{"id":14669,"date":"2023-01-10T08:58:00","date_gmt":"2023-01-10T06:58:00","guid":{"rendered":"https:\/\/www.thegreenbow.com\/?post_type=resource&p=14669"},"modified":"2023-06-08T12:15:22","modified_gmt":"2023-06-08T10:15:22","slug":"dora-when-the-financial-sector-becomes-obsessed-with-data-security","status":"publish","type":"resource","link":"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/","title":{"rendered":"DORA: when the financial sector becomes obsessed with data security"},"content":{"rendered":"\n
\n

By Arnaud Dufournet<\/strong>, Chief Marketing Officer<\/p>\n\n\n\n

In our first blog post of 2022<\/a> we anticipated that it would be a busy year for the people who draft cybersecurity regulations in Europe. Events proved us to be right. Everything suddenly gathered pace in the last two months of 2022 with the adoption of the new NIS Directive and the DORA Regulation by the European Parliament and then the European Union Council in late November. The new directive and regulation were published in the Official Journal of the European Union on December 27, providing greater visibility over the timetable for their entry into effect.<\/p>\n\n\n\n

As you may know, the Digital Operational Resilience Act<\/strong><\/a> (DORA) is an EU regulation that is intended to serve as the financial sector\u2019s version of the NIS Directive. The world of finance is certainly no stranger to regulations, but this latest edict proves to be particularly demanding as regards the contractual relationship with IT service providers.<\/p>\n\n\n\n

The origins of DORA: operational risk<\/strong><\/strong><\/strong><\/strong><\/h2>\n\n\n\n

The 2008 financial crisis shone a spotlight on the connections and mutual dependencies between banks and insurance companies. The Basel II and then Basel III agreements emerged so as to offer protection against operational risk. In 2010, Basel III tightened prudential standards to limit credit risk, but didn\u2019t stop there.<\/p>\n\n\n\n

\"\"<\/figure>
\n

It also introduced the idea that operational risk should be included when evaluating minimum equity requirements. According to the Basel Committee, operational risk is the \u201crisk of loss resulting from inadequate or failed internal processes, people and systems or from external events.\u201d<\/p>\n<\/div><\/div>\n\n\n\n

<\/p>\n\n\n\n

This very broad definition thus encompasses information system failures, and information systems are taking on an increasingly important role with process digitalization and the use of new technologies (AI, RPA, cloud services, and so on). The 2008 crisis showed that information system failures must definitely be included within operational and systemic risks.<\/p>\n\n\n\n

In recent years, the rising threat from cyber attacks has only increased this risk of IT failure. This means failure is no longer caused by technical issues or human error alone; it can also result from malicious intent in the form of cyber attacks, whether criminal in origin or instigated by unfriendly governments seeking economic intelligence.<\/p>\n\n\n\n

As cyber threats grow, so does operational risk<\/strong><\/strong><\/h2>\n\n\n\n
\"\"<\/figure>
\n

Cyber risk is now identified and monitored by the European Central Bank and other major central banks as well and truly included within the set of systemic risks. We have moreover addressed this issue in a previous blog post<\/a> [French only] on the banking sector.<\/p>\n<\/div><\/div>\n\n\n\n

<\/p>\n\n\n\n

Banking transactions carried over networks and the large amounts of personal data handled are cybercriminals\u2019 main interest. IBM\u2019s X-Force Threat Intelligence Index 2022 reveals once again that the financial sector is undeniably one of the key targets for attacks, just behind manufacturing.<\/p>\n\n\n\n

<\/p>\n\n\n\n

\n

IBM\u2019s findings are that 22% of attacks and incidents reported in 2021 were aimed at the financial sector, primarily banks (70% of these attacks, as against 16% on insurance companies).<\/p>\n<\/div>

\"\"<\/figure><\/div>\n\n\n\n

The stakes could now scarcely be higher: the possible collapse of the banking system and therefore of our economies. The European Union has grasped the seriousness of the implications, and decided to tackle the issue head-on by developing the concept of digital operational risk.<\/p>\n\n\n\n

So after NIS, here’s DORA<\/strong><\/h2>\n\n\n\n

In the wake of the NIS Directive, the first version of which was ratified in 2016, the European Commission first started thinking about specific regulation for the financial sector in 2020, with a view to toughening up digital operational resilience. Unlike a directive, which requires transposition into domestic law, a regulation applies as-is in all EU member states.<\/p>\n\n\n\n

This regulation has two notable features. The first is its obsession with data security. Availability, authenticity, integrity, and confidentiality are the four criteria that recur time and again throughout the regulation, starting in the definitions of \u201cICT-related incident\u201d and \u201coperational incident<\/em>\u201d in Article 3, appearing again in Article 5 on governance and organization, then Article 9 on protection and prevention, and so on.<\/p>\n\n\n\n

