Reimagining Cyber - real world perspectives on cybersecurity

Inside DORA: EU's Cyber Resilience Path - Ep 84

February 14, 2024 Reimagining Cyber Season 1 Episode 84

In this episode, hosts Rob and Stan explore the EU's Digital Operational Resilience Act (DORA) with Dominic Brown, a cybersecurity expert. DORA addresses cyber threats to EU financial systems, emphasizing risk management, incident response, and third-party oversight. Dominic compares DORA to US regulations and advises organizations to build risk management teams and enhance cyber resilience before the 2025 deadline.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com


[00:00:00] Rob Aragao: Well, hey everyone, welcome back for another episode of Reimagining Cyber. Rob and Stan here. Stan, I'm not sure what this topic's about today. It says Dora, and it flashes me back to my kids in their childhood and one of their favorite cartoons, Dora the Explorer. Are we talking about Boots the Monkey and that whole kind of gang?

[00:00:17] Stan Wisseman: You know, that's a good place to go, but since this isn't related to cybersecurity, Rob, we're going to actually do it on an EU regulation that's coming out in January 2025. So that's what it is. I can understand the confusion, you know, but DORA is actually the Digital Operational Resiliency Act. So I don't know if DORA was an acronym for Dora the Explorer or not, but

[00:00:41] Rob Aragao: I don't think so. You just clarified that for me. That's much easier to talk about.

[00:00:45] Stan Wisseman: So, for our listeners who aren't familiar with what DORA is, let me just go into it a little bit to sort of set the stage. It's an EU regulation that's designed to fortify European financial sector [00:01:00] organizations and equip them to effectively handle, adapt to, and bounce back from different kinds of disruptions or threats that may occur related to information and communication technology, or ICT. And it's a key piece of legislation that's, you know, going to be focused on maintaining digital operational resiliency. And it's planned to go into effect in January 2025, and organizations are already getting ready for that.

[00:01:28] Rob Aragao: Excellent. Sounds like a blast. And let's figure out who's going to join us today. So can you share with us who it is? 

[00:01:34] Stan Wisseman: In fact, our guest today is Dominic Brown, and he's the CEO of Grave Lighting Consulting, and Dominic is an authority on FinTech. And so given his experience, which spans critical areas like information governance and compliance strategies and cybersecurity, he's the perfect guest to have on to talk about DORA.

[00:01:52] Dominic, we're thrilled to have you with us today. Before we delve into the discussion we're going to get into today, is there anything else you [00:02:00] want to share on your background with our listeners?

[00:02:02] Dominic Brown: Sure. First of all, a pleasure to be here with you, Rob and Stan. A little bit on my background.

[00:02:08] I've spent 20 years in various roles, building and delivering solutions for financial services. I was a compliance practice manager at EMC, field CTO at HP Big Data, ran a presales and professional services team at SSNC Interlinks. And then I left Interlinks in July and started Graves Light Consulting.

[00:02:28] And essentially we help FinTechs and tech companies that want to be FinTechs sell and market into financial services.

[00:02:34] Rob Aragao: Yeah. And you know, you and I had a conversation that kind of led to the point of bringing it onto the podcast on this very topic, especially given all your previous experience. And we recently just touched briefly on this topic on an episode with, with the deal seed, but I wanted to, you know, get into it much deeper because again, you've been looking at this space for quite some time.

[00:02:54] And there's a lot of synergies and the things that you've accomplished in the past. And now I have maps. So what we're seeing come out of [00:03:00] DORA, so, so again, what are some of the key factors and concerns, you know, for the audience to understand the drivers behind the EU regulations that are being implemented by DORA?

[00:03:09] What are some of the kind of motivations that the, the organizations in that European financial sector need to be considering at this point in time? 

[00:03:17] Dominic Brown: Yeah, well, I mean, the obvious one is that there's been a big uptick in cyber attacks on financial services in the EU. Attacks more than doubled between Q2 2022 and Q2 2023.

[00:03:29] 78 percent of Europe's larger financial institutions experienced a third party breach last year. So this prompted regulators to examine insurance claims for financial services, and they determined that cyberattacks are the primary cause of financial loss in the financial sector. And it doesn't really appear to be letting up.

[00:03:52] And it's not only the operational risks. The regulators are concerned about a systemic risk to the EU [00:04:00] financial system. So you know, it's a highly connected financial network. An incident at one of the major banks or payment networks could adversely affect the whole chain, right? So that's pretty telling that, you know, it's not just the operational risk.

