Odaseva CEO: ‘SaaS data of many banks does not comply with DORA’

Sovan Bin, the founder & CEO of California-based Odaseva

The much-talked-about EU Digital Operational Resilience Act (DORA) came into force nearly a month ago, which means financial institutions now need to adopt a universal framework for information and communication technology (ICT) risk management, with regular testing and internal data checks taking centre stage.

In a nutshell, the regulatory framework aims to bolster digital resilience in the financial sector, which handles some of the most sensitive data globally.

However, there is a growing concern that digital resilience is not being adequately prioritised at the board level, with many financial services firms simply missing a critical vulnerability in their compliance and QA strategy: their cloud-based sales and customer data, and adequate testing in and for this environment.

While companies have focused on traditional cybersecurity measures, DORA requires something more fundamental: proving they can fully recover from any data incident, including human error and technical glitches, explains Sovan Bin, the chief executive officer of Odaseva, a San Francisco-based software and test data company.

In an exclusive interview with QA Financial, the Frenchman argues that these challenges matter because internal issues, not cyberattacks, cause close to three out of four of all critical data losses, and because financial services companies must now test and document their ability to recover from incidents.

Moreover, DORA affects any financial institution doing business in the EU, traditional backup approaches may not meet the new requirements, and penalties for non-compliance could be severe, Bin said. He spent six years at Salesforce, from 2006 to 2012, leading the architect team in Paris, where he was the very first Certified Technical Architect (CTA) in the EMEA region.

QA Financial: As DORA has taken effect, you warn that many banks and financial services firms are missing a critical vulnerability in their compliance strategy: their cloud-based sales and customer data. Can you elaborate?

When it comes to SaaS data, there’s a not-uncommon misconception about who is responsible for what. Many financial services firms believe that the SaaS platform is responsible for protecting their data and ensuring it complies with regulations like DORA. But they are mistaken, and it could cost them.


That’s because many SaaS platforms operate under the Shared Responsibility Model, which means that customers must ensure their data complies with DORA. So while banks and financial services companies may have spent the last few years ensuring that their data complies with DORA, many didn’t realise that they must also ensure their SaaS data complies too.

If companies assumed the SaaS platform would ensure their company’s data complied with DORA, then that’s a vulnerability in their compliance strategy, because DORA says ‘solutions and processes shall ensure that data is protected from risks arising from data management, including poor administration, processing related risks and human error’.

QA Financial: DORA requires firms to demonstrate they can fully recover from any data incident, including human error and technical glitches. How can firms test for this?

Yes, DORA mandates regular auditing to identify potential bottlenecks that could disrupt the restoration process and correct them, both during routine restore tests and actual disaster recovery incidents.

Firms can test their ability to recover from potential incidents through restore-readiness audits. Such audits enable companies to assess whether problems or changes in their SaaS environment impact their ability to restore data. The audits will also provide actionable recommendations to resolve any potential barriers.

QA Financial: As said, companies must now test and document their ability to recover from incidents. Can we expect a doubling of their QA teams, or increased investment? What do you foresee?

We absolutely expect to see increased investment in third-party vendors who specialize in such capabilities; in fact, we already have.

Instead of relying on internal QA teams, companies that must comply with DORA are outsourcing data protection to partners whose experts specialize in SaaS data backup, restore, audits, and optimizing Recovery Time Objective and Recovery Point Objective (RTO and RPO).


“Traditional backups are stored with the source system. This is not DORA compliant.”

– Sovan Bin

Also, as part of this increased investment in third parties, companies are scrutinizing such vendors much more closely, because DORA compliance means companies now require partners that demonstrate their capabilities – they cannot just ‘check the box’ and hire a vendor that promises they’re capable. After all, DORA says ‘financial entities shall provide to the competent authorities copies of the results of the ICT business continuity tests’.

QA Financial: You told me earlier that traditional backup approaches may not meet the new requirements, what makes you say that?

Traditional backups are stored with the source system. This is a vulnerability, and not DORA compliant. For example, relying on Salesforce or a Salesforce-owned entity for backup creates a significant vulnerability: if the source system is compromised, the backups are often vulnerable to the same risks. In the case of cyberattacks like ransomware, attackers frequently target both the source system and the backup, exacerbating the damage. This is not DORA-compliant. And future regulations will likely echo DORA’s requirement here.

Also, traditional backups have often referred to just backing up data. But what about files, metadata, etc.? If your backups don’t include all the data you need, you may not be able to fully restore data. And that leads to business continuity and non-compliance risks. After all, DORA says ‘“ICT concentration risk” means an exposure to […] third-party service providers creating a degree of dependency on such providers’.
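The restore-readiness audit and the backup properties Bin describes above (a copy kept apart from the source system, records plus files and metadata, RPO and RTO measured against a trial restore) can be expressed as a small check. The following Python is an added example for illustration only, not Odaseva’s product or any code from the interview; the BackupSet structure, the sandbox restore, the target values and the sample backup sets are all constructed assumptions.

```python
"""Restore-readiness audit for a SaaS backup set (illustrative, constructed data).

Assumptions: a backup set is described by a BackupSet record, a trial restore
rebuilds its components into an empty sandbox dict, and the reference snapshot
is what production looked like when the copy was taken.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import time


@dataclass
class BackupSet:
    source_system: str   # platform whose data is protected (assumed name)
    location: str        # where the copy is stored (assumed path)
    taken_at: datetime   # when the copy was taken
    components: dict     # "records" / "files" / "metadata" -> {name: content}


# A restore that only brings back records is not a full restore.
REQUIRED_COMPONENTS = ("records", "files", "metadata")


def sandbox_restore(backup: BackupSet) -> dict:
    """Assumed trial restore: rebuild every component into an empty sandbox."""
    return {kind: dict(items) for kind, items in backup.components.items()}


def audit(backup: BackupSet, reference: dict, now: datetime,
          rpo_target: timedelta, rto_target: timedelta) -> dict:
    """Return the findings a restore-readiness audit would raise for one backup set."""
    findings = []

    # 1. Independence: a copy stored on the source platform shares its failure modes.
    if backup.location.startswith(backup.source_system):
        findings.append("backup stored with the source system")

    # 2. Completeness: records alone are not enough; files and metadata must be present.
    missing = [c for c in REQUIRED_COMPONENTS if not backup.components.get(c)]
    if missing:
        findings.append("backup missing components: " + ", ".join(missing))

    # 3. RPO: the most recent copy must be younger than the recovery point target.
    age = now - backup.taken_at
    if age > rpo_target:
        findings.append(f"RPO breached: backup is {age} old, target {rpo_target}")

    # 4. Trial restore into a sandbox, compared with the reference and timed for RTO.
    start = time.perf_counter()
    restored = sandbox_restore(backup)
    elapsed = timedelta(seconds=time.perf_counter() - start)
    mismatched = [k for k in reference if restored.get(k) != reference[k]]
    if mismatched:
        findings.append("restore differs from reference: " + ", ".join(mismatched))
    if elapsed > rto_target:
        findings.append(f"RTO breached: restore took {elapsed}, target {rto_target}")

    return {"ready": not findings, "findings": findings,
            "rpo_age": age, "rto_measured": elapsed}


# Constructed sample data: a reference snapshot and two candidate backup sets.
NOW = datetime(2025, 2, 14, 9, 0, tzinfo=timezone.utc)
REFERENCE = {
    "records": {"Account/001": "Example Bank plc", "Contact/003": "J. Doe"},
    "files": {"kyc/003.pdf": b"%PDF-constructed-sample"},
    "metadata": {"Account.Rating": "picklist", "Flow:Onboarding": "v3"},
}
GOOD = BackupSet("salesforce-prod", "offsite-vault/eu-west/daily",
                 NOW - timedelta(hours=6), REFERENCE)
BAD = BackupSet("salesforce-prod", "salesforce-prod/backup-object",
                NOW - timedelta(days=3),
                {"records": REFERENCE["records"], "files": REFERENCE["files"]})


def run_audits() -> dict:
    """Audit both constructed backup sets against a 24h RPO and a 4h RTO target."""
    targets = dict(rpo_target=timedelta(hours=24), rto_target=timedelta(hours=4))
    return {"good": audit(GOOD, REFERENCE, NOW, **targets),
            "bad": audit(BAD, REFERENCE, NOW, **targets)}


if __name__ == "__main__":
    for name, result in run_audits().items():
        status = "READY" if result["ready"] else "NOT READY"
        print(f"{name}: {status}")
        for finding in result["findings"]:
            print("  -", finding)
```

The constructed BAD set fails on every point the interview raises: it sits on the source platform, has no metadata, is older than the RPO target, and therefore does not restore to the reference snapshot, while the GOOD set passes. The same structure extends naturally to a real backup by replacing sandbox_restore with an actual restore into a non-production org.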

QA Financial: Anything else you would like to share with our readers?

Yes, it’s important to mention that it’s just as critical to secure backups as it is to secure production data. DORA emphasises this. Regulated entities are required to ensure data confidentiality at all stages, whether at-rest, in-use, or in-transit, particularly for systems like Salesforce that support business-critical functions.

