Mitigating cyber risks in the era of DORA

Six critical areas for European banks to prioritise in DORA compliance

October 2024

Cyber threats are some of the most severe and dynamic operational risks that European banks face. As the economy becomes ever more digitalised, the cyber challenge is only set to grow.

Banks know that the cyber environment is rapidly evolving, demanding significant effort to ensure cyber security can keep pace. Key factors driving the need for heightened focus on cyber resilience include:

  • The growing incidence of cyber-attacks on the financial industry, including denial of service attacks and the use of ransomware
  • The disruptive evolution of technology, and especially of artificial intelligence (AI), which is helping cyber criminals to develop new attack techniques
  • The increasing focus from European Union (EU) supervisors, typified by the Digital Operational Resilience Act (DORA) and the European Central Bank’s (ECB) prioritisation of robust operational resilience.

The disruption of July 2024 has further sharpened banks’ focus on cyber and information and communication technology (ICT) risks. It also highlighted the potential vulnerabilities that arise from the industry’s growing use of third-party service providers in the technology sector. Regulators and supervisors are also concerned about banks’ dependence on third parties for the provision of core operational services. These concerns are heightened by high levels of concentration among technology providers and the risks that can arise from sub-contracting – illustrated by the recent impact on Microsoft’s services.

Third-party provider outages like those in July can create a range of pain points for banks spanning several areas.

[Figure: Cyber risk – pain points for banks arising from third-party provider outages]

Source: 乐鱼(Leyu)体育官网 International, 2024

With appropriate measures, banks can avoid these pain points.

Incident preparation: Adequate preparation for an emergency includes the following measures:

  • Clear contractual clauses regarding service providers’ involvement in crisis management during cyber and ICT incidents.
  • Thorough mapping of interconnections between different assets in the ICT inventory and links between process landscape and ICT infrastructure.

Incident response: Immediate responses to cyber and ICT incidents are commonly made more efficient by:

  • Sufficiently documented contingency measures.
  • Adequate planning of feasible workarounds.
  • Appropriate rollback strategies for successful recovery.

Crisis management: Banks’ ability to effectively recover from cyber-attacks and other critical incidents is typically enhanced by:

  • The inclusion of suitable scenarios in both the Business Continuity Plan (BCP) and the Disaster Recovery Plan (DRP).
  • Proper alignment with service providers over their responsibilities during the recovery phase.
  • The establishment of detailed, formalised crisis communication procedures.

Post-incident reworking: The ability to learn from experience and improve cyber incident planning is often supported by:

  • Strong post-incident analysis, evaluation and management reporting.
  • Suitable approaches to estimating economic impact and risk adjustments.

DORA is not specifically aimed at preventing or mitigating third-party failures like the disruption experienced in July. However, it does bring the most critical service providers for leading banks under the direct supervision of the European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) – for the first time, and banks with a good level of DORA readiness should enjoy greater resilience to third-party outages. In this context, we see six key areas for banks to focus on as part of their DORA preparations:

  • Improving ICT asset management, by better mapping interdependencies between ICT assets and their contribution to the company’s processes.
  • Strengthening digital operational resilience, by enhancing BCPs and DRPs, and by introducing regular risk-based testing of processes and systems.
  • Improving risk assessments, by harmonising estimates of economic impact with quantitative measures of operational risk, enabling informed decision-making across the supply chain.
  • Improving patch management, by implementing robust procedures to identify critical vulnerabilities, to formulate rollback strategies, and to conduct emergency patching and updating of ICT assets.
  • Enhancing third-party service provider control, by adapting contractual clauses around the involvement of third-party providers in test activities and incident management.
  • Mitigating sub-delegation and concentration risks, by monitoring interconnections involving service providers and subcontractors which could give rise to major disruptions.

No bank can predict when it will next become the target of a cyber-attack. But the frequency and severity of cyber incidents are only set to increase. Banks should act swiftly to strengthen their defences and upgrade their response plans to safeguard their resilience before trouble strikes.

Quarterly 乐鱼(Leyu)体育官网 SSM Insights Newsletter – October edition

Welcome to 乐鱼(Leyu)体育官网’s SSM Insights Newsletter, October edition. Read our latest perspectives and insights on pressing ECB priority areas impacting banks.

Our People

Elvira Niedermeier

Senior Manager, 乐鱼(Leyu)体育官网 ECB Office

乐鱼(Leyu)体育官网 in Germany

Peter Hertlein

Partner, Financial Services, IT Compliance & Cyber Security

乐鱼(Leyu)体育官网 in Germany
