days until DORA is in effect on January 17, 2025. Download your cheat sheet here.
The global compliance landscape within the financial sector is highly complex and ever-changing. Firms are subject to a variety of data privacy and security regulations, such as GDPR in Europe, as well as regional regulations in Hong Kong, the United Kingdom and other countries, depending on where their transactions and business activities occur. The sheer number of different regulations and constant changes can make it nearly impossible to ensure compliant continuity.
However, two key regulatory frameworks are particularly important for alternative investment firms: the SEC's newly revised cybersecurity rules in the United States, and the Digital Operational Resilience Act (DORA) in Europe—both of which have rapidly approaching compliance deadlines. To meet the cybersecurity requirements of each, firms should adopt a comprehensive approach to governance and risk management to maximize efficiency while making the updates necessary to ensure compliance with both the SEC and DORA.
Similarities and Differences
Both the SEC and DORA rules are designed to safeguard operations and enhance cybersecurity at financial organizations – including hedge funds, private equity firms and corporate or private banking institutions. Both frameworks require written plans that spell out a company’s cybersecurity measures and how they will be implemented in the face of an attack. Both also emphasize proactive risk management; and each allows some flexibility in tailoring the scope of protections to the size of the company.
That said, there are some variations. For instance, DORA places added focus on resilience, including operational redundancies and other ways to continue operating in the midst of an attack. In addition, while both rules require reporting of cyber incidents, the SEC specifies a short four-day window for doing so. And while the SEC is rolling out enforcement in stages, DORA has a hard deadline of January 17, 2025 for companies to be compliant.
DORA applies to financial organizations in the EU and the SEC rules apply to publicly traded companies in the US. But many alternative investment firms will find this jurisdictional difference to be essentially moot; the international nature of transactions and a reliance on far-flung third-party networks means most companies must ensure compliance with both DORA and the SEC rules. That’s where the right MSP partner can help by enhancing cyber hygiene practices and the organization's entire approach to governance, risk and compliance.
Staying Compliant with SEC and DORA with Advanced Cyber Hygiene and a Strong GRC program
While DORA and the SEC are two different sets of regulations, in most cases financial firms will find that a few strategically chosen security enhancements will go a long way toward making their organization compliant with both. The most impactful areas to focus on are modern cyber hygiene and ensuring a strong governance, risk and compliance (GRC) program is in place.
Cyber hygiene is not a new concept; the term was first used in 2000 during Congressional testimony by internet pioneer Vinton Cerf. But what is new is the level of rigor that’s required in the modern age of AI and other advanced IT that involves more data shared across more locations and systems. Against this backdrop, modern cyber hygiene needs to cover not just the age-old basics – such as MFA, encryption and employee training to spot phishing attacks – but also newer measures like digital media watermarks and callback policies to guard, respectively, against visual and audio deepfake attacks.
All these cyber hygiene efforts fall within the larger context of what should ideally be a comprehensive Governance, Risk and Compliance (GRC) program that covers the entire organization. The best GRC programs are ongoing and iterative – typically beginning with vulnerability scanning and baseline assessments of security controls before moving on to deeper business impact analyses and the drafting of a formal plan that must be submitted to regulators.
Organizations that cover all the above bases on the cyber hygiene and GRC front will find it much easier to stay compliant with both SEC and DORA, not to mention the other regional regulations we mentioned earlier. Best of all, firms don’t need to cover these bases alone. ECI is a trusted MSP partner to clients around the world – known for our expertise in aligning services with the domain-specific priorities, threats and regulatory rules that most impact financial services and alternative investment firms.
Learn more how ECI can help your organization stay compliant with SEC and DORA.
