New regulations are forcing organizations to take cybersecurity more seriously.
Sean Gladwell | Moment | Getty Images
Tough new European Union rules requiring banks to strengthen their cyber security systems officially come into force on Friday, but many of the bloc’s financial services firms are still not fully compliant.
The EU Digital Operational Resilience Act, or DORA, requires financial services companies and their technology providers to harden their IT systems to ensure industry resilience in the event of a cyber attack or any other form of disruption. It entered into force on January 17.
Penalties for violating the new law can be significant. Financial services companies that violate the new rules face fines of up to 2% of annual global profits. Individual executives can also be held liable for violations and face fines of up to €1 million ($1 million).
According to Harvey Jang, chief privacy officer and deputy general counsel of IT giant Cisco, the level of compliance with the new rules by financial services companies is mixed so far.
“I think we’ve seen mixed results,” Jang told CNBC. “Certainly, more mature-stage companies are looking at this for at least a year — if not longer.”
“We’re really trying to build this compliance program, but it’s very difficult. I think that is the problem. We’ve also seen this with GDPR and other broad pieces of legislation that are open to interpretation — what does compliance really mean? It means different things to different people,” he said.

A lack of common understanding of what qualifies as robust DORA compliance has, in turn, led many institutions to raise their security standards to a level that actually exceeds the “baseline” expected of most firms, Jang added.
Under DORA, financial firms will be required to implement rigorous IT risk and incident management, classification and reporting, operational resilience testing, cyber threat and vulnerability information sharing, and third-party risk management measures.
Firms will also need to assess the “concentration risk” associated with outsourcing critical or important operational functions.
A survey of 200 UK CIOs commissioned by Orange Cyberdefense, the cyber security arm of French telecommunications company Orange, revealed that 43% of financial institutions in the UK are not yet fully DORA compliant.
This is a concern because, despite the fact that the UK is currently outside the European Union, DORA applies to all financial institutions operating within EU jurisdiction, even if they are located outside the bloc.
“While it is clear that DORA has no legal reach in the UK, organizations based here and operating or providing services to organizations in the EU will be subject to the regulation,” Richard Lindsay, principal consultant at Orange Cyberdefense, told CNBC.
He added that a major challenge for many financial institutions when it comes to achieving DORA compliance is managing their critical third-party IT providers.
“Financial institutions operate in a multi-layered and highly complex digital ecosystem,” Lindsay said. “Tracking and ensuring that all parts of this system are clearly aligned with the relevant elements of DORA will require new thinking, solutions and resources.”
Banks are also applying an increased level of scrutiny to contract negotiations with technology providers because of DORA’s strict requirements, Jang said.
Cisco’s chief privacy officer told CNBC that he believes there is agreement when it comes to the principles and spirit of the law. However, he added, “any legislation is a product of compromise, and so as it becomes more prescriptive, it becomes complex.”
“The principles we agree with, but any legislation is a product of compromise, and so when they become more prescriptive, it becomes difficult.”
Still, despite the challenges, experts believe it won’t be long until banks and other financial institutions catch up.
“Banks in Europe are already complying with important regulations covering most of the areas covered by DORA,” Fabio Colombo, EMEA head of financial services security at Accenture, told CNBC.
“As a result, financial services institutions already have advanced governance and compliance capabilities, with incident reporting processes and robust ICT risk frameworks in place.”
IT providers can also be fined under DORA. The rules threaten to levy up to 1% of average daily global revenue for up to six months.
“These sanctions are necessary,” Brian Fox, chief technology officer at supply chain management software firm Sonatype, told CNBC. “They are a powerful motivator that pushes leaders to take compliance and operational sustainability more seriously than ever.”
Orange Cyberdefense’s Lindsay said there is a long-term risk that financial services firms will eventually outsource their critical security functions and services.
“Advances in technology can allow financial institutions to bring services back in-house, which simplifies this aspect and reduces the risk of non-compliance,” he said.
“In any case, existing contracts will need to be updated to ensure that their performance is contractually agreed and monitored between the organization and the provider,” Lindsay added.
At the same time, there are several other cybersecurity-focused regulations that organizations must comply with, such as the Network and Information Security Directive 2, or NIS 2, and the Cyber Resilience Act. The former came into force in October.
“As with any new regulation, there will certainly be a transition period as organizations adjust to the new requirements and standards,” Sonatype’s Fox told CNBC. “This is the start of a long journey to improve software security and resilience.”