Governments, businesses and customers look to financial entities as the backbone of the global economy. Because of this vital role, the industry’s cyber security is highly regulated and scrutinized.
That regulatory concern is well founded, given the recent resurgence of aggressive threat actor groups targeting financial services entities. In fact, ransomware claims were up 38 percent from Q4 2022 to Q1 2023.
Although financial institutions appear more resilient than sectors like healthcare and manufacturing, vulnerabilities continue to exist in their IT controls, such as backup security.
The European Union (EU) is therefore introducing the Digital Operational Resilience Act (DORA) to increase the digital resilience (i.e., the security of network and information systems) of financial institutions within the EU and to mitigate the risks associated with outsourcing to third-party service providers (TPPs).
While financial institutions operating in the EU are required to comply by January 2025, DORA also represents an opportunity for businesses to review and streamline their operational resilience and cybersecurity practices.
DORA is designed to consolidate and upgrade risk requirements for information and communications technology (ICT) throughout the financial services sector. This ensures a common set of standards for mitigating operational ICT risks.
This new regulation is intended to ensure that the EU financial services sector, along with its critical ICT providers, is equipped to prevent and mitigate cyber threats and to remain resilient in the face of a severe disruption.
The key difference between DORA and previous regulations in this space is scope. DORA requires that the financial services ecosystem eliminate any weak links, and that individual institutions take a holistic approach to cyber security.
DORA covers a broad range of financial service entities and ICT TPPs, and applies to most of the regulated financial institutions in the EU. Many entities that were not previously subject to specific ICT regulations now fall within the scope of DORA.
When it comes to implementing the requirements of DORA, the European Supervisory Authorities (ESAs) operate on a principle of proportionality. They must consider each financial institution’s size and overall risk profile, as well as the nature, scale and complexity of its services, activities and operations.
The European Parliament adopted DORA on November 10, 2022, and the regulation and related directive were subsequently published on January 16, 2023. The implementation period is two years, with financial service entities expected to be compliant by January 17, 2025.
ESAs have been tasked with developing Technical Standards (RTS/ITS; Level 2 rules) applicable to all financial institutions within the scope of DORA. These are expected to be adopted by the end of 2024.
DORA goes beyond existing regulations by bringing together multiple aspects of operational resilience into one framework. It also raises the bar for how institutions manage their ICT risks, laying out a broad set of requirements across five foundational pillars.
We expect DORA to be an evolving standard that will change as operational resilience practices develop and standards are iterated between regulators and the industry. However, it is clear that operational resilience will be a prime focus for regulators in the coming years.
DORA requirements on governance and organization emphasize the need for financial service entities to establish an internal governance and control framework for ICTs, as well as appoint a management body to oversee and implement ICT risk management measures.
Financial entities shall have in place capabilities and staff, suited to their size, business and risk profile, to gather information on vulnerabilities, cyber threats and ICT-related incidents (in particular cyberattacks), and to analyze their likely impact on the entity’s digital operational resilience.
The framework for this needs to be sound, comprehensive and well-documented as part of the overall risk management system, which must be periodically reviewed and audited.
DORA will provide for consistent and, if applicable, expedited reporting for ICT-related incidents.
There are strict timelines for reporting “major” incidents to the authorities. To meet these notification requirements, financial entities must review and update their current internal incident reporting processes and, where relevant, their outsourcing arrangements.
To ensure digital operational resilience, financial entities are required to implement robust and comprehensive testing plans within their organization. In certain cases, advanced testing is required. This includes Threat-Led Penetration Testing (TLPT) every three years, or more frequently if requested by the authorities.
DORA also requires a security posture gap analysis and the implementation of countermeasures.
DORA aims to control third-party ICT risk by setting principle-based rules for monitoring risks related to outsourced tasks. Outsourcing agreements must comply with minimum contracting requirements, including:
DORA also introduces a framework for ESAs to supervise critical TPPs.
Financial service entities have permission to exchange cyber threat information and intelligence among themselves. This includes indicators of compromise, tactics, techniques, procedures, cyber security alerts and configuration tools.
The main objective is to enhance the digital operational resilience of financial institutions by:
DORA does not detail specific fines or sanctions for non-compliance. However, EU member states are required to establish effective, proportionate and dissuasive penalties. These may include fines, administrative sanctions or other measures, and will depend on how each EU country implements its DORA-related laws. The respective national authorities will also oversee compliance and enforce the regulation as they see fit.
Organizations found to be in non-compliance may face legal and financial implications, including:
DORA will have a major impact on entities falling within its scope. Qualifying financial institutions, their counterparts and ICT TPPs will need to make a significant effort to ensure timely compliance.
An assessment of the workforce and human capital data should also be considered an important element of any operational risk review and process improvement exercise. Human capital data provides valuable insight into a range of important considerations, including setting optimal pay and incentives for key employees, identifying areas where staff are less engaged, and attracting and retaining the best talent in a very competitive environment.
Financial service entities should begin now. The time needed to enact the required standards across the entire organization, including all underlying entities, should not be underestimated, considering the need to:
We recommend organizations take at least two initial key actions:
Perform a readiness assessment and gap analysis to determine the extent to which your organization is already in compliance with DORA requirements and the upcoming technical standards.
To achieve compliance cost-effectively, leverage current activities and accelerate the DORA compliance items already in progress, such as:
As part of what Aon calls the “Cyber Loop” to describe the journey towards good risk management, additional steps might include:
Our multidisciplinary Cyber Solutions teams bring a wealth of experience in technology, cyber security, regulatory compliance and ICT risk management to help you strengthen your operational resilience and make better decisions. They work seamlessly with our team of financial service experts to deliver integrated solutions that help you achieve compliance with DORA.