The EU’s Digital Operational Resilience Act (DORA) will apply as of 17 January 2025. Andrew Carr at Camwood outlines its purpose and the requirements it will impose on financial services organisations.
The financial sector is more reliant than ever on technology to deliver new products and services and to differentiate in a crowded market. While essential for digital transformation and remaining competitive, that dependence also widens the attack surface available to cyber-criminals. The World Economic Forum has warned of the funding challenges, reputational damage and even disruption to other critical services that could result from an attack, and the EU is responding.
17 January 2025 will mark the date of application of the Digital Operational Resilience Act (DORA). As a framework that prioritises prevention, its primary aim is to strengthen the ICT security of financial entities, including banks, insurance companies and investment firms. It applies to firms established in the EU, but also to UK-based entities that operate in EU markets.
With the date fast approaching, it’s time for organisations to run through their checklists and make sure everything is in place ahead of time. Near the top of that list must be their data and how it is currently being managed.
The scope of the regulation
The DORA regulation covers areas including ICT risk management, digital operational resilience testing, ICT-related incident reporting and oversight of critical third-party providers. Information sharing for the purpose of exchanging data and intelligence on cyber-threats is also prominent in its scope.
Penalties for financial entities that fail to comply are laid down by national competent authorities under the regulation; fines of up to 2% of total annual worldwide turnover are commonly cited. Critical ICT third-party providers that fail to comply with requests from their Lead Overseer can face periodic penalty payments of up to 1% of their average daily worldwide turnover.
But to be able to meet the criteria, such as reporting cyber-incidents in a timely manner or sharing relevant intelligence, firms must know exactly what data they have. They also need to know where the data resides, who’s accessing it, when it was last accessed and even the type of storage it’s sitting on.
And that’s not the simplest task for some organisations. Many will have data hosted on-premises, in the cloud, or spread across both, as a result of the service delivery models they have adopted and evolved over many years.
Data sprawl and risk
A great deal of data resides in places that are not necessarily known to the financial organisation that owns it. Not because of any malicious intent, but because of data sprawl over the last 15-20 years across on-premises, cloud and hybrid deployments. The Flexera 2024 State of the Cloud Report puts organisational use of multi-cloud at 89%.
Not only does this make it extremely difficult to find specific data for information sharing, but it also poses security risks that threaten compliance with DORA. There could be 15 duplicates of the same sensitive document stored in 15 different places. Not only is that wasteful in terms of storage, but each copy is a separate target with its own access controls, so every additional copy increases the likelihood that an attacker finds one that is poorly protected.
Another key aspect of the regulation is mitigating the risk posed by suppliers. Strategic partners may need to access a financial firm’s systems, but it’s imperative that they can reach only the data relevant to them, and that this data is easy to identify. DORA also requires firms to maintain a register of information on their contractual arrangements with ICT third-party providers. In the event of supplier failure, can the firm in question readily consult that register to initiate an alternative strategy? Data needs to be organised and readily available for it to answer ‘yes’ to this question.
Ensuring data fitness
Bringing data into a workable structure for DORA compliance requires a few key steps. The first is a data audit or assessment that identifies where data is located, the storage it sits on, how long it should be retained, when it was last accessed or modified, and so on. It provides a snapshot of the data situation and shows whether anything needs to change before January.
From there, fragmented data sitting in obscure locations can be moved to more logical locations and clearly tagged, so that users know exactly what each piece of data is when sharing or reporting. Duplicate documents can be identified by content (for example by comparing cryptographic hashes of the files) and removed to free up space, reduce storage costs and reduce cyber-risk.
Access controls and governance can then be applied at the final stage, ensuring that only authorised personnel, whether internal or in the wider supply chain, can access particular data. 73% of leaders and employees have previously admitted that a lack of trust and data overload have stopped decision-making. With data in the right place, leaders and staff can make the right decisions with accurate and trusted insights.
Fortifying operations ahead of time
As the financial sector leans heavily on technology to drive innovation, it must also navigate the accompanying risks. The imminent application of DORA, with its stringent requirements covering ICT risk management, operational resilience testing, incident reporting and third-party oversight, requires firms to proactively assess and reorganise their data management practices to ensure compliance.
Data sprawl remains a critical challenge, but thorough audits and structured data management can mitigate risks and enhance operational resilience. By identifying data locations, eliminating duplications and implementing stringent access controls, financial organisations can ensure compliance and fortify their operations against cyber-threats at the same time.
Andrew Carr is the Managing Director of Camwood
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543