Wednesday, August 9, 2023

DORA: HOW US BASED FINANCIAL FIRMS NEED TO PREPARE FOR ICT GOVERNANCE


What is DORA and ICT Governance?

There are many laws and regulations that affect global business entities.  International banking and financial firms face many regulatory hurdles depending on the jurisdiction in which the office and the transactions are located, which causes confusion over which law takes precedence over another regulation.  Cybersecurity laws are no exception, as the laws on that subject differ across the 50 states and territories in this country.  Compound that with the many international regulations and directives from the multitude of countries where these firms do business.  The European Union is one of the parliamentary bodies that has been at the forefront in the creation of cyber laws that pertain to security and privacy.  The most well known one is the General Data Protection Regulation, or GDPR[i] as it is commonly referred to.  This directive has been laid out in clear, concise articles that define the expectations for protecting consumers, as opposed to the vagueness of the FTC Article 5(a).  Recently, a new proposal called the Digital Operational Resilience Act, or DORA, has been put forward and is expected to become law and enforceable in 2024.  The DORA legislation is the nexus event for the international financial industry and will usher in new, higher standards.

The DORA legislation directs firms to follow the information and communication technology (ICT) guidelines set out in the Final Report on Guidelines on ICT and Security Risk Management[ii].  The legislation is very similar in nature to the NYDFS Cybersecurity Requirements for financial services companies[iii], providing subject, scope and definitions for governance, strategy, and third-party services.  The ICT guidance is not specific to the financial industry; it is more similar to the guidance found in the NIST SP 800 and NIST SP 1800 series documents.  The ICT guidelines have a well-defined risk management framework, which is very similar to NIST Special Publication 800-37[iv].  This is the basic baseline for what DORA and the ICT guidelines will mean to US based financial institutions that have operations within the European Union.

RISK MANAGEMENT

Will this be a challenge for US based financial services firms?  While the larger companies should not have an issue with compliance, a number of the smaller firms will face significant challenges in adhering to the new DORA legislation.  One common factor is that the majority of these firms already have to maintain compliance with US federal and state laws that pertain to the financial industry and to publicly traded companies, as well as with other industry-mandated standards.  For instance, if a company has anything to do with any type of credit or debit card, as most financial companies do, then it is required to adhere to the Payment Card Industry standards, which are published as the PCI-DSS requirements[v].  The PCI-DSS standards provide for the security of data in motion and data at rest, security controls, cryptography, monitoring and logging, along with many more governance items.

Risk management is the key component of the ICT Directive part of DORA.  There is a requirement to have formalized disaster recovery and business continuity plans, along with requirements to set up system tools that identify risk and provide measures to prevent and protect against any issues that might arise.  Another covenant is the requirement that management ensures that staff are properly trained in the control governance that supports the operations policies and the security risk management processes and procedures.  This requirement has a provision that the budget must allocate for all staff members to receive this training on an annual basis.  This also makes management accountable for the creation, approval, and oversight of all strategy related to security risks and cybersecurity.  This closely parallels some of the same requirements that are part of the NYDFS Cybersecurity Requirements.

However, a better approach to meeting and exceeding the requirements of the DORA and ICT Directives would be to model the program after NIST SP 800-37r2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (nist.gov)[vi].  The similarities between these two documents lie in their call for the systematic identification of risk and continuous reassessment of any factors, allowing for the calibration of plans, policies, procedures, and tools.  In a Bank of England paper on whether a cyber attack could impact the financial sector, the importance of trust, integrity, availability, and recoverability to risk mitigation was stressed in this graphic.[vii]



PRIVACY

One of the other concerns is whether the tenets of the Gramm-Leach-Bliley Act[viii], specifically the Safeguards Rule for financial institutions, would cause any conflicts with DORA.  There are parallels that can be drawn between the GLBA and DORA where the wording is slightly misaligned but the meaning is still the same: the GLBA uses the term privacy of its customers, while the DORA legislation uses confidentiality of data.  The spirit of both is that the integrity, security, and confidentiality of customer financial information must be maintained within any information system operated by the financial institution or any third-party provider.  The goal is to achieve trust in the system, such that all monies and other financial instruments are kept secure and safe from loss.  Privacy and confidentiality are often used interchangeably in cybersecurity doctrine, although there are small differences in the vernacular.