[00:04:17] It's, it's the systemic risk. I think, you know, COVID and normalizing remote work accelerated digital transformation and financial services, but the cyber and operational resilience didn't necessarily follow suit. I think it made the financial sector a pretty ripe hunting ground for cyber thieves. 

[00:04:36] Stan Wisseman: Now Dom, the US side of the equation as far as regulators is, is also getting into this right?

[00:04:44] You know, so the SEC has issued their cybersecurity rule. What, in your view, are some of the similarities or distinctions between the approach the SEC is taking, again, [00:05:00] helping, you know, the financial sector and the U.S. global companies there, and DORA? What are the overlaps? And how would you differentiate them?

[00:05:10] Dominic Brown: Yeah. I mean, at a high level, DORA, you know, obviously, DORA encompasses the entire EU financial system. The SEC is focusing on public companies in the United States. But really, the big difference is, I mean, the SEC's primary mission is to protect investors, right? So what they're doing is they're forcing public companies to disclose cybersecurity incidents and their programs for managing cybersecurity.

[00:05:38] So investors can make sound investment decisions. 

[00:05:42] Stan Wisseman: And, and let's face it, as far as the incidents go, many ransomware attacks have not necessarily been disclosed. Right. And so the investors don't have a clue that some of these things have occurred to the companies in which they have, you know, shares for.

[00:05:55] Dominic Brown: That's right. And so the average public company stock price declined 7.5 percent [00:06:00] after a data breach, and the SEC used additional, they used the investor, the Investment Advisors Act, I think of 1930, I'm not sure the exact date, but it was an act that was implemented after the stock market crash. So they just added to that, right?

[00:06:17] They already had firms disclosing litigations and other incidents so investors could make sound decisions. And so they just added cybersecurity to that. DORA, as we mentioned, is looking at systemic and operational risk from cyber security threats, right? So it's a bit more severe. I would say that DORA, the SEC isn't prescribing any technical standards by design.

[00:06:40] They don't want to know, right? Because if somebody gives them the info and they lose it, that can be used against these companies. DORA, on the other hand, is gonna prescribe technical standards for the ICT risk management and governance. Both regulations are similar in that they bring management and the board into the mix [00:07:00] and put requirements on them to oversee, uh, the process for managing and assessing risk.

[00:07:06] Rob Aragao: Well, that's, I think those are the two big levers, right? That the SEC has taken, and obviously now, over in the EU with DORA, is the interconnection point back into the board and executive layer, right? Really kind of using that to push cyber security. Now, you talked about this a little earlier too, that whole kind of change in the landscape of things that happened during COVID, and that, you know, operational resiliency, I think, was pretty well understood.

[00:07:29] Cyber resiliency was not, right. And this is helping drive the maturity of cyber resiliency in essence. So what would be helpful is for you to kind of share the DORA implementation framework, if you will, kind of just, you know, break it down on what the stages are, just so again, so people understand better and are educated in that kind of approach that you're thinking about taking.

[00:07:48] Dominic Brown: There's five main areas, right? There's ICT risk management and governance, incident response and reporting, third party risk management, information sharing. I'll try to go through these in detail, but [00:08:00] without being too incredibly boring. It is a, you know, a government regulation after all.

[00:08:08] But so the ICT risk management governance. So it goes back to involving the management team and the board to be responsible for ICT risk management and the implementation of the framework, and the leaders can be held accountable and fined or penalized for not complying with the regulations properly.

[00:08:31] More on the framework. So the framework firms are required to map ICT systems, identify critical applications and functions, document the dependencies around applications, people and processes, and then do continuous assessment of the framework and its capabilities to address cyber threats. And this is going to include scenario based impact analysis to see how specific scenarios [00:09:00] and disruptions might affect the business.

[00:09:02] Stan Wisseman: Just pausing you there. How would you, how would you differentiate that from business continuity planning? Where you identify those critical systems and the associated processes that support them and assets.

[00:09:13] Dominic Brown: It's very similar. Yeah, except it's focused on cyber security. So that brings us to the next piece of the framework, is that firms also need to incorporate business continuity and disaster recovery in terms of cyber risk scenarios.

[00:09:30] So I think it's a very similar plan, right? You've got a DR plan. You've got a business continuity plan. You need a plan to manage cyber risk. How are you going to identify those, deal with those, report on those and so forth.

[00:09:46] Stan Wisseman: It's just making sure that cyber security is part of those scenarios that you're planning for.

