The financial services sector across Europe is slowly gearing up for the Digital Operational Resilience Act (DORA), the new EU regulatory framework intended to improve ICT resilience and protect firms from cyberattacks, software defects and faulty third-party software.
In recent months, finserv players have stepped up efforts to prepare for the regulation, which will apply from January of next year.
IT resilience and software testing procedures, as well as incident reporting and organisations’ relationship with third party providers, are some of the key provisions in the framework, which have been widely discussed within the industry.
One key requirement of DORA that has attracted less attention is software composition analysis.
In fact, one of the regulation’s notable characteristics is that it treats open source analysis, also known as software composition analysis (SCA), as a basic security requirement that all institutions within its scope must develop as a capability. SCA inventories the open source components and libraries an application depends on and checks them against known vulnerabilities and licence obligations; it is distinct from code-quality or functional testing, although QA teams commonly run it alongside those.
DORA includes language outlining how to achieve a high level of digital operational resilience and emphasises open source analysis as a fundamental security requirement, as pointed out by Ilkka Turunen, field CTO at Sonatype, one of the leading vendors of software composition analysis tools.
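To make concrete what an SCA capability actually does, here is an added example that is not code from the article, from Sonatype or from DORA. It reads a pinned Python requirements list, builds a component inventory of package URLs (the identifier scheme SBOM formats such as CycloneDX use), and matches each component against an advisory feed using OSV-style "introduced"/"fixed" version ranges, then applies a severity threshold as a build gate. The lockfile contents, package names (acme-*), advisory IDs (EXAMPLE-2024-*) and severities are all constructed for illustration and correspond to no real software or advisory.

```python
"""Minimal software composition analysis (SCA) check.

Added example, not code from the article, Sonatype or DORA. All package names,
advisory identifiers, versions and severities are constructed for illustration.
"""
from dataclasses import dataclass
import re

# Constructed lockfile contents (hypothetical project, hypothetical packages).
LOCKFILE = """\
# pinned dependencies
acme-json==2.4.1
acme-http==1.9.0
acme-xml==0.13.2 ; python_version >= "3.8"
acme-crypto==3.0.0
"""

# Constructed advisory feed shaped like OSV "affected ranges":
# a version is affected when introduced <= version < fixed (fixed None = no fix yet).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "acme-json", "severity": 9.8,
     "ranges": [{"introduced": "2.0.0", "fixed": "2.4.2"}]},
    {"id": "EXAMPLE-2024-0002", "package": "acme-http", "severity": 5.3,
     "ranges": [{"introduced": "1.0.0", "fixed": "1.8.0"},
                {"introduced": "2.0.0", "fixed": "2.1.0"}]},
    {"id": "EXAMPLE-2024-0003", "package": "acme-crypto", "severity": 7.5,
     "ranges": [{"introduced": "3.0.0", "fixed": None}]},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str

    @property
    def purl(self) -> str:
        # Package URL, the component identifier used by CycloneDX and SPDX SBOMs.
        return f"pkg:pypi/{self.name}@{self.version}"


def parse_version(v: str) -> tuple:
    # Dotted numeric versions only; sufficient for the constructed data above.
    return tuple(int(p) for p in v.split("."))


def parse_lockfile(text: str) -> list[Component]:
    """Build the component inventory from pinned `name==version` lines."""
    components = []
    for line in text.splitlines():
        # Drop comments and environment markers, keep the requirement itself.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if not m:
            raise ValueError(f"unsupported requirement: {line!r}")
        components.append(Component(m.group(1).lower(), m.group(2)))
    return components


def affected_range(version: str, ranges):
    """Return the advisory range that covers `version`, or None if unaffected."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r["introduced"])
        hi = r["fixed"]
        if v >= lo and (hi is None or v < parse_version(hi)):
            return r
    return None


def scan(components, advisories):
    """Return (purl, advisory id, severity, fixed_in) for each vulnerable component."""
    findings = []
    for c in components:
        for adv in advisories:
            if adv["package"] != c.name:
                continue
            hit = affected_range(c.version, adv["ranges"])
            if hit is not None:
                findings.append((c.purl, adv["id"], adv["severity"], hit["fixed"]))
    return findings


def gate(findings, max_severity: float = 7.0) -> bool:
    """Build gate: True only when no finding reaches the severity threshold."""
    return all(sev < max_severity for _, _, sev, _ in findings)


if __name__ == "__main__":
    comps = parse_lockfile(LOCKFILE)
    results = scan(comps, ADVISORIES)
    for purl, adv_id, sev, fixed in results:
        print(f"{purl}: {adv_id} (CVSS {sev}) fixed in {fixed or 'no fix available'}")
    print("build gate passed:", gate(results))
```

Two details matter for a real deployment: the version comparison must use the ecosystem's own ordering (PEP 440 for Python, semver for npm, Maven's scheme for Java) rather than the numeric-tuple shortcut used here, and the inventory must include transitive dependencies, which a pinned lockfile gives you but a top-level manifest does not. The "no fix available" case is worth handling explicitly, as above, because a finding with no fixed version needs a mitigation or a documented risk acceptance rather than an upgrade.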
In an exclusive interview with QA Financial, Turunen explained that “to reflect differences that exist across, and within, the various financial subsectors as regards financial entities’ level of cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements.”
As examples of those basic requirements, he singled out vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing and end-to-end testing, with the range extending up to more advanced testing by means of threat-led penetration testing (TLPT).
DORA classifies open source analysis as a basic security requirement in Recital 56, which sets out the principles of what good vulnerability management should look like.
“Consequently, all financial entities governed by DORA must develop capabilities in this area,” he stressed.
“The underlying principle of DORA is to essentially raise the floor of what is considered minimal cybersecurity and thus increase the cyber resilience of the organisations they cover,” Turunen explained.
He did point out “there is a principle of proportionality, meaning the regulators are able to interpret them with some leeway if they so choose based on the maturity and size of the organisation.”
Open source
With regards to financial services firms, Turunen does not see a move away from their dependency on open source.
“In my experience it is quite the opposite, financial firms are increasingly using open source,” he noted.
“They’ve been regulated at some level for a long time, so this is nothing new to them, and open source is a massive source of innovation there.”
He stressed “what’s new with DORA is the secondary compliance elements – as we’re seeing not just financials directly becoming compliant but also asking their suppliers to via contracts.”
Turunen is convinced “this will certainly cause many firms to have to implement many things they might’ve not thought about before, including the activities in the recital.”
DORA
The EU’s new Digital Operational Resilience Act (DORA) will apply from early next year, so the financial services industry across Europe is racing to get ready for the new ICT-focused regulation.
The DORA rules aim to strengthen oversight, operational resilience and the relationship between banks and other financial institutions and the firms that manage, run, test and update their software infrastructure.
The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) have been tasked to jointly establish, roll out and enforce the EU’s new ICT framework.
“The finance sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyberattacks or incidents,” EIOPA recently explained.
“When not managed properly, ICT risks can lead to disruptions of financial services. This in turn, can have an impact on other companies, sectors, and even on the rest of the economy, which underlines the importance of the digital operational resilience of the finance sector. This is where the DORA regulation comes into play,” the body stressed.
While the rules entered into force in January of 2023, financial firms have been given two years to comply, which means it will take effect and become mandatory for all finance players on January 17 of next year.
DORA spells out detailed criteria for the classification, management, and reporting of ICT risks. It also includes comprehensive recurring testing of these systems and a set of requirements for managing and monitoring ICT-related risks in the finance sector.
The DORA regulation sets out specific requirements with regards to ICT risk management and governance, incident reporting, third-party risk management as well as operational resilience testing and threat sharing.
With regard to resilience testing, ICT systems must be tested regularly to evaluate their performance, identify vulnerabilities and remediate them in a timely manner.
With regard to threat sharing, financial institutions must establish arrangements to exchange information and intelligence about cyber threats and vulnerabilities.