Third-Party Providers

The supply chain is a softer target than the defenses that a financial firm would have in place.  The third-party services and vendors that these institutions rely on have historically been a huge attack surface for gaining a foothold into the enterprise.  An example would be the HVAC vendor used by the merchant Target, where a hostile entity was able to breach the retailer via network links that were meant to monitor and adjust the air conditioning and heating units in all the stores.  Under DORA, the European Supervisory Authorities will have the authority to audit, inspect and issue fines for any violations.  The expectation is that these suppliers and vendors will have to meet at least a SOC 2-type standard.[ix]  The threat of a supply chain attack is a risk that must be addressed, and a focus must be placed on providing protections.[x]

Incident Reporting

Under the ICT Directive, incident reporting would be one of the strictest requirements: any breach of private or confidential data must be reported to everyone affected by the compromise as well as to the proper regulatory agencies.  This is similar to many US state breach disclosure laws.  The strictest such law with which most US based financial institutions are required to comply is the California Consumer Privacy Act[xi].  The details of how this information is to be communicated and the timeliness of the breach disclosure are not specified, but notification is expected at the earliest reasonable time.


Intelligence Sharing

Anytime there is a mention of information or intelligence sharing amongst companies, there will be warnings about possible accusations of collusion, triggering talk of the Sherman Anti-Trust Act[xii].  This need not be the case for the kind of data being shared here.  The CISA Financial Services Sector Specific Plan[xiii] actively endorses sharing information to create awareness across the industry.  The coordinated effort should help strengthen the industry as a whole and thwart attempts by hostile actors that intend to commit nefarious acts against consumers.

Business Continuity  

The DORA legislation's enforcement of the ICT Directive calls for a formal business continuity plan that is to be tested and reviewed annually.  The expectation is that all staff should know their responsibilities and duties in the event of an incident that could interrupt the firm's operations, so that disruption to consumers is kept to a minimum.  It is of paramount importance that customers retain the ability to access their funds.

Conclusion

The DORA legislation and ICT directive on cybersecurity should have a minimal effect on the way US based financial institutions conduct business within the European Union's borders.  It will actually create a uniform law with requirements that will be simpler to follow than all of the individual countries' rules and regulations.  Most of the larger institutions, such as the large banks and brokerage houses, already have infrastructure that complies with these requirements based on the many laws they are already subject to.  Smaller firms, such as smaller brokerage houses and crowdfunding startups, are the ones that are going to face the most stringent challenges in trying to meet the requirements, as they face increasing costs for procuring the expertise and equipment needed to adhere to these laws.  The additional expense of required audits and penetration tests can be a substantial hit to smaller institutions' cost of doing business.  This would be a significant barrier to entry for doing business in the European Union and in all of the other countries that tend to adopt its laws.  Although this could limit competition in the EU, the overall effect would be to protect consumers that utilize financial institutions to issue and trade stock, provide loans and handle funds in the most stable and secure way possible.

[ii] European Banking Authority, Guidelines on ICT and security risk management, https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management

[vi] NIST SP 800-37r2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

[x] Markus Christen, Bert Gordijn, and Michele Loi, The Ethics of Cybersecurity, p. 17, https://library.oapen.org/bitstream/handle/20.500.12657/47324/9783030290535.pdf?sequence=1#page=111

[xii] Sherman Anti-Trust Act, 15 USC Chapter 2, Subchapter I: Federal Trade Commission (house.gov), https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter2-subchapter1&edition=prelim