[00:09:51] Dominic Brown: Yeah, well put, right? It's, it's now. So I mentioned the disaster recovery and the business continuity, and a big piece of this, [00:10:00] and this is where it gets really prescriptive, is that firms are expected to put in appropriate protection measures. So this is going to include policies and tools. So I think they're going to recommend types of tools like identity access management, SOAR, SIEM, you know, throwing in an acronym.

[00:10:19] I think they're going to get to that level of prescriptive.

[00:10:22] Stan Wisseman: Like Article 16, it looks like they, they call out use of static and dynamic testing of your applications, too. So, I mean, they don't necessarily say use those tools, but that's how you do it.

[00:10:33] Dominic Brown: Yeah. The technical requirements are in process. They've been submitted.

[00:10:38] They've been finalized. They're now being reviewed by the relevant authorities, and then they expect about a year from now that firms will need to implement them. Next piece. The second piece here is incident reporting. So firms are going to need to have a system for monitoring, managing, logging and [00:11:00] reporting ICT related incidents.

[00:11:03] Depending upon the severity of the incident, firms will need to notify if it's severe. They'll need to notify their clients, their partners and the regulators for critical incidents. There's three types of reports: one notifying the authorities, an intermediate report on the progress toward resolving the incident, and a final report analyzing the root causes of the incident.

[00:11:25] And this is actually very similar to what the SEC is recommending for public companies in the United States. Resilience testing. So firms are going to need to test their ICT systems once a year to identify strengths and vulnerabilities. The results and plans for addressing the vulnerabilities need to be reported to the EU, and firms that play a critical role in the financial system will need to do threat led penetration testing every three years, and they're also going to need to do this with the third party providers.

[00:12:00] Stan Wisseman: Can I just opine on the fact that I don't think these kind of point in time assessments are really as valuable as we once thought they would be? I mean, they identify gaps, right, at a point in time, but to do something once a year or a pen test every three years, I mean, that doesn't really help you with the continuous evolution of the threat landscape we're experiencing.

[00:12:26] Right? I mean, so I think continuous monitoring is, I'm not saying that I want to add to the DORA requirements, but as far as organizations concerned about maintaining their security posture, they can't rely on that kind of point in time frequency.

[00:12:42] Dominic Brown: No, no. I mean, a lot can happen in three years, as we know.

[00:12:48] Rob Aragao: Yeah. And continuous should just be included in general, right? We've had this conversation in the podcast on other topics in the past that it's like, you know, what happened back in the day of PCI audits. [00:13:00] People get prepared for those audits, right? They get, sometimes they get a pre audit. Here are the findings.

[00:13:03] We'll come back six, six months later to tell you, you know have you actually achieved the gaps and closed them that we've actually pointed out six months ago? It's like, great, but what's the point, right? So this whole aspect of really being continuous, I think is just, it's going to be critically important.

[00:13:17] Dominic Brown: And it's, it's interesting. You mentioned that; continuous improvement is a pretty big piece of it, but it doesn't necessarily encompass the resilience testing and probably some other aspects that are part of the regulation.

[00:13:35] Stan Wisseman: You know, again, we've had conversations on the podcast about the effectiveness of security controls, right, Dom, and the fact that they erode over time.

[00:13:45] And so it's one of those things, again, you wouldn't want to wait a year. You want to have that, you know, I guess another question I have as far as just impact to enterprise architectures in the context of the financial sector. Do you [00:14:00] think, you know, DORA's technical requirements, I know it's in process, are going to have pretty dramatic changes to, whether it be, you know, data management or IT infrastructure, cybersecurity practices?

[00:14:12] What do you think?

[00:14:14] Dominic Brown: Well, there's a third party risk element to DORA that we haven't talked about yet. We talked a little bit about it, but firms are going to need to oversee the risk with their cloud services providers. And they're also going to need to stipulate in the contracts SLAs around cybersecurity, contractual arrangements around cybersecurity that the regulators are going to stipulate, and they won't be able to partner with

[00:14:47] companies that don't meet these standards and adhere to these rules. So I think that is going to influence enterprise architecture.

[00:14:57] Stan Wisseman: And help me understand that. Cause I mean, we've been working under [00:15:00] this shared responsibility model with CSPs, right? And how, if you're dealing with IaaS, you know, infrastructure as a service, the Amazons of the world take care of certain security controls in that context, and you are worried about the application, right? I mean, they're, they're, but so are you saying that that model is possibly going to be changed, or the contracts are going to have to enforce on the CSP more responsibility?

