DORA: A Strategic Approach to Cybersecurity in Capital Markets
Tackling a key element to the DORA framework
As digital transformation of the capital markets industry accelerates, the exposure of financial institutions (FIs) to the risk of cyber-attacks naturally increases. At the same time, the sophistication of cyber-attacks is growing in line with technological advancements, with many cyber-attacks using artificial intelligence and complex code to penetrate their victims’ networks and applications, which in some cases may be comparatively outdated and ill-equipped to deal with the threat.
To be clear, a cyber-attack refers to any malicious or deliberate attempt by an individual or organisation to electronically breach the information systems of another party. Cyber-attacks can come in several different forms, such as phishing, malware and ransomware attacks.
As the figure below shows, cyber-attacks have more than doubled since the Coronavirus pandemic.
The financial services industry is uniquely exposed to the risk from cyber-attacks. Given the large amounts of data and financial transactions that financial firms handle, they are often a target for cyber criminals. In fact, cyber-attacks on financial firms account for roughly one-fifth of the global total, with banks being the most exposed of all financial services firms. The potential consequences of such attacks include undermining trust in financial institutions and disrupting critical services, which could lead to significant reputational and financial costs, with major attacks potentially costing some firms more than $1 billion.
With this in mind, it is essential for financial institutions globally to develop a robust cybersecurity strategy that minimises the potential impact of disruption from cyber-attacks. Specifically, the International Monetary Fund (IMF) recommends four key focus areas for firms to consider when bolstering their cybersecurity defences:
Cybersecurity Risk Assessment: Periodically assessing the cybersecurity landscape and identifying potential systemic risks from interconnectedness and market concentrations, including from third-party service providers.
Governance and Maturity: Encouraging cyber “maturity” among financial sector firms, including board-level access to cybersecurity expertise. More proficient cyber-related governance could reduce cyber risk.
Cybersecurity Hygiene: Improving cyber hygiene of firms—that is, their online security and system health (such as antimalware and multifactor authentication)—and training and awareness.
Incident Management and Information Sharing: Prioritising data reporting and collection and recording of cyber incidents and sharing information among financial sector participants to enhance their collective preparedness.
Given the increased ubiquity and potency of cyber-attacks, it is unsurprising that cybersecurity has become a top priority for financial regulators. Regulatory frameworks are taking a more nuanced and technical approach toward cyber-attacks as they look to cover all bases when it comes to dealing with their increased sophistication. This is giving firms an impetus to implement more robust cybersecurity frameworks.
The Digital Operational Resilience Act (DORA), effective from January 2025, mandates strict resilience standards for digital operations, including robust cybersecurity measures, incident reporting, and risk management frameworks. In particular, in-scope firms must classify the significance of cyber threats based on the criticality of the services at risk, including the financial entity’s transactions and operations, number and/or relevance of clients or financial counterparts targeted and the geographical spread of the areas at risk.
GreySpark believes this calls for in-scope firms to rethink their cybersecurity frameworks, and make necessary structural and operational changes, which may include:
Cybersecurity Risk Management: Implementing response and recovery protocols along with business management strategies, encompassing risk classification, monitoring, documenting and reporting.
Cybersecurity Expertise Enhancement: Increasing cybersecurity expertise among personnel, either through training or outsourcing. There is an emphasis on requiring subject matter experts with a deep understanding of DORA to implement the necessary cybersecurity measures, to help firms achieve compliance and become resilient against cyber threats.
Adopting Third-Party Automated Solutions: Adopting third-party technological solutions for managing cyber incidents and reporting them to the authorities promptly. Firms are also encouraged to use automated solutions for efficient information sharing with other institutions, as well as establishing internal and external communication mechanisms. Large firms can suffer billions of hacking attempts every day, so a solution that is fit-for-purpose in terms of reporting and data management is a prerequisite.
In summary, by adopting a proactive and dynamic approach to cybersecurity, firms not only meet the demanding requirements of DORA, but can also enhance their operational resilience against cyber disruptions. This journey is complex and demanding, but with strategic focus, firms can navigate these challenges successfully, safeguarding their operations and maintaining their competitive edge in the digital era.
Stand by for more information on developing a robust incident reporting framework, with regard to DORA, in the coming weeks.