The Digital Operational Resilience Act, also known as DORA, came into force on 16 January 2023 and must be applied in all 27 EU member states from 17 January 2025. The goal of this European regulation? To harmonise cybersecurity measures for companies in the banking, investment and insurance sectors, as well as their IT service providers, and to unlock and enhance the opportunities for innovation and competitiveness offered by digital finance.
To improve their cybersecurity maturity and comply with these new rules, companies can rely in particular on cyber risk quantification (CRQ). Citalid has developed a solution tailored to companies and insurers. Based on artificial intelligence and backed by cyber and risk management expertise, it is a decision-making tool that contributes to the operational resilience of organisations through a contextual and financial approach to managing the risks associated with information and communication technologies (ICT).
In this article, we take a look at the obligations brought about by DORA and how the financial quantification of cyber risk can contribute to compliance.
Who is DORA for?
Before going into the specifics of the Digital Operational Resilience Act and the measures you need to take to comply with it, it is worth recalling the context in which this regulation was adopted. It is part of a package of measures taken by the European Union: since September 2020, the EU has adopted a new digital finance strategy, a new retail payments strategy and legislative proposals on cryptoassets and digital resilience. Cybersecurity is a live concern for the European Union, as other directives on the subject have recently been adopted, such as NIS2. The reason for this particular focus on the banking, insurance and investment sectors is clear from the very first lines of the regulation: “While the widespread use of IT systems and advanced digitisation and connectivity are now essential features of all activities of financial firms in the EU, digital resilience is not yet sufficiently integrated into their operational frameworks”.
Many companies will be affected by these new regulations. If your company falls into one of the categories below, you will need to apply the new measures and strengthen your security to comply from 2025:
- Credit institutions;
- Payment institutions;
- Electronic money institutions;
- Investment firms;
- Cryptoasset service providers;
- Central securities depositories;
- Central counterparties;
- Trading platforms;
- Trade repositories;
- Alternative investment fund managers and management companies;
- Data communication service providers;
- Insurance and reinsurance undertakings, insurance intermediaries on an ancillary basis;
- Institutions for occupational retirement provision (IORPs);
- Credit rating agencies;
- Administrators of critical benchmarks;
- Crowdfunding (participative financing) service providers.
However, this new regulation does not apply to micro-businesses.
New measures to secure the finance and insurance sectors
First, an ICT risk management framework must be put in place to comply with DORA. Information and communication technologies play a key role in the smooth operation of financial institutions. However, the text does not specify which systems must or must not be implemented. It does specify that, in the event of an incident, the management body will be held responsible. The intention is therefore to encourage companies in the financial and insurance sectors to improve their cybersecurity maturity and to involve their management in this process. This should be based on “ways to ensure the resilience of IT systems” and on protecting “people and processes through a set of policies that create awareness of IT risk and a commitment to rigorous IT hygiene”, as specified in DORA.
DORA also provides for the harmonisation of the notification of incidents related to information and communication technologies. The aim of this decision is to improve the transmission of information on these incidents and to assess their “cross-border” nature. Your company will have to follow a strict procedure for reporting incidents to the competent national authorities. You will also be able to voluntarily report cyber threats that you consider significant for your sector or your customers. The text also refers to the exchange of information on cyber threats between financial actors.
The new regulation will also require companies to carry out digital operational resilience testing. The text stipulates that affected companies must test the most critical parts of their information systems at least once a year to identify their vulnerabilities.
Finally, under DORA, companies will be required to keep a register of concluded and ongoing contracts with third-party ICT service providers. The aim is to ensure more effective management of the risks associated with these providers. The text also encourages financial and insurance companies to carry out due diligence before entering into a contractual relationship and to include minimum standard clauses in contracts.
Know your risks to ensure compliance with Citalid
Compliance with DORA will require companies affected by the regulation to acquire new reflexes for assessing, controlling, and communicating cyber risks. In this context, quantifying cyber risk can be an interesting and effective tool for companies. Implementing a new risk management strategy is a major investment, both financially and organisationally. An innovative solution such as Citalid can be the key to ensuring your organisation’s compliance.
What is cyber risk quantification, often abbreviated as CRQ? It is a technique used to assess the likelihood of an incident occurring, the potential financial loss and business interruption it would cause, and the effectiveness of existing security measures in mitigating the risk. The aim of this approach is not to scare, but to learn more about the threat so that we can protect ourselves effectively.
DORA sets out the responsibilities of management teams in the event of a cyber incident. Until now, however, cyber risk has mainly been the concern of the company’s technical teams. This is because managing this risk requires specific knowledge and a precise vocabulary, making communication between IT teams and business management complex. Quantifying cyber risk solves this problem by providing reliable, easy-to-understand indicators for establishing dialogue and making the right cyber security decisions. Gartner’s latest research on the subject shows that this type of tool is mainly used as an aid to internal communication within companies. As cyber risk is first and foremost a financial risk, the platform developed by Citalid provides financial indicators to establish a common language within the company and help you implement your cyber risk management strategy.
The Citalid solution combines artificial intelligence with expertise in cybersecurity and risk management. It is based on the FAIR (Factor Analysis of Information Risk) methodology, which assesses risk by combining the factors that determine how often attacks occur and how much a successful one costs. At the same time, our team of cyber threat intelligence experts monitors nearly 700 cybercriminal modus operandi to analyse and contextualise a constantly evolving threat. All of this data is used to create more than 1,000 attack scenarios that provide a comprehensive simulation of the risks involved. On average, the use of our tool leads to a 30% reduction in financial exposure and an 8% increase in defence maturity, thanks to a personalised investment roadmap. We can therefore provide you with a reliable view of the impact of your organisation’s security investments on its financial exposure to cyber risk, enabling you to build your risk management strategy.
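To make the FAIR reasoning above concrete (loss event frequency combined with loss magnitude to obtain an annualised financial exposure, and the effect of a control that lowers frequency), here is a small Monte Carlo example written for this article. It is not Citalid's platform or its models; the three-point estimates and the control factor are constructed values.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreePoint:
    """Expert estimate (min, most likely, max), sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0


def poisson(rate: float, rng: random.Random) -> int:
    """Number of loss events in one year for a given yearly rate (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def analytic_ale(freq: ThreePoint, magnitude: ThreePoint, control_factor: float = 1.0) -> float:
    """Expected annualised loss = E[events per year] * E[loss per event].
    control_factor scales the event frequency (1.0 = no control, 0.6 = 40% fewer events)."""
    return freq.mean() * control_factor * magnitude.mean()


def simulate_ale(freq, magnitude, control_factor=1.0, years=10_000, seed=7):
    """Simulate `years` independent years; return mean, median and 95th percentile loss."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(years):
        events = poisson(freq.sample(rng) * control_factor, rng)
        yearly.append(sum(magnitude.sample(rng) for _ in range(events)))
    yearly.sort()
    return {"mean": statistics.fmean(yearly),
            "p50": yearly[len(yearly) // 2],
            "p95": yearly[int(0.95 * len(yearly))]}


# Constructed scenario: a ransomware-style event, 0.5 to 3 times a year, costing 50k to 700k each.
FREQ = ThreePoint(0.5, 1.0, 3.0)
MAGNITUDE = ThreePoint(50_000, 150_000, 700_000)

if __name__ == "__main__":
    print("baseline     ", simulate_ale(FREQ, MAGNITUDE))
    print("with control ", simulate_ale(FREQ, MAGNITUDE, control_factor=0.6))
```

The gap between the mean and the 95th percentile is what a purely expected-value figure hides, and it is the kind of indicator a management body can weigh against a control's cost.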
The tests required by the DORA regulation are an integral part of the new strategy that your company must adopt. Citalid can help you in this process, as our platform is designed to provide a financial reading of the company’s critical assets in the event of a cyber attack. What’s more, our tool can also help you analyse the risks posed by your IT service providers: we enable you to rank your service providers according to the cyber risks they pose to your business, and our platform takes your suppliers into account in the attack scenarios proposed to you. With these elements in place, you can create an appropriate business continuity and recovery plan to manage your cyber risk with complete peace of mind.
More specifically, within the framework established by DORA, Citalid is a tool designed to help you understand and control your cyber risk in order to facilitate your company’s compliance. As part of your compliance process, your company may need to adopt new cybersecurity solutions, and Citalid measures their return on investment. To do this, our platform provides its users with indicators to support informed decisions: the financial impact of cyber incidents, the budget required for the cybersecurity approach, and the risk borne by third-party ICT service providers. Finally, the platform gives you a better understanding of cyber risk, so you can report threats to regulators more effectively and take appropriate action to reduce your exposure. Our solution is suitable for financial institutions and insurance companies, as demonstrated by our partnership with Zurich Resilience Solutions and the trust placed in us by Relyens and Allianz.
So why not give Citalid a try? Request a demonstration here.