Over the past few years, IT and cybersecurity experts have learned that to survive and thrive in our ever-growing and ever-more-precarious digital world, individuals and organizations need to be more resilient. The ability to prevent cyberattacks, bounce back from hacker mischief or intrusions, keep important data safe, and maintain operations is an absolute necessity. In short, resiliency in the digital age is a must.
In response to the demand to be more resilient and better prepared, the European Union (EU) has an initiative called “Europe - Fit for a Digital Age.” EU officials believe it is time for the Union to fortify itself and better protect its critical industries from cyberattacks as the world continues digital transformation and geopolitical adversaries launch more virtual acts of aggression (ransomware, malware, DDoS attacks, etc.).
To support this initiative, the EU has identified critical sectors and is developing and enacting major regulations for the organizations within each sector. One of the Union’s critical sectors is the financial services industry (FSI), and a specific directive has been created for it called the Digital Operational Resilience Act (DORA). (For more details, read my earlier blog post titled: Helping Financial Institutions Navigate the EU's Digital Operational Resilience Act.)
DORA is one of the EU’s first regulations created for a specific vertical. The impulse behind the Fit for a Digital Age initiative is the same driving force behind DORA’s creation, but DORA was specifically tailored to improve cybersecurity in financial services. DORA attempts to harmonize risk management across all the Union’s FSIs. Its successful implementation will be used as a guide for regulations in other critical sectors, which include energy, transportation, healthcare, water management, digital infrastructure, public administration, and more.
In fact, the EU is making real progress: recently its “Council presidency and the European Parliament reached a political agreement on a resiliency directive of critical entities. Work will now continue at [the] technical level to finalize the provisional agreement on the full legal text.”
The new directive focuses on reducing vulnerabilities and strengthening the physical resilience of entities that provide vital services to EU citizens and organizations. These critical entities need “to prepare for, cope with, protect against, respond to and recover from natural disasters, terrorist threats, health emergencies or hybrid attacks.”
Also under the banner of “Fit for a Digital Age” is a cybersecurity directive, recently agreed upon by the EU’s Council and the European Parliament, that is horizontal in nature. It is designed to improve the resilience and incident response capacities of all the EU’s public sector and private industry organizations. This new network and information systems directive, known as NIS2, replaces an existing directive and calls for better cooperation on risk and incident management. It does this by setting a baseline for cybersecurity risk management and reporting across all the digital infrastructure sectors.
As digitalization speeds up and geopolitical tensions grow, NIS2 offers a regulatory framework and codifies the minimum rules for organizations to follow. It compels enterprises to meet stricter cybersecurity requirements to better handle cyberattacks. The new directive also encourages cooperation among authorities in each EU member state and outlines how the new rules will be enforced.
Another initiative that ties closely to the EU’s resiliency efforts is brand new. It’s called the EU Cyber Resilience Act, and it has recently been opened for public and private industry input. As digital players become more ingrained in its citizens’ lives, the EU will require these organizations to have a minimum level of cybersecurity. The open consultation will give organizations and citizens an opportunity to provide ideas and feedback, and to express their views on the proposed act.
This is a very important development because it will impact Fortinet and other companies that provide security products, digital solutions, and technical services. The trend is very likely to continue into the next few years or so. I expect that the EU will soon have regulations that require all digital players to have a minimum level of cybersecurity.
The point of most of the coming regulations is to set a standard framework for how EU organizations, and organizations that do business with the EU, will need to report and manage cyber risks. Ultimately, those responsible for overseeing and testing the resiliency of organizations will take a “stick approach” to compliance and levy fines against organizations that do not adhere to the new regulations.
Developing resiliency is a key part of these “Fit for a Digital Age” efforts. Individuals often look at regulations as obstacles or challenges, but improved resiliency is for the greater good of Europeans and, perhaps, everyone worldwide. Organizations may also see the new regulations as hurdles that bring extra work and expense, but most understand the need for resiliency because, within the EU, every FSI organization is interconnected, and that interconnection creates systemic risk.
From an FSI perspective, DORA is blazing a trail for other nations. Since the EU’s announcement of DORA last year, the United States’ Securities and Exchange Commission (SEC) has proposed cybersecurity rules for “third-party” financial services companies. In a February 2022 press release, the SEC states, “The proposed rules would require advisers and funds to adopt and implement written cybersecurity policies and procedures designed to address cybersecurity risks that could harm advisory clients and fund investors. The proposed rules also would require advisers to report significant cybersecurity incidents affecting the adviser or its fund or private fund clients to the Commission on a new confidential form.”
And in June 2022, the United Kingdom’s Treasury announced a “Proposal for mitigating risks from critical third parties to the finance sector.” Because the U.K.’s financial services industry is increasingly relying on third parties such as cloud computing services, the industry is opening itself up to security risks and negative consequences if these third-party companies fail or are disrupted by cyberattacks or other unforeseen hazards.
The U.K. wants to establish a “regime” of financial regulators to oversee “critical” third-party arrangements with financial services companies and “set minimum resilience standards that critical third parties will be directly required to meet in respect of any material services that they provide to the UK finance sector. It will also allow the financial regulators to require critical third parties to take part in a range of targeted forms of resilience testing, to assess whether these standards were being complied with.”
Alongside the heightened threat environment organizations face today is another reality: an increased urgency to comply with the many new financial services industry regulations on the way. It is important that business leaders, CISOs, and CIOs keep on top of these developments, including those at organizations outside the EU that do business in Europe.
To learn more, tune in to the Cyber Resilience in Financial Services Podcast.