A CSO’s perspective on DORA compliance and where to go from here
The deadline for DORA compliance has officially passed and financially-regulated organizations could now technically face serious financial penalties if they are still not compliant with the provisions set out in the legislation.
The regulation is intended to bolster cyber resilience in the digital finance industry across the EU and any financial institutions that serve clients in the jurisdiction.
DORA will require organizations involved in the finance sector to demonstrate robust operational resilience frameworks to identify, manage, and mitigate cyber risks, as well as implement rigorous risk management strategies including managing their third party risk.
Other key focuses of the regulation include updated incident reporting requirements, threat-led penetration testing, and ensuring their software supply chain is transparent and auditable.
Noncompliance could land organizations in hot water, too, with the penalty for failing to comply set at 1% of your business’ daily global turnover, every day until you reach compliance.
Despite the high stakes for enterprises, research shows a significant portion of businesses remain noncompliant, with a study from Orange Cyberdefense revealing just under half (43%) of the UK’s financial services industry set to miss the deadline.
But why are businesses having such trouble with these regulations, and where do CSOs and CISOs see the most friction with getting their organization on track?
ITPro spoke to Stephen McDermid, senior director CSO for EMEA at Okta, about the primary stumbling blocks he thinks companies must traverse as they get themselves compliant.
McDermid said the main sticking point for most organizations will be making sure their entire digital supply chain is auditable by the authorities.
This could take organizations varying amounts of time to get in place, McDermid added, because it is all dependent on signing contracts with suppliers and their ability to do the same with their suppliers.
“So it has to be a contractual mechanism that provides that right for the entity to go audit…So it really depends on how open organizations are to providing the right to audit and whether they have mechanisms in place that allow them to flow that down to their suppliers and their customers’ customers.”
Organizations shouldn’t wait to see the costs of noncompliance
Addressing supply chain risk was a founding principle of the DORA regulations, McDermid added, and he noted organizations certainly have their work cut out for them in this department.
“When you start thinking about the supply chain and supply chain risk, which is one of the main reasons that DORA was created, then actually there’s a lot of work to do there. You must engage with suppliers, understand their approach and even their suppliers’ [approach]. So it’s not just a case of a regulator speaking to the regulated entities, this has a much broader impact.”
As a result, he said regulatory bodies are aware of this challenge and that there will be some sort of grace period extended to organizations still trying to get their estate in order.
“I think the fact that the regulatory technical standards (RTS) are still being defined and are still in draft is demonstrative of that. They understand that this is going to have a broad impact so they want to get it right,” he explained.
“So I think they do expect [noncompliance] and I think that there’s a grace period from the point of implementation of the RTS, I think around 18 months usually, that allows organizations to then be able to demonstrate compliance.”
It takes time for regulations to be created and for supervisory authorities to implement the mechanisms to enforce them, McDermid added, but warned this should not encourage what he described as a ‘wait and see’ approach.
This is the wrong mindset to take and puts organizations at risk of incurring substantial fines.
Security leaders should hammer home the business impact of noncompliance
When asked how security officers should communicate this sense of urgency to their board, C-suite, and organization as a whole, McDermid said focusing on the financial costs of noncompliance and converting compliance risks into business risk is the way to start.
“I think you have to be clear on the financial repercussions of noncompliance, that’s the obvious one. When you call out the potential penalties, 1% of the average turnover from the previous year, it can be quite a large payment,” he noted.
“When you translate that into business impact, the amount of effort to demonstrate compliance, to understand your own compliance requirements, that takes a lot of effort in terms of people hours, resources, and tooling.”
But CISOs should not forget to highlight the benefits getting their organization’s supply chain in order can have for the business more broadly.
Ultimately, McDermid said he thinks the industry has to be realistic about noncompliance as well as the significant work associated with and impact of eventually reaching compliance.
Security chiefs should have been raising such concerns for some time now, McDermid noted, in light of the gravity and the potential business impacts of noncompliance.
Continuing to communicate this will be vital in order to get their organizations to allocate sufficient resources to mitigate the challenges they face in getting everything in place before penalties start to be levied.
Source link
