In 2008, as the global financial crisis started to bite and giants like Lehman Brothers and Bear Stearns collapsed owing billions, the world learned rather painfully that the ‘high level of interconnectedness across financial entities, financial markets and financial market infrastructures’ constituted a systemic vulnerability.
The Financial Crisis Inquiry Commission (FCIC) looked into the causes of the crash. It reviewed ‘millions of pages of documents, interviewed more than 700 witnesses, and held 19 days of public hearings’. With such an abundance of evidence, its findings are not in dispute. It concluded in its report that the crisis was foreseeable and had indeed been foreseen. Warnings were ignored. The crisis was, the Commission reasoned, the ‘result of human action and inaction’, and ‘the captains of finance…ignored warnings and failed to question, understand, and manage evolving risks’ [1].
Credible warnings ignored
In 2004 the FBI held a news conference at its headquarters in Washington, D.C., warning about high levels of mortgage fraud; Chris Swecker, an assistant director, said that ‘it has the potential to be an epidemic’ [2]. A full four years in advance of the collapse, a credible warning was issued by trusted experts. Surely warnings from the FBI wouldn’t be ignored again.
The relevance of those ignored warnings strikes me as particularly important in today’s world. After all, would management really ignore warnings from credible, trusted intelligence agencies? Would management not have learned the lessons of the financial crisis?
Fast forward to September 2019
On 10 September 2019 the FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement calling Business Email Compromise (BEC) ‘the $26 billion scam’ [3].
Similarly, in the UK the National Cyber Security Centre (NCSC), part of GCHQ, has taken the trouble to warn and educate industry that phishing and BEC are among the most significant cyber threats. Other credible sources, albeit private endeavours, estimate that around 70% of data breaches and 90% of ransomware attacks begin with a phishing or BEC email. The scale of the problem cannot be overstated.
Given that BEC is a well-known, significant cyber threat, you might suppose, nearly a decade after the protocol was devised, that businesses would have universally adopted DMARC, the industry-standard email authentication protocol (built on SPF and DKIM) that is widely regarded as the first layer of defence against it. DMARC lets a domain owner instruct receiving mail servers to quarantine or reject mail that fails authentication for that exact domain. It does not, on its own, stop look-alike domains or mail sent from a compromised mailbox, so it is the floor of a BEC defence rather than the whole of it.
You would be only partly correct. Large global banks did indeed move swiftly to implement DMARC and secure their domains against email impersonation. Smaller regional banks, however, have been less disciplined about deploying DMARC and the other fundamentals of cyber security. That is about to change. Meet DORA.
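The gap between ‘has a DMARC record’ and ‘is actually protected’ is where the regional banks tend to sit: a record with p=none, a low pct, or a weaker subdomain policy still leaves the domain spoofable. The following auditor, an example added here rather than code from the original post, grades a published _dmarc TXT record on those points. The domains and records are constructed for illustration, not live DNS lookups; to audit a real domain you would fetch the TXT record at _dmarc.<domain> (for example with dnspython’s dns.resolver.resolve) and pass it to assess_dmarc.

```python
"""Grade a domain's DMARC record by how much exact-domain spoofing it
actually blocks. Added example for this post, not the author's code;
the domains and TXT records below are constructed, not live DNS data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed _dmarc.<domain> TXT records, from strongest to absent.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "globalbank.example": (
        "v=DMARC1; p=reject; rua=mailto:dmarc@globalbank.example; "
        "ruf=mailto:forensics@globalbank.example; adkim=s; aspf=s; pct=100"
    ),
    "regionalbank.example": "v=DMARC1; p=none; rua=mailto:dmarc@regionalbank.example",
    "halfway.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken.example": "v=spf1 include:_spf.example -all",  # an SPF record in the wrong place
    "nodmarc.example": None,  # nothing published at all
}

# Relative strength of the three DMARC dispositions (RFC 7489).
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class Assessment:
    domain: str
    rating: str = "unprotected"  # unprotected | monitor-only | partial | enforced
    findings: List[str] = field(default_factory=list)
    tags: Dict[str, str] = field(default_factory=dict)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict. Tag names are lower-cased;
    values are left alone because rua/ruf URIs may be case-sensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            tag, _, value = part.partition("=")
            tags[tag.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> Assessment:
    """Rate one record. Every weakness that keeps spoofed mail deliverable
    is recorded as a finding; the rating reflects the weakest of them."""
    a = Assessment(domain)
    if record is None:
        a.findings.append("no _dmarc TXT record: any sender can spoof this domain")
        return a
    a.tags = parse_dmarc(record)
    # RFC 7489 requires v=DMARC1 as the first tag and a p= tag.
    if not record.strip().lower().startswith("v=dmarc1"):
        a.findings.append("not a DMARC record (must start with v=DMARC1)")
        return a
    policy = a.tags.get("p", "").lower()
    if policy not in POLICY_STRENGTH:
        a.findings.append("missing or invalid p= tag; receivers ignore the record")
        return a

    if policy == "none":
        a.rating = "monitor-only"
        a.findings.append("p=none only reports; spoofed mail is still delivered")
    elif policy == "quarantine":
        a.rating = "partial"
        a.findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    else:
        a.rating = "enforced"

    # pct defaults to 100; anything lower samples the policy onto only part of failing mail.
    try:
        pct = int(a.tags.get("pct", "100"))
    except ValueError:
        pct = 0
        a.findings.append("pct= is not a number; treating it as 0")
    if policy != "none" and pct < 100:
        a.rating = "partial"
        a.findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")

    # sp defaults to p; a weaker sp leaves subdomains (e.g. payments.<domain>) spoofable.
    sub_policy = a.tags.get("sp", policy).lower()
    if POLICY_STRENGTH.get(sub_policy, -1) < POLICY_STRENGTH[policy]:
        a.findings.append(f"sp={sub_policy} is weaker than p={policy}: subdomains can still be spoofed")
        if a.rating == "enforced":
            a.rating = "partial"

    if "rua" not in a.tags:
        a.findings.append("no rua= address: no aggregate reports, so abuse goes unseen")
    return a


def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each domain to its rating."""
    return {domain: assess_dmarc(domain, rec).rating for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(domain, rec)
        print(f"{domain:24} {result.rating}")
        for finding in result.findings:
            print(f"    - {finding}")
```

The rating deliberately treats p=reject with sp=none or pct below 100 as ‘partial’: both are common ways a domain ends up looking protected on paper while a subdomain or three quarters of the spoofed mail still gets through.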
DORA, not who, what.
DORA stands for Digital Operational Resilience Act. It is the EU’s proposed regulation to tackle digital risk and build operational resilience in the financial sector.
DORA exists because the reforms that followed the 2008 financial crisis did not extend to mitigating cyber risk. It is now recognised that the failure to address this risk poses a challenge to the ‘operational resilience, performance and stability of the EU financial system’.
In the absence of detailed, comprehensive rules, member states have sought to address the problem individually, which has added a layer of complexity resulting in ‘overlaps, inconsistencies…high administrative and compliance costs’. DORA addresses that.
DORA applies to financial entities (FEs): banks (credit institutions, in the Regulation’s terminology), investment and payment institutions, electronic money institutions, occupational pension institutions, audit firms, credit rating agencies, and insurance and reinsurance undertakings and intermediaries [4]. Beyond that it also applies to third-party providers of digital and data services, including providers of cloud computing, data analytics and data centre services.
DORA – what is it good for?
It should go without saying that I’m already a huge fan of DORA. The proposal runs to 102 pages and so much of it is sensible, valuable and inarguable. The upsides are considerable; these immediately sprang to mind:
- By providing a definition of ICT risk, DORA gives the financial sector much-needed clarity. ICT risk is ‘any reasonably identifiable circumstance in relation to the use of network and information systems’. This means that warnings issued by credible agencies like the FBI or the NCSC will need to be addressed. Starting with the most significant cyber threats and working down through the known risks can only strengthen the financial services sector, protecting the sector itself, investors, clients and consumers. Warnings cannot be ignored.
- It creates an impetus to produce new policies addressing the need for an accelerated process for known ICT risks. FEs may well create a fast lane for ICT risks so that the time between awareness of a risk and the deployment of a mitigation is reduced. Whatever happens, warnings cannot be ignored.
- It specifically calls out the importance of the NIST Cybersecurity Framework. It reads:
‘Inspired by relevant international, national and industry-set standards, guidelines, recommendations or approaches towards the management of cyber risk,* this Regulation promotes a set of functions facilitating the overall structuring of the ICT risk management.’
NIST is referenced in the footnote. The Regulation goes on to recognise that other standards are permissible provided they meet the conditions it sets out, but for my money, when a standard is called out there is no downside to abiding by it, only considerable upside. Best practice cannot be ignored.
- The requirement to manage third-party risk means that FEs must be able to exit contractual arrangements without disruption to their business activities. DORA aims to eliminate the commercial stickiness that arises when a vendor, aggrieved that its service is no longer required, is able to punish the client with a lengthy and messy exit that disrupts the business.
This is fantastic news. This provision alone will allow FEs to consign old, clunky products that are no longer fit for purpose to the delete bin. They can no longer be held captive by outdated kit, and that gives the financial sector access to stronger, smarter, more robust solutions.
- [1] Financial Crisis Inquiry Commission, The Financial Crisis Inquiry Report: Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States, Official Government Edition, January 2011. Available to download from https://www.govinfo.gov/content/pkg/GPO-FCIC/pdf/GPO-FCIC.pdf
- [4] For a fuller list see Chapter I, General Provisions, Article 2 of the DORA proposal. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595