The Digital Operational Resilience Act (DORA) is a new European regulation designed to fortify the cybersecurity landscape and ensure financial firms can effectively manage digital risks.
With DORA coming into effect in January 2025, financial entities have a matter of months to ensure their cybersecurity capabilities align with a number of new DORA requirements, such as threat intelligence and cyber incident response.
As part of this evaluation process, firms will need to assess if the threat intelligence platforms (TIP) and security orchestration, automation and response (SOAR) technologies they utilise will empower them to achieve and maintain compliance with the upcoming regulations.
Understanding the impact of DORA
DORA aims to strengthen the security of financial entities like banks, insurance companies, investment firms, and stock exchanges. This helps them achieve cyber resilience in the event of any severe operational disruption.
Applicable to financial entities in the EU and any information and communication technology (ICT) infrastructure that supports them outside the EU, the regulation introduces specific and prescriptive requirements for all financial market participants. Given the rapidly evolving cyber risk landscape, the resilience measures DORA advocates hold relevance for financial services institutions worldwide.
Placing significant emphasis on ICT risk management, incident reporting, resilience testing, and third-party risk management, DORA aims to strengthen the resilience of financial systems through uniform rules that are applicable in the EU. In relation to cybersecurity, DORA requires financial entities to implement effective measures to prevent, detect, respond to and recover from cyber incidents.
DORA represents a proactive approach to preparedness and response in the face of the rising frequency and sophistication of cyberattacks.
Getting fit for DORA – understanding the implications for TIP and SOAR
Threat intelligence platforms that operationalise the timely, relevant, and actionable intelligence organisations need to identify and mitigate potential risks are the cornerstone of any proactive cybersecurity strategy. Their significance becomes even more pronounced under DORA.
DORA emphasises the need for comprehensive threat intelligence capabilities that empower financial institutions to better outpace emerging threats. In addition to providing real-time insights into the threat landscape, TIP solutions should also enable organisations to share threat intelligence and operationalise it among the right teams, who can take automated actions to proactively mitigate risk. They should enable organisations to address the full spectrum of threats in one collaborative platform, fostering a more collective defence approach to combat adversaries.
Similarly, DORA also highlights the importance of rapid and effective response capabilities to minimise the impact of cyber incidents. SOAR platforms enable organisations to simplify and automate their response capabilities, so they can respond to incidents with greater speed and efficiency. By independently integrating various security tools and technologies, modern SOAR solutions go beyond simply orchestrating incident response; they make it possible for security teams to orchestrate a truly cohesive and well-coordinated cyber defence. Modern SOAR platforms centralise data analysis and connect the dots between threat intelligence, detection logs, and other internal telemetry to provide comprehensive threat visibility and enable automated actions in security, IT and DevOps tools from a single platform.
Given the elevated importance of TIP and SOAR platforms, security teams will need to assess if the solutions they use will enable them to adhere to the key requirements of the DORA directive and elevate the strength of their security programme.
Let’s take a look at two key areas.
Incident reporting and response
Article 1 of DORA mandates the timely reporting of significant cyber incidents alongside the voluntary notification of significant cyber threats to competent authorities. It also requires financial entities to report major operational or security payment-related incidents to the competent authorities.
For optimal resilience, financial firms should ensure their TIP and SOAR platforms feature comprehensive real-time threat intelligence sharing that will reduce the time and effort associated with reporting major incidents to relevant authorities and enhance how internal security teams collaborate and operationalise intelligence to mitigate potential risks.
Ideally, they should also look for solutions that empower them to instantly share relevant threat intelligence with other trusted financial entities. This capability will ensure that, should one financial institution encounter a novel malware strain attempting to exploit vulnerabilities in banking systems, it can distribute insights to other financial entities in a timely way. This would include details on specific indicators of compromise (IOCs) along with any contextual information relating to tactics and potential impact. All of this supports a wider collective and rapid response that ultimately helps safeguard the entire financial ecosystem.
Resilience testing and assessment
DORA requires financial entities to regularly test and assess their operational resilience, so they can ensure they are well-prepared to handle cybersecurity incidents effectively.
To fulfil this requirement in the most efficient way possible, organisations should use a SOAR platform that enables them to automate repetitive tasks and orchestrate workflows across all security functions, not just case management.
Orchestrated incident response is critical to efficiently handle cyber incidents and enable security professionals to coordinate a response across all operational environments. However, for a truly optimised end-to-end capability, these orchestration capabilities should be independent of specific functions such as case management and incident response. For example, security teams should be able to orchestrate detection and threat intelligence workflows directly. The alternative option – routing every workflow through case management – is tedious and wastes precious time. Case-independent orchestration simplifies the job of security teams without creating complex challenges for scale and flexibility. It also allows for efficient collection of threat intelligence and internal logs and telemetry, connecting the dots and automating actions.
Financial organisations that utilise DORA platforms with this global orchestration will be able to seamlessly automate and orchestrate all security tools and technologies across all their deployment environments. This includes machine-to-machine (M2M), machine-to-human (M2H) and human-to-machine (H2M) interactions.
Moving forward with confidence
As the EU moves towards implementing DORA, financial services entities must ensure they are prepared to meet all requirements outlined in the legislation. Ideally, they should look to work strategically with solution providers that offer TIP and SOAR products aligned with the key features and requirements of DORA. All of this will ensure they can fortify their digital resilience, simplify how they maintain compliance, and institute a more proactive defence posture against evolving cyber threats.