As the unique level of cyber risk the financial sector faces becomes all the more apparent, regulators are increasingly adopting measures to proactively mitigate the resounding impact a cyber incident has the potential to cause. One such measure is the European Union’s Digital Operational Resilience Act (DORA), which mandates that financial institutions adhere to a myriad of new practices related to information and communications technology (ICT) risk management.
Although DORA entered into force two years ago, in 2023, it officially applies from 17 January this month. From that point, organisations must be fully prepared to meet the legislation's stringent obligations, laid out in a series of 64 Articles, or face the legal consequences.
Achieving compliance, however, is far more intensive than merely updating a few internal policies. Instead, organisational stakeholders must soon be able to gather, analyse, and document an immense amount of data to make highly strategic decisions and govern the business according to both the legislation’s demands and broader operational goals.
Cyber risk management under DORA
This challenge has sent executives in search of advanced cyber risk management solutions, ones that can not only streamline processes but help to bridge the gap that commonly exists between themselves and complex cyber matters. While the market has no shortage of valuable cybersecurity tools, one that stands out as particularly valuable in this context is on-demand cyber risk quantification (CRQ).
CRQ platforms help stakeholders thoroughly assess their organisation's cyber risk exposure and then translate the results into clear, measurable outcomes, such as event likelihoods and their respective financial impact. With a shared understanding of the organisation's cyber risk, all responsible parties can more easily align their efforts and fulfil DORA compliance expectations.
Article 5 of DORA, for instance, stipulates that the management bodies of financial entities set and approve the "digital resilience strategy… including the determination of appropriate risk tolerance level," that is, the degree of risk a business is willing to accept in pursuit of its mission. To calculate these levels adequately, however, stakeholders first need to know their unique susceptibility to digital threats, the monetary implications, and the organisation's ability to absorb the damage.
Indeed, determining the relevant risk appetite and tolerance thresholds forms the basis of any robust cyber risk management strategy, as most subsequent decisions, from resource allocation to incident response planning, will be anchored to these benchmarks. CRQ facilitates this process by offering a range of possible loss scenarios for the upcoming year, each with its likelihood, enabling management to make data-driven decisions.
DORA’s Article 6 likewise lays out a series of provisions that can be more easily adhered to with tools like on-demand CRQ. For example, on top of establishing a robust ICT risk management framework, entities must be able to explain “how [the framework] supports [their] business strategy and objectives.” In other words, managers have to demonstrate that risk management strategies enable broader growth and stability.
Objective CRQ insights – such as the reduction in financial risk a security control upgrade could deliver, or the ROI of a new initiative – can show how investing in cybersecurity contributes to a company's economic prosperity. Other quantified metrics, such as the total data records lost and the outage duration of an average cyber event, are similarly crucial for illustrating how a strategy is bringing exposure into line with the overall risk appetite.
Vendor evaluations are critical under DORA
Beyond demanding internal assessments, DORA also explicitly acknowledges the role that external vendors play in the financial sector's risk landscape, requiring entities to comprehensively evaluate any third-party ICT provider they wish to work with. Article 28 emphasises that these evaluations must take place before any formal engagement, so that organisations can fully account for the additional risk such partnerships would entail.
Among their capabilities, CRQ platforms can also calculate the costs associated with third-party service providers and the specific technologies they offer, allowing stakeholders to quantify the financial impact of the relationship. Using this data, organisations can decide whether to proceed or to explore alternative providers and solutions, while also obtaining a robust rationale for compliance purposes.
With IBM's annual report finding that the average cost of a data breach in the financial sector in 2024 amounted to $6.08m, it is clear that DORA is a much-needed regulation that will bolster the cyber resilience of the global marketplace. Organisations must, however, quickly adopt new solutions that can help them navigate these requirements. Gathering, analysing, and reporting the necessary information will be no easy feat, but those who rise to the challenge will set themselves up for long-term market success.