The second is that this sector-specific regulation concerns not only insurers and credit institutions but also their IT service providers (with the exception of microenterprises). Article 28 of the regulation reiterates the general principle that \u201cfinancial entities that have in place contractual arrangements for the use of ICT services to run their business operations shall, at all times, remain fully responsible for compliance with, and the discharge of, all obligations under this Regulation and applicable financial services law<\/em>.\u201d It is therefore impossible to pass the buck onto any external provider.<\/p>\n\n\n\n

Paragraph 5 of this same article then says that \u201cWhen those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards<\/em>.\u201d In other words, critical IT service providers are an integral part of risk assessment, and financial institutions must ensure their providers are beyond reproach, security-wise.<\/p>\n\n\n\n

The European Union\u2019s thinking starts from the premise, established since attacks such as SolarWinds, that a cyber incident can easily spread to every player in an industry. The aim therefore is to protect the entire supply chain from the risk of attack<\/strong>.<\/p>\n\n\n\n

DORA set to boost encryption use<\/strong><\/h2>\n\n\n\n

Article 9 of the regulation, on \u201cProtection and prevention,\u201d requires an information security policy to be produced. Paragraph 2 of this article states the measures to be taken to protect data: \u201cFinancial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.\u201d<\/p>\n\n\n\n

\"\"<\/figure>
\n

The regulation does not say so, but data encryption meets the authenticity, integrity, and confidentiality obligation here.<\/p>\n\n\n\n

This article also recognizes the three intrinsic advantages of a VPN solution that specifically protects these data \u201cin use\u201d, meaning when a user wants to access an information system (IS) to consult them.<\/p>\n<\/div><\/div>\n\n\n\n

<\/p>\n\n\n\n

Article 30 requires that these same measures to protect data are taken by \u201cICT third-party service providers.\u201d Such provisions are to be explicitly included in contracts between parties to ensure \u201cavailability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data.\u201d<\/p>\n\n\n\n

Protecting communications with a trusted VPN<\/strong><\/strong><\/h2>\n\n\n\n

As it is in cybersecurity, trust is a cornerstone of the financial system. This might make DORA\u2019s obsession with availability, authenticity, integrity, and confidentiality easier to understand. Given the connections between networks, an internal or external incident that undermines any one of these four principles could compromise the financial system.<\/p>\n\n\n\n

The security visas issued by the French National Cybersecurity Agency (ANSSI) held by TheGreenBow\u2019s VPN clients attest to the high level of security they offer. There are many uses for VPNs in banking, such as protecting remote communications for staff working from home, keeping banking administration traffic secure with an IPsec VPN tunnel<\/strong><\/a>, controlling the IS access granted to external contractors using specific configurations in the VPN client, and more besides.<\/p>\n\n\n\n

And to face up to the quantum threat, TheGreenBow is already working with major central banks on plans to roll out VPN clients incorporating encryption algorithms that are resistant to quantum attacks. Due to apply from January 17, 2025, stakeholders in the financial sector and their IT service providers have two years left to comply with the DORA Regulation. And given the demands it makes, even two years cannot be viewed as excessive.<\/p>\n\n\n\n

