DORA (Digital Operational Resilience Act), i.e. a draft regulation on the operational digital resilience of the financial sector.

Publication date: February 24, 2023

What is DORA and what is its purpose?

The Digital Operational Resilience Act is one of the elements of the EU legislative package on digital finance. The package aims to update the regulatory environment for financial technologies and to harmonize the processes and standards of digital resilience across the entire sector, with particular emphasis on increasing resistance to cyberattacks on the financial sector, which are becoming more sophisticated and more damaging over time. DORA aims to harmonize incident classification and reporting processes, since early incident detection and timely response are key. Entities will need to adapt to the new EU reporting rules and adjust their internal processes to optimize the allocation of resources.

The Regulation was designed to ensure that the operations of the European Union’s financial sector are able to withstand cyberattacks and operational threats. Institutions are expected to be able to stop or counteract cyberattacks by implementing best practices, such as data protection and planning their response to such threats in advance. The Regulation therefore introduces a number of harmonized obligations for entities from the financial market in the broad sense and for the entities providing ICT services to them (e.g. collecting, processing and transmitting information).

Companies such as banks, insurance companies or investment firms must have a precise plan in place for the event of an attack, so that they can keep the business operational while recovering and repairing any damage caused by the attackers, e.g. by restoring data. Such company policies must be reviewed annually by an independent financial regulator, who will assess whether they are appropriate based on accepted industry standards. Organizations that do not work directly with any financial institution may voluntarily choose to comply with the legal act through an independent auditor, and the implementation of the project will be supervised by national authorities.

Rights, obligations and sanctions.

In the context of the rights and obligations arising from the Digital Operational Resilience Act, it is important that the entities covered by the Regulation maintain ICT tools and systems that minimize the impact of the associated risk, allow all possible sources of risk to be identified quickly, and implement mechanisms to detect irregularities, as well as internal procedures and measures for protection and prevention. Financial entities will also need to equip themselves with the appropriate means and staff to detect vulnerabilities, threats and cyberattacks and to assess the possible consequences for digital operational resilience.

Their duties will include, in particular, such activities as: introducing an internal risk management and control framework, as provided for in Art. 4 and 5 of the Regulation; using ICT systems, protocols and tools (Article 6); and implementing ways to identify, classify and record all ICT-related business functions. The adequacy of the classification of information assets and any relevant documentation is reviewed at least annually.

Their duties also include ongoing monitoring and control over the functioning of ICT systems and tools.

As for the implementation of appropriate security procedures, financial entities are obliged to maintain backup copies and means of restoring the data of ICT systems. They must also implement procedures for identifying, tracking, recording, categorizing and classifying ICT incidents, among many other requirements.

Financial supervisory authorities will begin to exercise supervision, which comes with the possibility of imposing financial penalties. The sanctions remain limited to the scope of services provided to the financial sector. For example, pursuant to Art. 31 sec. 4, the lead supervisory authority will be able to impose a periodic penalty payment, calculated from the date specified in the imposing decision. According to Art. 31 sec. 7, the amount is 1% of the average daily global turnover of a key third-party ICT service provider in the preceding financial year.

Under the risk management framework, organizations will need to have established and proven risk management processes in place to comply with the Regulation. The organization, and in particular its business strategies, needs to be adapted in order to create and maintain a comprehensive and effective risk management framework. In addition, support must be provided in identifying the required scope and intensity of application of the Regulation in the organization and in implementing its requirements in accordance with applicable governance principles. The Digital Operational Resilience Act requires entities from the financial sector to test their systems in a manner proportionate to the risk involved. This includes vulnerability scanning and penetration testing as well as business continuity testing.

Many organizations in the financial industry are often targeted at the same time. The requirement to share threat intelligence will help the industry as a whole become more aware and proactive in preparing for the increasing number and variety of cyberattacks. No organization works in isolation – today’s enterprise environment consists of hundreds of third parties, including ICT service providers covered by the DORA regulation. It is necessary to assess the maturity of the organization in the area of third-party risk management (TPRM) and to strengthen the existing third-party risk management structures (e.g. processes, technologies or procedures). In March and April 2022, cybercriminals attacked three different lending protocols. In a week, hackers stole $15.6 million worth of cryptocurrency from the Inverse Finance platform, $625 million from the gaming-oriented platform Ronin Network and $3.6 million from the Ola Finance platform.

Cybersecurity and threats related to hacker attacks on the example of Riot Games.

Cyberattacks aim to damage, control or gain access to important documents or systems within a private or corporate computer network. Behind cyberattacks there are individuals or organizations with political, criminal or personal motives to destroy or gain control over sensitive data. Most high-profile cyberattacks affect thousands or even millions of ordinary people. This includes, but is not limited to, attacks on social media platforms and websites that store personal information. The hacking attack on the US Office of Personnel Management took place in April 2015. The event was called “one of the most serious data breaches in US history”. Data from 21.5 million investigations, 19.7 million people requesting an investigation, and 5.6 million fingerprints were stolen.

Every business in the world must take into account the risk of a cyberattack, data leakage or theft of large amounts of website content. It should be remembered that hacking attacks pose a significant threat not only to large companies, but also to medium and small enterprises. Despite the popular belief that large companies are the ones mainly exposed to cyberattacks, in the United States as much as 43% of all cybercriminal activity is directed at small businesses. Most of the attacks currently being carried out are targeted at private individuals, and the data obtained in this way is then used to gain strategic information about a given enterprise.

Recently, the developer of some of the most popular online games in the world, Riot Games, announced that it was the victim of a social engineering hacking attack, which resulted in the theft of the source code of two of its most popular titles: League of Legends and Teamfight Tactics. The cybercriminals also managed to gain access to the repositories of the legacy version of the anti-cheat platform. The company published a post on Twitter in recent days informing that the source code was taken by an anonymous group, and that the developers’ work was suspended due to the disruption related to the cyberattack.