DORA: Compliance, Fines and Practical Considerations

Some thoughts on DORA, which is bound to have an effect on cyber insurance, both on rates and on the level of monitoring insurers will probably have to carry out as part of the quote and renewal process:
In just over a week, the European Union’s (EU) latest major cybersecurity mandate, the Digital Operational Resilience Act (DORA), will come into effect. By 17th January 2025, all financial institutions and their technology providers operating within the EU must meet DORA compliance standards. Crucially, this regulation doesn’t just apply to EU-based organisations – it also impacts businesses providing services to customers in the EU. DORA is designed to ensure the operational resilience of financial services, forming part of a broader series of EU legislative efforts to harmonise and strengthen cybersecurity across the region.
With the compliance deadline fast approaching, Nic Sarginson, Principal Solutions Engineer at Yubico, highlights the risks of non-compliance and explores how integrating multi-factor authentication (MFA) aligns with the regulation’s goals:
“Non-compliance with DORA could have significant repercussions for financial firms and their technology providers. Although specific penalties haven’t been outlined, it’s likely that fines will be proportional to the severity of the breach – much like GDPR. In severe or repeated cases, authorities may even suspend or terminate contracts. However, the financial consequences are just one aspect, as organisations that fail to comply also risk serious reputational damage and a loss of trust from customers and partners, which can be extremely difficult to recover from in this industry.
“While DORA doesn’t explicitly mention MFA, it mandates the implementation of strong authentication policies and protocols as part of its overarching goal to bolster cybersecurity in the financial sector. MFA plays a pivotal role in digital operational resilience by significantly reducing the risk of cyber incidents and attacks. For financial institutions, adopting MFA aligns perfectly with the directive’s objectives, enhancing both customer protection and the security of critical financial infrastructure. However, it’s important to note that not all MFA solutions are created equal. Legacy methods, like SMS-based one-time passcodes (OTPs), are increasingly vulnerable, with phishing attacks easily bypassing these systems. To truly safeguard against stolen credentials and advanced threats, businesses must prioritise modern, phishing-resistant MFA tools, like passkeys – including physical security keys.
“Achieving DORA compliance isn’t an overnight task. The regulation’s broad scope, which includes requirements for incident reporting and third-party risk management, demands ongoing effort and meticulous planning. Nevertheless, prioritising cyber hygiene and strong authentication practices will not only ensure compliance but also support a culture of cybersecurity excellence, redefining how enterprises approach resilience and risk management.”

About Alastair Walker
20 years experience as a journalist and magazine editor. I'm your contact for press releases, events, news and commercial opportunities at Insurance-Edge.Net