<\/p>\n\n\n\n

\n
\n
\n
\n
\n \n \n\n
\n \"DORA:\n <\/figure>\n \n

PLANNING A PROJECT? LET’S TALK<\/h4>\n \n \n <\/a>\n \n <\/div>\n <\/div>\n\n \n\t\t<\/div>\n <\/div>\n <\/section>\n<\/div>\n","protected":false},"featured_media":14687,"template":"","meta":{"_acf_changed":false,"resource_type":"internal"},"resource_category":[30,342],"class_list":["post-14669","resource","type-resource","status-publish","has-post-thumbnail","hentry","resource_category-blog","resource_category-blog-en"],"acf":[],"yoast_head":"\nDORA: when the financial sector becomes obsessed with data security - TheGreenBow<\/title>\n<meta name=\"description\" content=\"The Digital Operational Resilience Act (DORA) has just been issued making data protection a must for the financial sector.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DORA: when the financial sector becomes obsessed with data security - TheGreenBow\" \/>\n<meta property=\"og:description\" content=\"The Digital Operational Resilience Act (DORA) has just been issued making data protection a must for the financial sector.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/\" \/>\n<meta property=\"og:site_name\" content=\"TheGreenBow\" \/>\n<meta property=\"article:modified_time\" content=\"2023-06-08T10:15:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.thegreenbow.com\/wp-content\/uploads\/2023\/01\/Finance_lite.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"1773\" \/>\n\t<meta property=\"og:image:height\" content=\"1182\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@thegreenbow\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/ressource\\\/blog-en\\\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\\\/\",\"url\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/ressource\\\/blog-en\\\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\\\/\",\"name\":\"DORA: when the financial sector becomes obsessed with data security - TheGreenBow\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/ressource\\\/blog-en\\\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/ressource\\\/blog-en\\\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.thegreenbow.com\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/Finance_lite.jpeg\",\"datePublished\":\"2023-01-10T06:58:00+00:00\",\"dateModified\":\"2023-06-08T10:15:22+00:00\",\"description\":\"The Digital Operational Resilience Act (DORA) has just been issued making data protection a must for the financial sector.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/ressource\\\/blog-en\\\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/ressource\\\/blog-en\\\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/ressource\\\/blog-en\\\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.thegreenbow.com\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/Finance_lite.jpeg\",\"contentUrl\":\"https:\\\/\\\/www.thegreenbow.com\\\/wp-content\\\/uploads\\\/2023\\\/01\\\/Finance_lite.jpeg\",\"width\":1773,\"height\":1182},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/ressource\\\/blog-en\\\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/resources\\\/blog-en\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"DORA: when the financial sector becomes obsessed with data security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/\",\"name\":\"TheGreenBow\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/#organization\",\"name\":\"TheGreenBow\",\"url\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.thegreenbow.com\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/Logotype@2x-min.png\",\"contentUrl\":\"https:\\\/\\\/www.thegreenbow.com\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/Logotype@2x-min.png\",\"width\":422,\"height\":84,\"caption\":\"TheGreenBow\"},\"image\":{\"@id\":\"https:\\\/\\\/www.thegreenbow.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/thegreenbow\",\"https:\\\/\\\/fr.linkedin.com\\\/company\\\/thegreenbow\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCZKtI7_fmgFcmovgGSy8AnQ\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"DORA: when the financial sector becomes obsessed with data security - TheGreenBow","description":"The Digital Operational Resilience Act (DORA) has just been issued making data protection a must for the financial sector.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/","og_locale":"en_US","og_type":"article","og_title":"DORA: when the financial sector becomes obsessed with data security - TheGreenBow","og_description":"The Digital Operational Resilience Act (DORA) has just been issued making data protection a must for the financial sector.","og_url":"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/","og_site_name":"TheGreenBow","article_modified_time":"2023-06-08T10:15:22+00:00","og_image":[{"width":1773,"height":1182,"url":"https:\/\/www.thegreenbow.com\/wp-content\/uploads\/2023\/01\/Finance_lite.jpeg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_site":"@thegreenbow","twitter_misc":{"Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/","url":"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/","name":"DORA: when the financial sector becomes obsessed with data security - TheGreenBow","isPartOf":{"@id":"https:\/\/www.thegreenbow.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/#primaryimage"},"image":{"@id":"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.thegreenbow.com\/wp-content\/uploads\/2023\/01\/Finance_lite.jpeg","datePublished":"2023-01-10T06:58:00+00:00","dateModified":"2023-06-08T10:15:22+00:00","description":"The Digital Operational Resilience Act (DORA) has just been issued making data protection a must for the financial sector.","breadcrumb":{"@id":"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/#primaryimage","url":"https:\/\/www.thegreenbow.com\/wp-content\/uploads\/2023\/01\/Finance_lite.jpeg","contentUrl":"https:\/\/www.thegreenbow.com\/wp-content\/uploads\/2023\/01\/Finance_lite.jpeg","width":1773,"height":1182},{"@type":"BreadcrumbList","@id":"https:\/\/www.thegreenbow.com\/en\/ressource\/blog-en\/dora-when-the-financial-sector-becomes-obsessed-with-data-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.thegreenbow.com\/en\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/www.thegreenbow.com\/en\/resources\/blog-en\/"},{"@type":"ListItem","position":3,"name":"DORA: when the financial sector becomes obsessed with data security"}]},{"@type":"WebSite","@id":"https:\/\/www.thegreenbow.com\/en\/#website","url":"https:\/\/www.thegreenbow.com\/en\/","name":"TheGreenBow","description":"","publisher":{"@id":"https:\/\/www.thegreenbow.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.thegreenbow.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.thegreenbow.com\/en\/#organization","name":"TheGreenBow","url":"https:\/\/www.thegreenbow.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.thegreenbow.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.thegreenbow.com\/wp-content\/uploads\/2021\/04\/Logotype@2x-min.png","contentUrl":"https:\/\/www.thegreenbow.com\/wp-content\/uploads\/2021\/04\/Logotype@2x-min.png","width":422,"height":84,"caption":"TheGreenBow"},"image":{"@id":"https:\/\/www.thegreenbow.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/thegreenbow","https:\/\/fr.linkedin.com\/company\/thegreenbow","https:\/\/www.youtube.com\/channel\/UCZKtI7_fmgFcmovgGSy8AnQ"]}]}},"_links":{"self":[{"href":"https:\/\/www.thegreenbow.com\/en\/wp-json\/wp\/v2\/resource\/14669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thegreenbow.com\/en\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/www.thegreenbow.com\/en\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thegreenbow.com\/en\/wp-json\/wp\/v2\/media\/14687"}],"wp:attachment":[{"href":"https:\/\/www.thegreenbow.com\/en\/wp-json\/wp\/v2\/media?parent=14669"}],"wp:term":[{"taxonomy":"resource_category","embeddable":true,"href":"https:\/\/www.thegreenbow.com\/en\/wp-json\/wp\/v2\/resource_category?post=14669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}