[00:15:32] Dominic Brown: I think the responsibility is going to be on both the cloud service provider, and I mean, it calls it right out in the regulation that the financial services firm is responsible for the risk management, and the third party, say, Amazon, for instance, right? And this is going to be complicated because Amazon's not going to let you do a security audit of their infrastructure, right?

[00:15:57] A smaller vendor might, right? But I do think it's going to [00:16:00] result in less complicated architectures, because I think the more third party applications that you're using, the more difficult it's going to be to manage the cybersecurity risk, as well as just the complexity in the contracts, right? I mean, if you think about it, the, you know, the fewer security models, sets of audit trails, access controls you've got to deal with, the better off you're going to be, right?

[00:16:33] And I think for some business processes like M&A, investment banking, private equity, investment management software, things like that, I think vendors that can provide the entire stack are gonna be at an advantage because it's just going to simplify it. And these lines of businesses, you know, they're not [00:17:00] in the weeds when it comes to IT, right. So they're not looking necessarily at the Amazons of the world. They're looking for someone to solve a problem for a specific business process. So I think if you're a reasonably stable vendor that can provide the whole stack, I think you'll be at an advantage. I think it's really going to be bad for partnerships where there's a fourth party solution that you're going to deal with, right?

[00:17:24] I think it's going to tighten that all up.

[00:17:30] Rob Aragao: You know, as you guys are talking about that, you know, the model of the cloud providers and shared responsibilities, and that conversation to me, at the end of the day, the end financial institution is still always accountable no matter what, right?

[00:17:43] So they, and the CSP, have shared responsibilities in how they actually secure and govern their systems, applications and so on. But at the end of the day, it's always going to be pointed right back to the financial institution. Hence, DORA's penalty is going to be targeted right at the financial institution that we've been talking about.

[00:17:59] So, [00:18:00] Dom, we've been talking about a lot of the behind the scenes, and you talked and walked us through the stages within the kind of implementation framework, if you will, for DORA. So someone just kind of getting started, like where would you say is a good spot to begin and start kind of, you know, being able to evolve and mature and ensure you have, because a lot of what I'm hearing honestly is the stuff that we should all be doing anyways, right?

[00:18:21] It's good hygiene, right? And it's, it's kind of like we go, well, yeah, of course, but the reality is, is we all know. Not everyone's doing this type of stuff. So again, kind of guidance from you, where would you start? 

[00:18:31] Dominic Brown: Yeah. I mean, it's the brushing and flossing for cybersecurity, right? I mean, I would just, I would look at the, I mean, the regulation is difficult to look at online because it's incredibly verbose, but I would get some distillation of the regulation and just look at what it recommends, right?

[00:18:50] So I'd begin with the framework, right? If you don't have one built already, build the risk [00:19:00] management and governance team and start to implement the framework, right? A logical place to start would be to do a gap analysis of your cyber security capabilities. Invest to improve between now and 2025.

[00:19:10] In terms of incident management, you know, are you going to be able to report on incidents quickly and in a suitable format for the regulators? I think the actual format is going to come out with those technical requirements. It's probably a good time to automate incident management. I'd do a similar gap analysis on business continuity and disaster recovery, how it relates to cyber security.

[00:19:35] Obviously, implement awareness programs and training programs, and then map out your third party vendors, examine how you evaluate their capabilities in terms of cyber security, how you onboard them, and think about things. You know, do they allow security audits on their systems? Do they have security certs like ISO 27001?

[00:19:54] Do they do SOC 2 audits? That type of thing. Are there fourth party technologies in the [00:20:00] framework? And then have a plan for capturing the lessons learned and using that information for continuous improvement.

[00:20:06] Rob Aragao: Well, Dom, hey, listen, we appreciate you coming in and talking about something that's still, you know, relatively kind of fresh in people's minds, getting a good education, understanding of what's to come.

[00:20:14] But the timeline actually is pretty short, right? Because they've got till January 2025. And here we are in February already. So there's a lot of work potentially to be done. I think you gave some great guidance also on, you know, going through and doing a gap assessment, in essence, so you can figure out where are those areas to prioritize and start actually ensuring that you've got them locked down in a good spot before the clock ticks.

[00:20:36] And here we are in January, the fines start coming your way. So thank you for coming on and sharing with everyone. Really appreciate it.

[00:20:41] Dominic Brown: Hey, my pleasure, guys. Happy to be here.

[00:20:44] Stan Wisseman: Hey, thank you, Dom.