Compliance
A New Cybersecurity, Resilience Regime Is In Town – The EU's DORA

New European Union legislation took effect this month that is designed to make financial institutions – including wealth managers – raise their cybersecurity and digital operational resilience. Failure to shape up will incur fines. We take a look at what's at stake, and not just for those based in the EU.
If there was a reminder that operational resilience in technology
is important, the CrowdStrike outage of July 2024, in which a
faulty update to the Falcon endpoint sensor crashed Windows hosts
worldwide, grounding flights and taking down payment systems, was
a stark example.
And with cybersecurity attacks and breaches becoming a regular
occurrence, banks, wealth managers and family offices realise
that they can be hit by ransomware attacks from domestic and
foreign sources. Throw in outages and glitches that are, perhaps,
inevitable features when fallible human beings are involved as
well as malevolent actors, and there's going to be trouble.
In Europe, the regulatory stakes have risen with the Digital
Operational Resilience Act (DORA), which applies from 17 January
2025. DORA is designed to establish best practice for
cybersecurity and operational resilience across the financial
industry. Its requirements fall into five areas: ICT risk
management, ICT incident reporting, digital operational
resilience testing, management of ICT third-party risk and
information sharing, and organisations deemed non-compliant face
fines. Regulators such as the Central Bank of Ireland, which
enforces DORA for Irish firms, and the Bank of England, which
runs the UK's parallel operational resilience regime, have
already issued guidance to banks and other financial
organisations about this.
Under DORA, the penalty regime for financial entities is set by
each member state's competent authority; fines can reach 2 per
cent of a company's total annual turnover. Critical third-party
ICT providers that fail to act on the Lead Overseer's
recommendations face periodic penalty payments of up to 1 per
cent of their average daily worldwide turnover for each day of
non-compliance, for up to six months, as well as fines of up to
€5 million ($5.2 million) for companies or €500,000 for
individuals. DORA is lex specialis: for the financial entities
in its scope it takes precedence over the EU's general
cybersecurity law, the NIS2 Directive. As a result, financial
organisations face tougher cybersecurity requirements than most
other sectors in the EU. Firms outside the 27-member EU bloc are
caught too: an ICT provider that serves an EU financial entity
must meet DORA's contractual and oversight requirements wherever
it is based, and a non-EU provider designated as critical falls
under direct EU oversight. In that sense DORA is similar in
scope and reach to the GDPR data protection rules that came into
force in May 2018.
“In the past 20 years financial institutes of all types have
become nearly completely reliant on technology for the services
they provide. Their greatest risk to life beyond the market
forces is a breach or major outage. Governments across the world
know how critical their financial institutes are to stability and
DORA [EU legislation] is about catching up with that,” Joe Boyle,
CEO at Salt Secure
Communications, told this publication.
While the DORA rules took effect from last Friday, it is unlikely
that non-compliant firms will be immediately fined; regulators
will probably issue reports and warnings first, Boyle said. “DORA
is important for wealth management as well as all financial
institutions because there are real consequences for not being
compliant.”
Boyle’s firm, he said, “sees itself as a modern incarnation of
the secure, controlled and compliant capabilities of the
Blackberry messaging services with additional security
capabilities such as secure broadcast and measures to prevent
sensitive data exfiltration.”
“Crucially we do not come under full control of the Microsoft
Active Directory, which means that it cannot be compromised or
controlled when a bad actor hacks the corporate Microsoft
environment,” he said.
“We [at Salt] are dealing with firms that are preparing for the
worst and we provide a safe-haven network. In many wargaming
scenarios the first thing the executive team are faced with is
‘All of your internal systems are down and you have no way to
communicate. What are you going to do now?’ That’s where Salt
comes in,” Boyle said.
Salt gives firms a “closed room” communications channel that is
separate from the firm’s regular systems, so that staff can still
share information if an attack or outage has taken those systems
down, Boyle said. “We speak to people to ask what to do if there
is a major outage.”
Cybersecurity attacks and other problems give such offerings
traction.
According to the Veeam Data Protection Trends Report 2024, 75
per cent of organisations suffered at least one ransomware attack
in the preceding year. Focusing just on the UK, the Cyber
Security Breaches Survey 2024 from the Department for Science,
Innovation & Technology found that half of businesses (50 per
cent) and around a third of charities (32 per cent) had
experienced some form of cybersecurity breach or attack in the
previous 12 months. The figure is much higher for medium
businesses (70 per cent), large businesses (74 per cent) and
high-income charities with £500,000 ($626,670) or more in annual
income (66 per cent).
