Complying with the EU’s Digital Operational Resilience Act (DORA) will affect any financial institution offering its services to clients in the EU.
When it comes to operational and cyber resilience, there are a lot of regulatory requirements, which are NOT optional, and plenty of best practice guidelines. While wrestling with the requirements for compliance, and finding the resources and budget to complete resilience projects, many IT Directors and CISOs are looking at how they can generate additional benefits for the business off the back of such projects. Productivity tools that boost cyber resilience can also increase compliance with data protection laws such as GDPR, and tackle the growing spectre of shadow IT. There are many aspects to making an organisation more resilient to cyber attacks and other incidents that may disrupt the business, and a secure communications channel is one way to support resilience while delivering additional business benefits to the rest of the organisation.
Financial services firms and ICT technology providers have less than 18 months to comply with the new legislation, which comes into effect on 17 January 2025. DORA comes hot on the heels of the UK’s own Operational Resilience regulations developed by the Financial Conduct Authority (FCA), the Bank of England and the Prudential Regulation Authority (PRA). The PRA announced that the deadline for starting the implementation of the Operational Resilience Framework for UK financial institutions was 31 March 2022, and the deadline for implementing all aspects of operational resilience is 31 March 2025.
With multiple deadlines looming so close together, many financial firms are tackling both sets of legislation concurrently. As both adhere to the five pillars of operational resilience, there is a lot of common ground.
Five pillars of Operational Resilience
- ICT risk management and governance
- ICT-related incident reporting
- Digital operational resilience testing
- Intelligence sharing
- ICT third-party risk
Secure communications are key to enhancing Cyber & Operational Resilience
There are several ways in which secure communications are essential for compliance with best practice advice, regulations and legislation. These are applicable whether firms are working towards compliance with UK or EU regulations and are good business practice for any organisation looking to increase business resilience. An organisation’s ability to respond to a breach is severely diminished if its communications are compromised as part of a larger attack.
Indeed, the NIST Computer Security Incident Handling Guide (SP 800-61, https://csrc.nist.gov/pubs/sp/800/61/r2/final), in Section 3.1.1 “Preparing to Handle Incidents”, states that “…smartphones are one way to have resilient emergency communication and coordination mechanisms. An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.”
Incident Response Plans – What are your safe communications channels?
Well-run organisations will have an incident management process that is well documented in advance, with technology and infrastructure in place, so that they are prepared for a crisis. When an organisation succumbs to a cyber attack or catastrophic IT failure, the first thing to do, even before assessing the situation fully and putting together a plan for recovery and future mitigation, is to understand exactly how you are going to communicate.
It is not only the IT department discussing the technicalities, and business continuity managers keeping the C-suite and the board abreast of events, who need to be considered. A wide variety of people involved in handling the situation will need secure, reliable comms. They will include those with internal roles such as project managers and risk and incident managers, as well as employees with external-facing roles such as customer relationship managers, public relations, and legal counsel. The last thing you should do is use the very platform that has just been compromised, i.e. your corporate network, if indeed it is still functional.
DORA and NIST both suggest that groups of key contacts, such as suppliers, law enforcement, internal teams and stakeholders, the SOC, etc., are pre-defined and set up before an incident occurs, so that communications can begin immediately on the secure channel. With the Armour Comms platform, organisations are able to create these groups in advance and integrate them into business continuity processes.
Robust ICT Risk Management Practices – Keep tight control of your data
There are many situations where sensitive corporate information can be put at risk by the use of non-approved communications apps which cannot separate business from personal data. For example, details of what were thought to be private messages can be leaked to malevolent third parties (see our previous blog for some grisly details: https://www.armourcomms.com/2023/03/20/the-hancock-saga-exactly-how-not-to-manage-sensitive-information/). Calls and other communications involving classified or sensitive data CAN be made safely on ordinary mobiles when appropriately secure software is used.
Armour Mobile is able to provide secure archive and audit capabilities which record conversations and messages and so allow full review (and policing) of employee communications. The archived details are securely preserved, even if the original messages are deleted from the user’s phone.
Enhanced Information Security Measures
In the event of a major cyber attack, protecting the communications of the IT and digital forensics team, as well as other key senior members of staff, blocks a very useful source of information from being intercepted or modified by the attackers (who commonly infiltrate and monitor a company’s normal communications to see if they have been detected, and to pre-empt any countermeasures). In addition, by using a secure communications platform such as Armour Mobile, and having the secure comms hosted by a third party, you further isolate senior management and the IT team’s comms from the potentially compromised systems that they are trying to recover.
Out-of-band comms is essential, not optional.
It’s not just DORA compliance
Quite apart from the Governance, Risk & Compliance (GRC) requirements for which a secure communications platform is essential, every enterprise has some intellectual property to protect; every HR department discusses the relative merits of job candidates; managers and supervisors discuss the performance of people in their team; sales people discuss sensitive details of negotiations to close a large deal. All of this information could cause financial loss, be deeply embarrassing if leaked, lead to loss of reputation, breach GDPR and attract huge fines, or at worst, jeopardise the entire business.
A secure communications platform provides a safe channel for communications during a serious cyber security event, it provides an audit trail to prove compliance, and it can also be used to protect all manner of business information.
To find out exactly what you should be looking for, the questions you should ask, and the NCSC’s 7 principles of Secure Communication, read our Buyer’s Guide.