real-time monitoring of key operational metrics can also help institutions maintain compliance with DORA by providing timely insights into their resilience and risk exposure. This continuous monitoring will allow institutions to respond more swiftly to regulatory inquiries and adapt to changes in the regulatory landscape.
In conclusion, as financial institutions move deeper into the digital age and integrate newer technologies into their operations, compliance with the Digital Operational Resilience Act (DORA) is not merely a regulatory requirement; it is a vital step toward safeguarding the sector against an increasingly complex risk landscape.
Financial institutions that prioritise the adjustments stated above will not only comply with DORA but also enhance their capacity to anticipate and respond to emerging threats, ensure continuity and maintain customer trust. As the financial ecosystem becomes more complex and interconnected, resilience will be the foundation of maintaining a competitive edge in the digital age.