DORA is breaking the bank for many UK finance firms

London-based James Hughes, VP of solutions engineering and enterprise chief technology officer at Rubrik

Banks and firms in the UK financial services sector are experiencing a “serious financial strain” as they work to meet the requirements of stringent software and ICT regulations, most recently the introduction of the European Digital Operational Resilience Act (DORA), which came into force on January 17.

In fact, nearly half of all Britain-based financial institutions spent more than €1 million in the last two years to prepare for or implement these regulations.

Moreover, over a quarter allocated more than €500,000, according to James Hughes, VP of solutions engineering and enterprise chief technology officer at Rubrik, a cloud data management and data security company headquartered in Palo Alto, California.

While these regulations aim to increase operational resilience and safeguard sensitive data from evolving software security threats, the costs of compliance are significant, Hughes shared.

Despite the increased investment, ransomware remains the most prominent threat, with close to half of financial organisations citing it as their top concern, he continued, as he discussed a recent survey carried out by his firm.

Other threats include third-party compromises and vulnerabilities in software supply chains, the London-based executive said.

The expanding threat landscape, and third-party risk in particular, makes regulatory compliance necessary, albeit costly.

“Understanding what data is the most critical, where that data lives, and who has access to it is essential for identifying, assessing, and mitigating ICT risks,” Hughes said.

“If good hygiene practices like these are not followed, organizations could face hefty fines from [UK financial services regulator] the Financial Conduct Authority,” he stressed.

The City of London with Canary Wharf in the background, Britain’s main financial hubs

DORA

As DORA took effect last week, on January 17, financial institutions now need to adopt a universal framework that focuses on Information and Communication Technology (ICT) risk management.

This framework aims to bolster digital resilience in the financial sector, which handles some of the most sensitive data globally, Hughes noted.

However, there is a growing concern that digital resilience is not being adequately prioritised at the board level.

Many UK CISOs feel their IT budgets do not fully align with the board’s objectives to meet regulatory requirements, Hughes stressed.

He added that “while regulators are increasingly stringent, many CISOs feel their budgets don’t reflect the board’s commitment to compliance, which could jeopardize both security posture and the ability to meet evolving regulatory demands.”


“There is a critical gap between board-level understanding and reality.”

– James Hughes

DORA includes key provisions such as contractual safeguards and contingency plans to mitigate third-party risks.

Regular testing of digital resilience, including attack simulations, becomes mandatory under DORA, reinforcing the sector’s commitment to operational resilience and giving CISOs a measure of their preparedness for cyber threats.

Interestingly, Hughes pointed out that UK CISOs appear more confident about cloud security than their European counterparts, with nearly three-quarters expressing confidence that customer, partner, and employee data is secure in cloud environments.

As the regulatory landscape continues to evolve, Hughes emphasised the need for greater collaboration between CISOs, boards, and other stakeholders.

“CISOs, boards, and other stakeholders must work together to ensure cyber resilience priorities are clearly defined, adequately funded, and effectively implemented to meet regulatory requirements and safeguard the future of the industry,” he said.

As financial services firms continue to navigate the challenges of meeting regulatory compliance, the balance between digital investments and digital resilience will remain a critical issue for the financial sector this year, Hughes concluded.
