Using Cyber Risk Ratings for DORA Compliance
The number of cyber attacks across the world is on the rise, and the European Union is taking steps to strengthen the IT security of financial institutions such as banks, insurance companies and investment firms. DORA, the Digital Operational Resilience Act, will help ensure that the financial sector in Europe can maintain operations even in the event of a severe operational disruption. The Council presidency and the European Parliament have reached a provisional agreement on DORA, which is a positive step forward in protecting Europe’s finances. Continue reading to learn more about using cyber risk ratings for DORA compliance.
Introduction
In today’s digital world, it is essential for companies and organisations operating in the financial sector to have robust security measures in place for their network and information systems. The EU’s DORA sets out uniform requirements for such security, as well as for ICT-related services provided by third parties (such as cloud platforms or data analytics services) to these organisations. The adoption of DORA will mean that financial entities must “address any reasonably identifiable circumstance in relation to the use of network and information systems”.
In short, DORA can be defined as a single set of rules to enforce a common standard of operational resilience across the wider EU financial system. In cases of non-compliance, regulators will have the power to impose steep penalties of up to 1% of average daily worldwide turnover from the preceding year. Organisations that focus solely on delivering a minimum viable product often find themselves struggling with governance and risk management further down the line. DORA aims to avoid this by requiring these elements to be in place from the outset. Although DORA mostly affects the financial sector, these regulations – which aim to boost cyber resilience – will have huge knock-on effects on IT roles and tech companies.
Using Cyber Risk Ratings for DORA Compliance
The essence of DORA is divided across five core pillars that address various aspects or domains within ICT and cyber security, providing a comprehensive digital resiliency framework for the relevant entities. These five pillars are:
- ICT risk management
- ICT incident reporting
- Digital Operational resilience testing
- Information and Intelligence Sharing
- ICT Third-Party Risk Management
A cyber risk rating, or security rating, provides security and risk teams with a way of measuring and tracking overall security performance as well as performance against key risk vectors (see image below).
Here’s how cyber risk ratings can address the five pillars of DORA:
1 ICT Risk Management
DORA requires the implementation of a risk management framework which includes identification, protection, detection, response and recovery (the 5 areas of NIST).
A good cyber risk ratings tool should assist with the identification of publicly facing infrastructure and assets with the auto-discovery and auto-updating of an organisation’s digital footprint. This should include all top level domains, DNS (including name servers and subdomains), IP Blocks and IP address (including open ports), social media pages, email addresses in the public domain and the geographic locations of assets.
Included in the auto-discovery of digital footprints’ assets should be the underlying infrastructure being used, for example, AWS, Azure, GCP and Office365. From the digital footprint a cyber risk ratings tool should be able to map vulnerabilities and weaknesses, known as Findings to Frameworks for (example) NIST CSF and ISO27001.
2 ICT Incident Reporting
Understanding whether an organisation has incurred a previous data breach or could be susceptible to a data breach or a ransomware attack is information that should be included as standard in a cyber risk ratings tool. Financial quantification of a potential data breach enables the business to easily understand the risk impact and can be easily performed using internationally recognised standard models such as FAIR (Factor Analysis of Information Risk).
3 Digital Operational Resilience Testing
Digital operational resilience testing is usually performed with penetration tests or red teaming exercises. These are, however, point-in-time views only. Cyber risk ratings tools can be used for the detection of malware and bots, as well as the continuous monitoring of all publicly facing infrastructure including cloud. Furthermore, alerting can be configured to notify of changes and new vulnerabilities and weaknesses.
In addition, cyber risk ratings tools can be used for attack surface monitoring and risk reduction reporting. Cyber risk ratings tools should also provide ticketing to allocate and track remediation of vulnerabilities and weaknesses.
4 Information and Intelligence Sharing
Cyber risk ratings tool enable the sharing of reports including risk remediation between related parties along with knowledges bases about vulnerabilities and weakness, how they may be exploited including the mapping to MITRE ATT&CK and NIST 800-53.
5 ICT Third-Party Risk Management
For effective third-party risk management, a legal agreement between the contracting parties needs to exist which covers the continuous monitoring and remediation of vendor risk by the vendor. Prior to the engagement of a vendor a thorough cyber risk assessment should be performed. Cyber risk rating tools can clearly differentiate between past, present and future breaches, vulnerabilities and weaknesses and susceptibility to ransomware, using international standards (such as the MITRE Cyber Threat Susceptibility Assessment Model).
The findings from continuous monitoring should be mapped to internationally recognised frameworks, for example NIST 800-53 and ISO27001. To effectively assess and monitor a vendor, a classification process needs to be completed to determine vendor criticality based on data sharing, access to network and business continuity to name some of the more high priority criteria.
The above process then enables the compilation of risk remediation reports which can be shared with the vendor for remediation along with the use of the FAIR model output (should data be shared with the vendor).
Conclusion
The new Digital Operational Resilience Act (DORA) will soon become law in the EU. This act will have wide-reaching consequences for financial entities, as well as any third-party providers of ICT services that they use. Contracts between these parties will need to be updated to reflect the new requirements.
DORA creates a framework for digital operational resilience, whereby all firms must be able to withstand, respond to and recover from any type of ICT-related disruption or threat. These requirements are homogenous across all EU member states and aim to prevent and mitigate cyber threats. As can be seen from the above points, cyber risk rating tools can perform a key role in DORA compliance.
For more information regarding using cyber risk ratings for DORA compliance, contact Elasticito.