Countdown to DORA Enforcement: Building Your ICT Risk Management Framework

Pressure to align with the Digital Operational Resilience Act (DORA) is continuing to build for financial entities in the European Union, and for the ICT service providers that support them, ahead of the January 17, 2025 enforcement deadline. Each of DORA's pillars addresses a different set of ICT and cyber risk factors with the aim of improving operational resilience. Today's blog focuses on ICT Risk Management: what is required, and what firms should be doing now to ensure their risk management framework is in place before the enforcement deadline arrives.

DORA Requires Rigorous Planning and Documentation Around ICT Risk Management 

While most financial firms already maintain guidelines that govern their cybersecurity resilience, DORA requires firms to document specifically how their framework addresses ICT risks quickly, efficiently and comprehensively, so as to ensure a high level of digital operational resilience. Within that framework, firms must spell out, in an Information Security Policy, the rules they apply to protect the availability, authenticity, integrity and confidentiality of their assets and data.

These requirements are laid out in Chapter II of the DORA text, the regulation's most substantial chapter, which obliges firms to protect both their "information assets" and their "ICT assets" from risks including damage, unauthorized access and misuse. The framework must cover software, physical assets (hardware and servers) and physical infrastructure (premises, data centers and areas designated as sensitive), and it must do so through documented strategies, policies, procedures, ICT protocols and tools.

Furthermore, DORA requires that the ICT risk management framework be reviewed and updated at least once a year, with additional reviews triggered by other conditions, such as a major ICT-related incident or the findings of a regulatory audit. Throughout, firms must ensure their ICT risk management framework includes provisions for patches and updates; access restriction policies based on functions, roles and missions; and ICT change management policies. Tested change-management and continuity procedures of this kind could have helped organizations limit the impact of this month's (July 2024) CrowdStrike outage, because rollback steps and communication channels would already have been defined and rehearsed before the faulty update landed, which underscores why these requirements matter.

Satisfying all these requirements is easier said than done, especially since DORA does not prescribe a particular framework to follow but leaves that decision to each firm. This flexibility is welcome in some ways, but it can leave firms struggling to decide how to craft the right framework for their business, and to do so quickly as the clock ticks toward the January enforcement deadline.

Clients Trust ECI as a Partner for ICT Risk Management

Fortunately, the right MSP partner can help companies assess their current operations and craft a DORA-compliant framework for ICT Risk Management, lifting the burden from in-house IT and security teams. While DORA does not specify a particular recipe for developing this framework, EU regulators do expect firms to align with a recognized industry standard, such as the Center for Internet Security (CIS) Controls or guidance from the National Institute of Standards and Technology (NIST).

At ECI, we use frameworks that incorporate industry practices from these organizations and from regulators such as the SEC to help firms protect against cyberattacks and interruption of operations. We conduct rigorous assessments to develop a comprehensive road map for remediating security gaps and maintaining compliance. These frameworks and activities are delivered through ECI platforms and services tailored specifically to alternative investment firms and to DORA's compliance requirements.

For instance, the proactive capabilities of our Managed XDR (MXDR) platform dovetail with DORA's focus on resilience, because the platform is designed to support both detection and response. Organizations equipped with ECI MXDR can be highly proactive and can automate parts of the SOC response, such as isolating endpoints, blocking attacker IP addresses at the firewall and creating DNS sinkholes. Meanwhile, event-driven behavioral analysis flags signs of an attack in progress, helping to stop data exfiltration and lateral movement before they succeed. Automated actions of this kind need guard rails, such as allowlists for critical infrastructure and analyst approval for high-impact steps, so that a false positive does not itself become an availability incident, which is exactly the outcome DORA's resilience requirements are meant to prevent.
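To make the detection-and-response loop above concrete, here is a small SOAR-style playbook written for this post as an illustration. It is not ECI's MXDR code, and the events, threat-intelligence entries, allowlist and the internal address ranges it assumes are all constructed for the example. It runs two behavioral rules (admin-protocol fan-out to several internal hosts, and high-volume transfer to a single external address) plus a threat-intel DNS match over a batch of normalized events, then maps the findings to containment actions with the guard rails discussed above: internal and non-routable addresses are never blocked, and transfers to an allowlisted destination are escalated to an analyst instead of triggering automatic isolation.

```python
"""
Toy SOAR-style playbook: behavioural detections over normalised endpoint /
network events, followed by automated containment (endpoint isolation,
firewall block, DNS sinkhole). Added illustration, not ECI's MXDR code.
"""
import ipaddress
from collections import defaultdict

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}      # SSH / SMB / RDP / WinRM
LATERAL_MIN_TARGETS, LATERAL_WINDOW_S = 3, 60  # distinct internal hosts per window
EXFIL_MIN_BYTES, EXFIL_WINDOW_S = 50_000_000, 300

# Constructed sample telemetry (not real data). 203.0.113.0/24 and 198.51.100.0/24
# are RFC 5737 documentation ranges standing in for external addresses.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "conn", "host": "ws-17", "dst_ip": "10.1.4.20", "dst_port": 445, "bytes_out": 4096},
    {"ts": 105, "type": "conn", "host": "ws-17", "dst_ip": "10.1.4.21", "dst_port": 445, "bytes_out": 4096},
    {"ts": 110, "type": "conn", "host": "ws-17", "dst_ip": "10.1.4.22", "dst_port": 3389, "bytes_out": 4096},
    {"ts": 200, "type": "conn", "host": "ws-03", "dst_ip": "203.0.113.9", "dst_port": 443, "bytes_out": 30_000_000},
    {"ts": 230, "type": "conn", "host": "ws-03", "dst_ip": "203.0.113.9", "dst_port": 443, "bytes_out": 30_000_000},
    {"ts": 240, "type": "conn", "host": "ws-11", "dst_ip": "198.51.100.7", "dst_port": 443, "bytes_out": 80_000_000},
    {"ts": 300, "type": "dns", "host": "ws-08", "qname": "Update.Evil-C2.example"},
    {"ts": 310, "type": "conn", "host": "ws-08", "dst_ip": "10.1.4.50", "dst_port": 443, "bytes_out": 900_000_000},
]
INTEL_DOMAINS = {"update.evil-c2.example"}   # constructed threat-intel feed
ALLOWLISTED_DST = {"198.51.100.7"}           # e.g. the firm's backup SaaS provider (assumed)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events, intel_domains):
    """Run the behavioural rules over a batch of events; return a list of findings."""
    findings = []

    # Rule 1: one host opening admin-protocol connections to >= N distinct
    # internal hosts inside a short window (lateral-movement fan-out).
    fanout = defaultdict(list)
    for e in events:
        if e["type"] == "conn" and e["dst_port"] in ADMIN_PORTS and is_internal(e["dst_ip"]):
            fanout[e["host"]].append(e)
    for host, evs in fanout.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):            # sliding window over sorted events
            targets = {e["dst_ip"] for e in evs[i:] if e["ts"] - first["ts"] <= LATERAL_WINDOW_S}
            if len(targets) >= LATERAL_MIN_TARGETS:
                findings.append({"rule": "lateral_movement", "host": host, "targets": sorted(targets)})
                break

    # Rule 2: a host pushing >= X bytes to one *external* address inside a window
    # (possible exfiltration). Large internal transfers, e.g. backups, are ignored.
    flows = defaultdict(list)
    for e in events:
        if e["type"] == "conn" and not is_internal(e["dst_ip"]):
            flows[(e["host"], e["dst_ip"])].append(e)
    for (host, dst), evs in flows.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            total = sum(e["bytes_out"] for e in evs[i:] if e["ts"] - first["ts"] <= EXFIL_WINDOW_S)
            if total >= EXFIL_MIN_BYTES:
                findings.append({"rule": "exfiltration", "host": host, "dst_ip": dst, "bytes": total})
                break

    # Rule 3: DNS lookup of a known C2 domain (case-insensitive match).
    for e in events:
        if e["type"] == "dns" and e["qname"].lower() in intel_domains:
            findings.append({"rule": "c2_domain", "host": e["host"], "domain": e["qname"].lower()})
    return findings


def plan_response(findings, allowlisted_dst=frozenset()):
    """Map findings to containment actions with guard rails: never block internal or
    non-routable addresses, and hand allowlisted destinations to a human instead."""
    actions = []

    def add(action, target, reason):
        a = {"action": action, "target": target, "reason": reason}
        if a not in actions:                     # de-duplicate (same host hit by two rules)
            actions.append(a)

    for f in findings:
        if f["rule"] == "lateral_movement":
            add("isolate_endpoint", f["host"], f["rule"])
        elif f["rule"] == "exfiltration":
            if f["dst_ip"] in allowlisted_dst:
                add("escalate_to_analyst", f["host"], "exfil volume to allowlisted destination")
                continue
            add("isolate_endpoint", f["host"], f["rule"])
            addr = ipaddress.ip_address(f["dst_ip"])
            if is_internal(f["dst_ip"]) or addr.is_loopback or addr.is_multicast:
                add("escalate_to_analyst", f["dst_ip"], "refusing to block internal/non-routable address")
            else:
                add("firewall_block_ip", f["dst_ip"], f["rule"])
        elif f["rule"] == "c2_domain":
            add("dns_sinkhole", f["domain"], f["rule"])
            add("isolate_endpoint", f["host"], f["rule"])
    return actions


def run_playbook(events=SAMPLE_EVENTS, intel=INTEL_DOMAINS, allowlist=ALLOWLISTED_DST):
    return plan_response(detect(events, intel), allowlist)


if __name__ == "__main__":
    for a in run_playbook():
        print(f"{a['action']:<22} {a['target']:<26} ({a['reason']})")
```

Run as a script, the playbook isolates ws-17 (fan-out over SMB/RDP), isolates ws-03 and blocks 203.0.113.9 (60 MB to one external address in five minutes), sinkholes update.evil-c2.example and isolates ws-08, and only escalates ws-11 because its destination is allowlisted. The 900 MB transfer from ws-08 to the internal server 10.1.4.50 produces no finding at all, which is the point of scoping the exfiltration rule to external destinations: the thresholds and address ranges are where a real deployment needs tuning against the firm's own asset inventory, the same inventory DORA's framework asks you to maintain.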

Further completing the ICT Risk Management picture is ECI's Governance, Risk and Compliance (GRC) platform, which lets teams assess various forms of risk and see changes to operational conditions and threats in real time, with prioritization tools that map the criticality of issues and suggest actions for decision support. We chart the full spectrum of organizational risk, from unavoidable inherent risk arising from the nature of the business (such as regulatory exposure if your firm handles PII, health information or other sensitive data) to avoidable risk from gaps in endpoint security, lax access policies or other weaknesses.

Our GRC support begins with deployment of vulnerability scanners and a mapping of existing security controls against the chosen framework; continues with business impact analyses and information security policy development; and concludes with the buildout of a full Business Continuity and Incident Response plan and a Vendor Management platform for managing third-party security and compliance risk. Taken together, these steps can help clients get a strong ICT Risk Management Framework in place well before the January DORA deadline.
