END-POINT ANALYSIS
MANAGING THE THIRD-PARTY BLINDSPOT FOR DORA
Andre Troskie, EMEA Field CISO at Veeam, says DORA compliance won't prevent every threat but ensures you can prove readiness and recover swiftly from cyberattacks.
The financial service industry is no stranger to stringent regulation. Unlike other sectors that have scrambled to comply with legislation such as NIS2, FS organisations are comparatively pretty diligent when it comes to data resilience and cybersecurity. Having operated under some of the strictest regulatory standards for some time, for most, DORA compliance should be manageable – for internal operations, that is.
Despite the confidence that many FS organisations likely have in their ability to comply with DORA audits and reporting, they can't afford to take their eyes off the ball. DORA compliance extends beyond internal procedures, covering third-party service providers as well. It's here where most organisations risk tripping up in the initial stages of DORA enforcement. With consequences ranging from significant fines to brand and reputational damage, it's an issue that organisations can't afford to overlook.
Well prepared?
Unlike other sectors that also have to comply with NIS2, financial services organisations by necessity are typically further ahead of the curve when it comes to regulatory compliance. For many, DORA's requirements will have been about building on (and proving) the strength of the foundations already in place. The main focus on DORA for financial services will likely instead be on operational resilience testing, ensuring internal awareness of different scenarios and their risk impacts.
Most financial institutions and banks will have felt confident in their scenario-based testing and, by extension, their compliance with DORA when the deadline passed this January. And if the scope of DORA didn't cover beyond internal organisation compliance, they would be right. Unfortunately for most, DORA extends to cover all of an organisation's third parties and supply chains – creating the risk of a pretty large potential blindspot.
Time to put the work in
Financial services organisations can do all the work they want ensuring internal compliance to DORA, but unless their third-party and supply partners are also compliant, they will fail regardless. And these are no small stakes. According to EY's Global Third-Party Risk Management Survey, in the US alone, 98% of financial services organisations have partnerships with third-party vendors. Although they may not realise it, third parties are one of the biggest risks to FS organisations when it comes to DORA compliance.
72 WWW.INTELLIGENTCISO.COM