The critical risk in DORA financial regulations


Supply chain attacks are a growing concern, particularly within the financial sector, with attackers increasingly using key technology suppliers as a ‘jumpbox’ to pivot into their intended target organisation.

Last year’s MOVEit breach, for instance, saw a single ICT supplier ultimately cause ~2,356 organisations to be compromised, with primary victims predominantly in the financial sector. It is no surprise, then, that two lengthy technical advisories have since been required to clarify precisely how financial sector organisations need to manage their critical ICT third-party providers ahead of the DORA regulation’s go-live date in January 2025.

The sheer volume of guidance has left some organisations unclear about their preparedness for DORA. While our 5-point checklist below helps to simplify the latest guidance, it is important to remember that a tick-the-box approach is limited. What is essential is how organisations can leverage DORA to implement the solutions and processes that genuinely improve their security posture.

For instance, DORA’s expansive Monitoring and Reporting requirements give organisations a wide remit to substantially reduce their exposure to the threats created by supply chain partners. However, organisations that opt for an automated ‘vendor risk management’ solution or a basic Managed Vulnerability Scanning (MVS) service as their coverage are barely scratching the surface. As entities found to be in violation face fines of up to 2% of their total annual worldwide turnover or, in the case of an individual, a fine of up to €1,000,000, the stakes are high.

Our 5-point ICT supplier management checklist

Thankfully, your organisation likely has many of DORA’s ICT supplier requirements covered, to an extent, by existing governance, risk and compliance processes. The main challenge will be maturing your processes for onboarding, policies and procedures whilst ensuring continued diligence over time.

Additionally, most responsibilities only require point-in-time action. With an organised schedule and clear supplier communication, requirements 1-4 outlined below can be easily amended and updated in-house. On the other hand, Requirement 5 – Monitoring and Reporting – will likely require external support for many organisations.

Periodic Action Required (Annual/Quarterly/Monthly)

1. Develop a Risk Management Framework
Typically accountable: Legal, Risk & Compliance, Operations.
  • Develop and regularly update a comprehensive ICT risk management policy.
  • Outline procedures for engaging with and managing third-party ICT service providers.
  • Include criteria for selecting providers, the types of data they can access, and the security standards they must meet.
  • Conduct regular training sessions for stakeholders on risk management policies.
  • Schedule quarterly reviews to update and refine the risk management framework based on new threats and regulatory changes.

2. Conduct Due Diligence and Assessments
Typically accountable: Legal, Procurement, Risk & Compliance, Operations.
  • Implement a thorough vetting process for evaluating the security practices, data handling procedures and compliance track records of potential third-party providers.
  • Conduct security audits, review Service Level Agreements (SLAs), and assess providers’ compliance with relevant regulations.
  • Develop a checklist of security and compliance criteria for vendor assessments.
  • Schedule annual security audits and SLA reviews for all key ICT suppliers.

3. Update Contractual Arrangements
Typically accountable: Legal Team, Operations Management.
  • Work with legal and compliance teams to ensure that all contracts with ICT providers include clauses that mandate adherence to security requirements, data protection standards and incident reporting protocols.
  • Ensure a contractual obligation to allow regular audits and compliance checks.
  • Draft standard contract clauses that can be easily integrated into supplier agreements.
  • Review and update contracts annually to reflect new security requirements and regulatory changes.

4. Ensure Incident Management and Business Continuity Processes are sufficient
Typically accountable: Risk & Compliance, Internal IT Security, Third Party Security provider.
  • Require third-party providers to demonstrate their incident response capabilities and business continuity plans during the due diligence phase.
  • Regularly test these plans in conjunction with the entity’s internal strategies to ensure seamless operation and quick recovery in the event of an incident.
  • Develop incident response and business continuity testing protocols.
  • Schedule semi-annual joint testing exercises with third-party providers to ensure preparedness.

Continuous Action Required

5. Expand Monitoring and Reporting
Typically accountable: Risk & Compliance, Internal IT Security or Third Party Security.
  • Establish monitoring mechanisms such as regular performance reviews, real-time security monitoring and compliance audits.
  • Set up automated alerts for any breaches or anomalies, and maintain a transparent line of communication with the provider for timely reporting of potential issues.
  • Schedule monthly performance reviews and quarterly compliance audits with key ICT suppliers.

For requirements 1-4, having delegated responsibility appropriately, the relevant personnel can create or amend existing policies and procedures and ensure they are updated on a regular basis over time (typically quarterly or annually).

Beyond that, continued due diligence on the part of your legal, operations, or risk and compliance personnel is critical. Periodic security audits and SLA reviews of your key ICT suppliers will ensure that you do not suffer the consequences of DORA non-compliance.

One major aspect of note – ‘Monitoring and Reporting’ – requires technical security operations that not all organisations will have in-house. Moreover, how closely and how ‘continuously’ one can feasibly monitor and interact with their suppliers will be uncharted territory that will be vitally important for compliant organisations to conquer.

