In my CISO Collective blog from last spring, I wrote about how the Council of European Union Presidency and the European Parliament had reached a provisional agreement on the Digital Operational Resilience Act (DORA) to improve the cybersecurity of financial institutions in Europe. The expectation that it would be passed into law by each EU member state by the end of this year has been met.
Now that DORA has been adopted by the EU Council, financial firms will be required to ensure that they can withstand, respond to, and recover from all types of information and communications technology (ICT) disruptions and threats with the ultimate goal of preventing and mitigating cyber threats. The regulation will take a differentiated approach to the regulation of small, micro-, and interconnected entities.
The European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), will develop the “technical standards for all financial services institutions to abide by.” Also, critical third-party ICT service providers—mostly cloud providers to financial entities in the EU—will be required to establish a subsidiary within the EU for proper oversight, and auditors will be involved in future reviews of the regulation.
The new law will compel FSI companies in the EU to test their resilience—which essentially means managing their risks and using a risk governance framework to make sure that their organizations are meeting DORA’s demands. Therefore, I recommend all FSI CISOs consider engaging with cybersecurity vendors and partners that are fully up to speed on DORA.
As we come to the end of 2022 and plan for 2023, I’d like to offer some more tangible advice for FSI organizations. If you’re a CISO in financial services, you need to understand that 2023 will not be just like 2022—big shifts are happening and cyber risk is increasing.
We’ve been seeing an increase in ransomware, and this is top of mind for all organizations, not just financial organizations. Traditionally, the financial services industry (FSI) mindset is: “Oh, no, we don't want any risk.” It was all about protection and detection. But this isn’t realistic given the nature of cyber risk today.
FSI CISOs need to understand the rapidly changing threat landscape and focus on being more resilient. This means an FSI strategy has to shift from trying to avoid all risk to also being able to bounce back quickly following an attack. This will naturally lead to investment in platforms that provide capabilities such as endpoint detection and response (EDR), extended detection and response (XDR), and security orchestration, automation, and response (SOAR).
Another 2023 issue CISOs at financial organizations need to be thinking about is the growing trend of embedded finance.
What is embedded finance?
“Embedded finance is the process of integrating all financial services in one place rather than dealing with traditional entities. It offers a secure, simple, and efficient way to bundle all the services a retailer might use into one, easy-to-manage model. Financial solutions can be integrated into a business’ infrastructure, streamlining access to financial services such as lending, insurance, or payment processing without redirecting people to third-party destinations. It means fewer apps to deal with, fewer people handling money, fewer things to worry about, and less time spent keeping up with financial logistics. Interest in this sector has grown rapidly in the last few years. In 2020 the US embedded finance market reached $22.5bn and is expected to grow tenfold to $230bn in 2025.” — NCR, August 8, 2022
In the world of 2023 and beyond, finance is going to become more pervasive. For example, consider embedded finance—where non-traditional organizations are using finance products for “buy-now-pay-later” selling. This method grows sales but also increases the risk for those organizations.
Embedded finance is facilitated by banking-as-a-service (BaaS) and application programming interface (API) technologies. It is expected to generate more than $25 billion in annual revenue for banks by 2026 and could shift 25% of incumbent banks' small and medium-sized enterprise revenue to embedded channels by 2025. (Embedded Applications: New Revenue and New Risks for Banks (garp.org))
For 2023 and going forward, CISOs in FSI will need to pay particular attention to the following points:
Creating a risk register can help a financial organization in several ways. First, it can provide a clear and comprehensive view of the risks facing the organization, including their potential impact and likelihood. This can help the organization make informed decisions about how to manage these risks and prioritize its efforts—especially going into 2023. FSIs will need to prioritize investments and having a risk register will help CISOs make better risk decisions.
Second, a risk register can help a financial organization improve its regulatory compliance by ensuring that it has a complete and accurate picture of its risks and the actions it is taking to address them. This can be particularly important for financial organizations, as they are subject to a range of regulations that require them to manage their risks effectively. This also ties to the need to use automation to save costs. FSIs are experimenting with compliance as code so they can automate one of the most laborious and costly parts of the organization.
Third, a risk register can help a financial organization identify trends and patterns in risks over time, allowing it to anticipate and prepare for potential future risks. This can help the organization be more proactive in its risk management efforts and reduce the likelihood of unexpected events or incidents. Connecting with a partner or vendor that provides constantly updated threat intelligence would be wise.
Overall, a risk register can be a valuable tool for FSI organizations, helping CISOs manage their risks more effectively and improve their overall risk management processes.
While the adoption of DevSecOps does require investments in technology and automation, it is not just about technology. A successful DevSecOps strategy also involves a strong focus on awareness and training. This includes educating all employees on the importance of collaboration, continuous delivery, and cybersecurity—and providing them with the training and support they need to effectively carry out their roles.
Financial services organizations must also implement processes and technologies that support collaboration and continuous improvement and must be willing to invest in ongoing training and development to ensure that their teams have the skills and knowledge they need to succeed. Overall, the adoption of DevSecOps requires a combination of technology, awareness, and training to be successful.
Awareness is important because technology alone is not enough. FSI organizations need to start training people on DevSecOps, AI, machine learning, and API security. For example, Fortinet is committed to helping close the cyber skills gap and raising cyber awareness through our TAA initiative and Training Institute programs.