When asked why he robbed banks, Willie Sutton, one of the first fugitives named to the U.S. FBI’s most wanted list, reportedly replied, “Because that’s where the money is.”
As any infosec professional working for a financial institution can tell you, loads of cybercriminals will likely agree with that sentiment.
Banks and similar organizations are no stranger to cyber threats. 2023 data breach cost research claims that financial institutions lose $5.9 million per data breach; 28% higher than the global average. The expected financial gain and large attack surface make this type of organization an extremely attractive target for cybercriminals.
In this global landscape, the Digital Operational Resilience Act (DORA), a new multi-nation regulation impacting financial institutions in the European Union (EU), should come as no surprise. Here’s the lowdown on this new law and what it’s designed to accomplish.
What Is DORA?
The DORA is a multi-country regulation that applies to all financial institutions in the EU, including banks, credit unions and even cryptocurrency service providers. It also applies to any third-party vendor that provides those institutions “information and communication technology” (ICT for short) tools such as cloud storage and data analytics.
The regulation came into effect in January 2023, and compliance will be enforceable starting in January 2025.
What Does It Mean?
The regulation lays out technical requirements for financial institutions and third-party providers across multiple domains, including incident reporting, business continuity and disaster recovery. These institutions also need to demonstrate how quickly they could recover from a potential cyberattack.
The overall goal is to reduce risk associated with ICT. Banks and similar entities make the world run, so European regulators want to ensure that these organizations are as risk resilient as possible. An EU press release puts it this way:
“DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.”
Similar to the General Data Protection Regulation (GDPR), the EU-focused DORA has the potential to impact organizations all over the world. Remember how it applies to third-party vendors that supply ICT to banks? That means the likes of Amazon, Microsoft, Google and IBM as ICT providers will have to meet these same technical requirements.
Article 13 of DORA Requires Security Awareness Training
DORA shares another important similarity with the GDPR: explicit mention of the importance of relevant training programs delivered to employees. Specifically, Article 13, Section 6 of the regulation calls out the need for “compulsory” modules on ICT topics as part of a security awareness training program. We’ll let the regulation speak for itself:
“Financial entities shall develop ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes. Those programmes and training shall be applicable to all employees and to senior management staff, and shall have a level of complexity commensurate to the remit of their functions.”
In 2024, the three “European Supervisory Authorities” that govern financial matters across the EU will produce specific policies that will in turn filter down to EU member nations in the form of shared frameworks.
Once the details are hammered out and the DORA becomes enforceable in 2025, nation-specific regulators will have the power to request that financial institutions take the steps required in the new regulation. Otherwise, fines and other penalties, which each nation will determine, could be in store.
Our Take on DORA and Financial Institution Risk Mitigation
We’re glad to see the EU taking such a strong stance when it comes to risk mitigation in the financial sector, and call out the importance of employee training as part of it. Commentary from our own Jelle Wieringa, a KnowBe4 security awareness advocate, further brings DORA and risk mitigation into the context of the human element:
“The EU-wide regulations and minimum requirements regarding cyber resilience in the financial sector form an important pillar in the organizations' security architecture. However, the scale and increasing complexity of phishing attacks on banks and their customers show that compliance alone cannot provide effective protection.
“Techniques that bypass two-factor authentication are increasingly being used, which increases the risk of compromise enormously. This makes preventative measures to prevent this type of attack even more important. A further pillar of the security strategy should therefore be comprehensive security awareness training. Basically, an attempt is made to test the attention and sensitivity of users using simulated phishing emails. The aim is to achieve an increased awareness of the dangers and the recognition of such attacks. This can greatly reduce the number of successful phishing attacks on an organization.”
Stay tuned this blog for more on DORA and how we at KnowBe4 can help make the training requirement easier to manage for EU financial institutions.
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.