What constitutes ‘continuous monitoring’

In the context of ICT supplier risk management, ‘continuous monitoring’ makes up for the limitations of standard due diligence by incorporating real world evidence of a supplier’s exposure on the public internet. Attackers will exploit any information available and, over time, suppliers inevitably expose ‘shadow IT’ and sensitive personal or company information.

There is a crucial distinction between the array of risk management solutions available to combat this issue. Take some ‘vendor risk management solutions’, for example, that provide a subscription service for point-in-time snapshots of an organisation’s hypothetical exposure via a risk rating methodology and a client dashboard. While this may be helpful for insurance companies quickly assessing organisations on the spot, periodically checking your supplier’s risk rating does not constitute continuous monitoring.

Solutions like Managed Vulnerability Scanning (MVS) may surpass static, point-in-time risk ratings by providing evidence of supplier vulnerabilities, yet MVS is limited by its reliance on automation, which misses nuanced, complex threats and lacks the contextual analysis provided by human-led approaches. Human-led monitoring services, on the other hand, utilise offensive security professionals who adopt an attacker’s perspective. By continually monitoring the cumulative attack surface of both an organisation and its critical ICT suppliers for exposed assets and potential vulnerabilities, they offer a level of security depth that automated services cannot achieve.

Consider the breadth of information available: sensitive information unintentionally published by suppliers’ developers on GitHub, publicly accessible management services, outdated software, or misconfigured servers. With such a range of issues to remedy, critical exposures are often left unaddressed as a lack of prioritisation leads to inaction.

While many solutions can provide data feeds, enumerate assets and domains, and utilise AI to expedite threat research, the onus must be on security professionals to prioritise truly critical risk. More comprehensive solutions, such as Continuous Attack Surface Management (CASM), provide real-time notification of critical threats and reporting guidance when key ICT suppliers have elevated exposure. However, it is essential that the service can prioritise only a select number of truly critical, organisation-specific risks.

Generic solutions that identify hundreds of vulnerabilities may sound impressive, but they typically fail to assess exploitability within an organisation’s environment. There is simply no point in organisations ingesting volumes of data in an attempt to monitor suppliers, only to find themselves overwhelmed, unable to remediate, misjudging risks, and ultimately less well equipped to respond when a key ICT supplier suffers a critical vulnerability or zero-day. It is far better to have ten truly critical ‘must fix’ vulnerabilities to swiftly remediate than a long list of security issues that leave you constantly chasing your tail.

A framework for ICT supplier reporting

As stretched security teams play catch up to emerging threats by default, DORA’s insistence on greater collaboration around mutual exposures, vulnerabilities and threat intelligence (TI) aims to materially enhance incident response capabilities.

Again, the technical detail of DORA, combined with the lack of precise definition of the types of incidents that must be reported, the timelines, and the communication methods and protocols, has caused concern for some. But as with any compliance-driven requirements we should remember that DORA provides a framework to uplift security; it is up to each organisation to select the processes that fit its business-critical operations.

To enhance your organisation’s response capability whilst demonstrating compliance, a collaborative reporting framework is key. The following steps present an adequate starting point for continued collaboration:

  • Establish Clear Communication Channels – Set up clear and effective communication channels with your suppliers for reporting security incidents. This includes defining the types of incidents that must be reported, the timeline for reporting, and the method of communication.
  • Define Incident Response Protocols – Develop and agree upon incident response protocols with your suppliers. These protocols should outline the steps to be taken in the event of a security incident, including roles and responsibilities, escalation procedures, and coordination with internal and external stakeholders.
  • Regular Reporting and Updates – Ensure that suppliers provide regular updates on their security posture, including any detected vulnerabilities, incidents, and remediation efforts. Periodic security reviews and audits should be conducted to verify compliance with agreed-upon security standards.
  • Prioritise Collaborative Threat Intelligence Sharing – Promote a culture of collaboration by sharing relevant threat intelligence with your suppliers. This includes information about emerging threats, indicators of compromise, and best practices for mitigating risks. Encourage suppliers to reciprocate by sharing their threat intelligence insights.
  • Pursue Continuous Improvement – Continuously assess and improve your reporting framework based on feedback and lessons learned from security incidents. Regularly update your incident response plans and protocols to address new threats and vulnerabilities.

Once a clear process is established, the resulting supplier reporting data and insights, combined with continuous monitoring (i.e. CASM), should be integrated with your organisation’s Security Operations Centre (SOC) or external Managed Detection and Response (MDR) service where possible to enhance response capabilities.

A final note. Historically, overly prescriptive compliance requirements have restricted the better judgement of organisations and cybersecurity practitioners, as we have seen with previous FISMA and NYDFS reforms. DORA’s flexibility is a real advantage. Organisations can benefit from the sufficiently broad remit to address critically under-resourced risks that cause substantial financial impact and, in the current threat landscape, supply chain attacks should be a top priority.

Sean Moran

Sean is a cyber security researcher and writer with a particular interest in the impact of geopolitics and ransomware extortion within the cyber security industry.
