Building Cyber Resilience: The Cornerstone of DORA Compliance


With the rise in cyberattacks and data breaches, organizations across industries face immense pressure to prioritize cybersecurity and protect sensitive information. Financial institutions, in particular, are responsible for complying with regulatory standards that safeguard the financial system's integrity and, by extension, safeguard all of our economic fortunes.

The Digital Operational Resilience Act (DORA) is one such regulatory framework, designed to enhance the cyber resilience of financial institutions operating within the European Union. It was introduced in January 2023, the final draft was submitted in January 2024, and it will apply starting 17 January 2025. Financial entities under regulation include, but are not limited to, institutions responsible for credit, payments, investments, trade, data reporting, insurance, crypto, and crowdfunding. While DORA is specific to financial organizations operating in the EU, its principles and requirements serve as a valuable guide for all organizations looking to strengthen their cyber recovery capabilities.

The key to DORA compliance is building cyber resilience, which can be defined as an organization's ability to withstand, adapt to, and recover from cyber threats or incidents. This includes:

  • Information and communication technology (ICT) Risk Management
  • ICT-related incident management, classification, and reporting
  • Digital Operational Resilience Testing
  • ICT Third-Party Risk
  • Information Sharing

Organizations with a focus on the financial sector are increasingly dependent on technology to provide their financial services. To help protect their customers' data, and to limit the organization's risks throughout the tech supply chain, organizations are required to build resilience against cyberattacks. Failure to adequately implement these standard practices before January 2025 could result in penalties of up to 2% of total annual turnover, and third-party ICT service providers may face fines of up to €5 million.

Back to the Basics

I have spoken with a lot of organizations that are now laser-focused on making sure they are in compliance with DORA by January 2025. We work together to assess their current cyber resilience posture and identify any gaps, so they can be confident of delivering the required recovery points and timelines. In many cases, they were already completing the majority of requirements and just needed an end-to-end view of their entire infrastructure, followed by a tabletop exercise to simulate an attack and confirm they have the correct procedures, reporting, and sharing mechanisms in place. Digital Operational Resilience Testing under DORA Articles 24, 25, and 26 provides testing requirements around analysis and end-to-end testing that should be covered through these tabletop exercises.

I am assuming it would come as no surprise if I were to say cyberattacks are on the rise. I could rattle off all the stats and say they are changing and adapting every day. But you are probably living with that reality considering 65% of organizations experienced a successful ransomware attack in the last two years.

When I am talking with organizations about “cyber resilience,” it goes beyond traditional security and disaster recovery measures, such as firewalls and antivirus software, and focuses on building a robust and flexible framework that can effectively respond to and recover from cyberattacks. At the core of what the DORA legislation is trying to accomplish is a deep dive into your cyber recovery. The question is not just whether your organization can recover… eventually… but whether you are taking the responsible steps to mitigate risks and plan accordingly, so that you can recover quickly with minimal damage.

While the DORA legislation is focused on financial entities, the guidance is something that all organizations should consider. If all of this is still feeling overwhelming, then I would recommend our cyber recovery checklist as a starting point to ensure zero doubt in your cyber recovery strategy.

Veritas Recommendations for DORA Compliance

There are a few key sections of the DORA regulations that I recommend organizations use as starting points as they work through their DORA compliance.

“Financial entities shall implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of critical ICT systems with high standards of availability, authenticity, integrity and confidentiality of data.”

Per Article 9, Protection and Prevention, Point 2

This means that organizations need to establish and maintain robust security measures to protect their ICT systems, including:

  • Resilience: The ability to withstand and recover quickly from difficulties; ensuring the systems can continue to operate effectively even when under stress or after an attack.
  • Continuity: Making sure that services can continue without interruption, even during a disaster or failure.
  • Availability: Ensuring that systems and data are accessible when needed by authorized users.
  • Authenticity: Verifying that data and transactions are genuine and not tampered with.
  • Integrity: Safeguarding the accuracy and completeness of data and processing methods.
  • Confidentiality: Protecting sensitive information from unauthorized access and disclosure.

These are a lot of words, but they all guide organizations toward a comprehensive recovery plan. We have been providing this recommendation for many years, with my favorite being “Protect, Detect, Recover,” based on the NIST Cybersecurity Framework (CSF). The framework helps organizations of all sizes to understand, assess, govern, prioritize, and communicate their cybersecurity efforts. NIST recently released the updated NIST CSF 2.0, on which Veritas had the opportunity to comment during the feedback period.

Protect (Resilience, Confidentiality)

Detect (Authenticity, Integrity)

Recover (Availability, Continuity)

“For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.”

Per Article 9, Protection and Prevention, Point 1

This is where the other areas of the NIST framework are important: Identify and Respond. We recommend you break these down into three further steps:

Understand

Secure

“For the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures, financial entities, other than microenterprises, shall, taking into account the criteria set out in Article 4(2), establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework referred to in Article 6.”

Per Article 24: General requirements for the performance of digital operational resilience testing, Part 1

At first, this might be overwhelming, but this DORA requirement is asking financial organizations to pull together all of the requirements of their digital operational resilience planning and double-check that it works. This is where you need to prepare by putting your security and recovery plans to the test and identifying any gaps. During your yearly testing, you will summarize your findings and document any remediation plans if gaps were identified.

Prepare

  • Exercise recovery plans
  • Sandboxed/non-disruptive recovery rehearsal

Prioritize Proactive Preparation

The key to success is to plan and automate your recovery plan with your security teams. Then practice, practice, practice. If you have a playbook and know that your teams are prepared for an attack, you’ll be ready to manage an actual incident. The work you do to plan for attack recovery will also help you better manage routine recovery challenges such as system outages or application failures.

Veritas helps you prevent data loss, limit downtime, and recover confidently and quickly to support business resilience. Learn about Veritas 360 Defense, a holistic approach with an expanding ecosystem of cybersecurity partners. 

Tim Burlowski
Global Lead Cyber Resilience and Data Protection Strategy