On December 14, 2022, the European Parliament and Council approved the Digital Operational Resilience Act (DORA), set to take full effect by early 2025. The Act, first presented by several European industry commissions and oversight bodies, sets new cybersecurity standards for financial institutions operating and doing business in the European Union (EU). The regulation centers on financial institutions’ reliance on information and communications technology (ICT), and the systemic risk that the use of ICT poses. Further, the DORA acknowledges that previous regulations haven’t gone far enough to protect the financial sector, its customers, and the interconnected entities that support daily operational functions for financial services firms.
The regulation, therefore, creates standards and a set of practices that must be followed by every financial institution in the EU (including companies in peer-to-peer finance, securities, insurance, trading, lending, and credit services) in order to holistically address cyber vulnerabilities and threats. The ultimate goal is to effectively decrease the likelihood of a successful cyber attack that results in organizational or industry disruption.
A bit of background
Like the National Cybersecurity Strategy set forth in the U.S., the DORA focuses on digital resilience rather than specific vulnerabilities or threats. In doing so, it places an obligation on CEOs and their executive teams to define cybersecurity strategies at the highest level. This helps accomplish what many cybersecurity practitioners have wanted for so long: the recognition that poor cybersecurity practices threaten the strategic, operational, and financial health of entire organizations, as well as (potentially) the organization’s partners, providers, and customers. It’s the ultimate “seat at the table” for cybersecurity.
As stated in the law, DORA “aims to consolidate and upgrade ICT risk requirements as part of the operational risk requirements that have, up to this point, been addressed separately in various Union legal acts.” It further explains that “A Regulation helps reduce regulatory complexity, fosters supervisory convergence and increases legal certainty, and also contributes to limiting compliance costs, especially for financial entities operating across borders, and to reducing competitive distortions.” This risk-focused approach pushes for security processes that run throughout the organization, rather than leaving security to the security team alone.
Key elements of the Act
To achieve digital resilience and meet the requirements of the DORA, the regulation outlines five key areas:
- ICT risk management
- ICT incident reporting requirements
- Digital resilience testing requirements
- ICT third-party risk management
- Information sharing and ongoing learning
Within those pillars, there are numerous sections that focus on how financial institutions can tactically and strategically achieve the above requirements, including:
- Governance protocols
- Risk management frameworks
- Identification, protection and prevention, detection, response and recovery
- Backup policies
- Harmonization of tools and technologies
CAASM’s role in the DORA
If there is one thing at the heart of every one of these areas, it’s that an entity must have a complete and reliable way to identify all deployed assets and manage their associated security states to achieve the requirements of the regulation and therefore organizational resilience.
Section II, Article 8 of the DORA is titled “Identification,” and emphasizes the need for an asset inventory. Under this Article, financial institutions must:
- Identify, classify, and adequately document all ICT assets, the role they play in the ICT ecosystem, and all assets’ dependencies. This assessment is in service of identifying cyber risk and must be reviewed on a “regular basis,” and at least yearly.
- Identify all sources of ICT risk, including third-party risk from other assets, cyber threats, and cyber vulnerabilities that would impact business functions. These risks must be reviewed on a “regular basis,” and at least yearly.
- Perform a risk assessment for each major change in the network and information system infrastructure, or in the processes or procedures affecting their ICT-supported business functions, information assets, or ICT assets.
- Identify all assets, including those on remote sites, network resources, and hardware equipment. Further, financial firms must map critical assets in the network, their dependencies, and their configurations.
- Identify and document all processes that are dependent on ICT third-party service providers, and identify interconnections with ICT third-party service providers whose services support critical or important business functions.
- Maintain relevant asset inventories and keep them updated to account for any major network changes.
- Perform regular risk assessments on all assets, including all legacy systems, before deploying any new technology, application, or system.
Systemic attack surface reduction
This is what cyber asset attack surface management is all about, and why CAASM, or cybersecurity asset management tools, are a must for all organizations. These tools effectively reduce the cyber attack surface by systematically identifying all assets and their security posture, allowing for deep analysis of asset-related risk, and providing a way for organizations to prioritize and remediate asset-related risk. CAASM achieves these goals using automation, reducing the time and effort needed to understand cyber risk while increasing the accuracy of that understanding.
A robust cybersecurity asset management solution, like Axonius, allows financial organizations to comply with the DORA by continuously identifying:
- All assets deployed in their environment/internal networks
- All assets used and accessed via external networks (SaaS applications and services)
- Third-party, connected assets
- How assets relate/map to each other
- The security state of each asset
- All asset-related vulnerabilities (CVE, misconfiguration, non-compliance with policies)
- How any compromised asset could impact organizational resilience
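As an added illustration (not code from the original post or from Axonius), the following shows the kind of correlation a CAASM tool performs against the Article 8 items above: records from an EDR agent, a vulnerability scanner, and a CMDB are merged into one entry per asset, and each asset is then checked for undocumented, uncovered, vulnerable, or overdue-for-review status. The feeds, hostnames, and CVE identifiers are constructed placeholders, and the function names are assumptions for this example.

```python
from datetime import date

# Constructed sample feeds: each source sees only part of the estate.
EDR = [{"host": "fin-db-01", "agent": "healthy"},
       {"host": "trader-ws-07", "agent": "stale"}]
SCANNER = [{"host": "fin-db-01", "cves": ["CVE-EXAMPLE-0001"]},
           {"host": "legacy-batch", "cves": ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"]},
           {"host": "TRADER-WS-07", "cves": []}]       # same box, different casing
CMDB = [{"host": "fin-db-01", "third_party": None, "last_review": "2024-11-02"},
        {"host": "trader-ws-07", "third_party": None, "last_review": "2023-09-15"},
        {"host": "saas-ledger", "third_party": "ledger-vendor", "last_review": "2024-05-20"}]


def correlate(edr, scanner, cmdb):
    """Merge every source into one record per asset, keyed on the normalized hostname."""
    inv = {}

    def rec(host):
        return inv.setdefault(host.lower(), {"sources": set(), "agent": None, "cves": [],
                                             "third_party": None, "last_review": None})

    for r in edr:
        e = rec(r["host"]); e["sources"].add("edr"); e["agent"] = r["agent"]
    for r in scanner:
        e = rec(r["host"]); e["sources"].add("scanner"); e["cves"] = list(r["cves"])
    for r in cmdb:
        e = rec(r["host"]); e["sources"].add("cmdb")
        e["third_party"] = r["third_party"]; e["last_review"] = r["last_review"]
    return inv


def article8_gaps(inv, today_iso, max_review_days=365):
    """Flag each asset that fails an Article 8 expectation; review age is the 'at least yearly' bar."""
    today = date.fromisoformat(today_iso)
    gaps = {}
    for host, e in inv.items():
        issues = []
        if "cmdb" not in e["sources"]:
            issues.append("undocumented")            # seen on the wire, but never classified
        if "edr" not in e["sources"] and e["third_party"] is None:
            issues.append("no_edr_coverage")         # internal asset with no security state
        if e["agent"] == "stale":
            issues.append("edr_agent_stale")
        if e["cves"]:
            issues.append(f"open_vulns:{len(e['cves'])}")
        if e["last_review"] and (today - date.fromisoformat(e["last_review"])).days > max_review_days:
            issues.append("review_overdue")
        if issues:
            gaps[host] = issues
    return gaps


if __name__ == "__main__":
    for host, issues in article8_gaps(correlate(EDR, SCANNER, CMDB), "2025-01-17").items():
        print(host, ", ".join(issues))
```

Third-party assets such as the constructed `saas-ledger` are exempted from the EDR-coverage check here; Article 8 expects them to be tracked through the provider's interconnection record instead.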
The Axonius solution
It’s important to note that not all CAASM or cybersecurity asset management solutions are created equal. The strength of the Axonius solution lies not only in its automated asset and vulnerability discovery and mapping: compared to other commercial tools, Axonius has the largest adapter network (i.e., pre-built technology integrations) and offers the most reliable and actionable asset data correlation. What this means is that, for every asset, Axonius customers will know the asset’s true security state and won’t be dealing with duplicate assets. Customers can simply and easily investigate assets (via the easy-to-use Axonius Query Wizard) for any cyber risk-related problems.
Further, Axonius allows for automated risk remediation via the Enforcement Center, which provides 125+ remediation actions, aiding in ICT risk management.