
Financial cyber defence: gearing up for DORA


The Digital Operational Resilience Act (DORA) is a new European regulation designed to fortify the cybersecurity landscape and ensure financial firms can effectively manage digital risks.

With DORA coming into effect in January 2025, financial entities have a matter of months to ensure their cybersecurity capabilities align with a number of new DORA requirements such as threat intelligence and cyber incident response.

As part of this evaluation process, firms will need to assess if the threat intelligence platforms (TIP) and security orchestration, automation and response (SOAR) technologies they utilise will empower them to achieve and maintain compliance with the upcoming regulations.

Understanding the impact of DORA

DORA aims to strengthen the security of financial entities like banks, insurance companies, investment firms, and stock exchanges. This helps them achieve cyber resilience in the event of any severe operational disruption.

Applicable to financial entities in the EU and any information and communication technology (ICT) infrastructure that supports them outside the EU, the regulation introduces specific and prescriptive requirements for all financial market participants. Given the rapidly evolving cyber risk landscape, the resilience measures DORA advocates hold relevance for financial services institutions worldwide.

Placing significant emphasis on ICT risk management, incident reporting, resilience testing, and third-party risk management, DORA aims to strengthen the resilience of financial systems through uniform rules that are applicable in the EU. In relation to cybersecurity, DORA requires financial entities to implement effective measures to prevent, detect, respond to and recover from cyber incidents.

DORA represents proactive preparedness for, and a response to, the rising frequency and sophistication of cyberattacks.

Getting fit for DORA – understanding the implications for TIP and SOAR

Threat intelligence platforms operationalise the timely, relevant, and actionable intelligence that enables organisations to identify and mitigate potential risks, which makes them the cornerstone of any proactive cybersecurity strategy. Their significance becomes even more pronounced under DORA.

DORA emphasises the need for comprehensive threat intelligence capabilities that empower financial institutions to better outpace emerging threats. In addition to providing real-time insights into the threat landscape, TIP solutions should also enable organisations to share threat intelligence and operationalise it among the right teams, who can take automated actions to proactively mitigate risk. They should enable organisations to address the full spectrum of threats in one collaborative platform, fostering a more collective defence approach to combat adversaries.

Similarly, DORA also highlights the importance of rapid and effective response capabilities to minimise the impact of cyber incidents. SOAR platforms enable organisations to simplify and automate their response capabilities, so they can respond to incidents with greater speed and efficiency. By independently integrating various security tools and technologies, modern SOAR solutions go beyond simply orchestrating incident response; they make it possible for security teams to orchestrate a truly cohesive and well-coordinated cyber defence. Modern SOAR platforms centralise data analysis and connect the dots between threat intelligence, detection logs, and other internal telemetry to provide comprehensive threat visibility and enable automated actions in security, IT and DevOps tools from a single platform.

Given the elevated importance of TIP and SOAR platforms, security teams will need to assess if the solutions they use will enable them to adhere to the key requirements of the DORA directive and elevate the strength of their security programme.

Let’s take a look at two key areas.

Incident reporting and response

Article 1 of DORA mandates the timely reporting of significant cyber incidents alongside the voluntary notification of significant cyber threats to competent authorities. It also requires financial entities to report major operational or security payment-related incidents to the competent authorities.

For optimal resilience, financial firms should ensure their TIP and SOAR platforms feature comprehensive real-time threat intelligence sharing that will reduce the time and effort associated with reporting major incidents to relevant authorities and enhance how internal security teams collaborate and operationalise intelligence to mitigate against potential risks.

Ideally, they should also look for solutions that empower them to instantly share relevant threat intelligence with other trusted financial entities. This capability will ensure that, should one financial institution encounter a novel malware strain attempting to exploit vulnerabilities in banking systems, it can distribute insights to other financial entities in a timely way. This would include details on specific indicators of compromise (IOCs) along with any contextual information relating to tactics and potential impact. All of this supports a wider collective and rapid response that ultimately helps safeguard the entire financial ecosystem.

Resilience testing and assessment

DORA requires financial entities to regularly test and assess their operational resilience, so they can ensure they are well-prepared to handle cybersecurity incidents effectively.

To fulfil this requirement in the most efficient way possible, organisations should use a SOAR platform that enables them to automate repetitive tasks and orchestrate workflows across security functions and not just case management. 

Orchestrated incident response is critical to efficiently handle cyber incidents and enable security professionals to coordinate a response across all operational environments. However, for a truly optimised end-to-end capability, these orchestration capabilities should be independent of specific functions such as case management and incident response. For example, security teams should be able to orchestrate detection and threat intelligence workflows directly. The alternative option – routing every workflow through case management – is tedious and wastes precious time. Case-independent orchestration simplifies the job of security teams without creating complex challenges for scale and flexibility. It also allows for efficient collection of threat intelligence and internal logs and telemetry, connecting the dots and automating actions. 

Financial organisations that utilise DORA platforms with this global orchestration will be able to seamlessly automate and orchestrate all security tools and technologies across all their deployment environments. This includes machine-to-machine (M2M), machine-to-human (M2H) and human-to-machine (H2M) interactions.

Moving forward with confidence

As the EU moves towards implementing DORA, financial services entities must ensure they are prepared to meet all requirements outlined in the legislation. Ideally, they should look to work strategically with solution providers that offer TIP and SOAR products aligned with the key features and requirements of DORA. All of this will ensure they can fortify their digital resilience, simplify how they maintain compliance, and institute a more proactive defence posture against evolving cyber threats.

 

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