A report in March 2024 from Broadridge Financial Solutions showed
that over the next two years, financial institutions plan to boost
their investments in cybersecurity by 28 per cent on average,
affecting both their internal security controls and the way they
engage with third-party technology vendors.
According to the study, cybersecurity is the top capability
executives say they expect from their technology vendors,
outpacing the ability to deliver projects on time and on budget
and to build next-generation technologies into their solutions.
Cybersecurity remains an important concern for the world’s wealth
management industry. In the US, Securities and Exchange
Commission rules that took effect in December 2023 require listed
companies to disclose material cybersecurity incidents on Form
8-K within four business days of determining that an incident is
material, and to describe their cyber risk management, strategy
and governance in their annual reports. The UK survey cited
above found that by far the most common type of breach or attack
is phishing (84 per cent of businesses and 83 per cent of
charities).
“DORA will impose stricter requirements and also encourage
resiliency in organisations, which will hopefully address the
issues of securing insurance,” Alasdair Anderson, vice president
of EMEA at Protegrity, said in a note.
Protegrity is a data protection business based in the US.
“The positive consequence of this growing regulatory landscape is
a shift toward outcome-based compliance, as current regulations
are seen to focus on ticking boxes. This will ultimately lead to
enhanced data security within sectors, and mitigated risk of
major consequences from continuously scaling cyber attacks,”
Anderson said. “We will also see more regulations coming out that
haven’t yet been predicted.
“Companies should treat these regulations as the minimum
requirement that guides the usage of technology and look to build
on these requirements. Maximising cybersecurity investments isn’t
just about protection – it’s about creating a positive,
trust-driven experience for customers in the long term. Security
should go beyond compliance, ensuring that every interaction
leaves customers feeling safe and confident.”
Cybersecurity remains a top wealth sector concern, as highlighted
in the Twelfth Edition of the WealthBriefing Tech and Ops Trends
in Wealth Management 2024 report.
Blackberry model
Salt’s Boyle has fond memories of the Blackberry devices that
were once a ubiquitous tool for people in IT, finance and
business before the advent of iPhones and other smartphone
brands.
The Blackberry had solid proprietary end-to-end security that a
firm issuing the devices could configure centrally, with different
levels of access for junior and more senior staff, Boyle said. He
noted how regulators such as the Securities and Exchange
Commission in the US have fined banks and other firms for
record-keeping failures caused by staff conducting business over
unapproved messaging apps such as WhatsApp.
“Blackberry had what was a completely closed network;
organisations loved them,” said Boyle, who recalled that he was
still using his Blackberry Bold in 2012.
Under DORA, businesses located outside the EU (such as a firm
working with an EU-domiciled bank) are also affected by its
provisions. For example, organisations based in the Middle East
are “taking DORA very seriously as they are very keen on tracking
best practice across the globe to maintain and grow their highly
competitive position,” Boyle said.
“The best way to think about it is in terms of risks and
potential impacts to the business within the supply chain. If you
have a supplier who is critical to the delivery of your
services and has access to key information or services then they
too are required to demonstrate compliance regardless of where
they are in the world,” Boyle said.
Alongside DORA there is the NIS2 Directive, the EU's general
cybersecurity legislation, which sets legal measures for raising
the overall level of cybersecurity across the Union. It replaces
the original NIS Directive of 2016, entered into force in January
2023 and had to be transposed into national law by 17 October
2024. NIS2 widens the scope to more sectors and entities and
tightens incident-reporting and supply-chain security
obligations; financial entities within DORA's scope follow DORA's
more specific rules instead.
The CrowdStrike outage of 2024 was a much-needed wake-up call,
Boyle said.
“These developments have been crucial in driving awareness within
the executive suites of major organisations about the potential
impact of breaches and major unplanned outages,” Boyle said.
“Risk teams are being allocated significantly more budget and
there has been a fundamental mind shift in more aware
organisations to prepare for a crisis 'when it
happens' instead of 'in case it happens’. It’s daunting
but liberating as they are very focused on preparedness.”
Salt clients include law firm Mishcon de Reya; BAE Systems,
a defence sector manufacturer; and Nihon Cyber, a
Japan-based cybersecurity firm. Salt, which is headquartered in
Belfast, operates in 52 countries, covering sectors
from finance to defence, military and policing.
“Our high security clients have a very good understanding of
advanced nation state threats and have a very clear understanding
of what they need when it comes to communications: a system which
they run and control, which once deployed is not accessible even
by Salt. That’s their 'warm and fuzzy' reassurance,” Boyle said.