New regulations are forcing organizations to take cyber security more seriously.
Tough new European Union regulations requiring banks to strengthen their cyber security systems officially come into force on Friday – but many of the bloc’s financial services firms are still not fully compliant.
The EU’s Digital Operational Resilience Act, or DORA, requires both financial services firms and their technology suppliers to harden their IT systems to ensure the industry is resilient in the event of a cyber attack or any other form of disruption. It entered into force on January 17.
Penalties for breaches of the new legislation can be substantial. Financial services firms that fall foul of the new rules could face fines of up to 2% of annual global revenue. Individual managers can also be held liable for violations and face sanctions of up to 1 million euros ($1 million).
So far, the degree of compliance among financial services firms with the new rules has been mixed, according to Harvey Jang, chief privacy officer and deputy general counsel at IT giant Cisco.
“I think we’ve seen a mixed bag,” Jang told CNBC in an interview. “Certainly, more mature-stage companies are looking at this for at least a year — if not longer.”
“We’re really trying to build this compliance program, but it’s so complex. I think that’s the challenge. We’ve also seen that with GDPR and other broad legislation that’s subject to interpretation — what it actually means to agree means different things to different people,” he said.
This lack of a common understanding of what qualifies as strong compliance with DORA has led many institutions to raise security standards to such a level that they are actually exceeding the “baseline” of what is expected of most firms, Jang added.
Are financial institutions ready?
Under DORA, financial firms will be required to undertake rigorous IT risk and incident management, classification and reporting, operational resilience testing, intelligence sharing on cyber threats and vulnerabilities, and measures to manage third-party risks.
Firms will also be required to conduct “concentration risk” assessments in relation to outsourcing critical or important operational functions to external companies.
A survey of 200 chief information security officers in the UK, commissioned by Orange Cyberdefense, the cyber security division of the French telecoms firm Orange, showed that 43% of financial institutions in Britain are still not fully compliant with DORA.
This is a concern because, although the UK now falls outside the European Union, DORA applies to all financial entities operating within EU jurisdictions – even if they are located outside the bloc.
“While it is clear that DORA has no legal reach in the UK, entities based here and operating or providing services to entities in the EU will be subject to the regulation,” Richard Lindsay, principal advisory adviser at Orange Cyberdefense, told CNBC.
He added that the main challenge for many financial institutions when it comes to achieving DORA compliance has been managing their critical third-party IT providers.
“Financial institutions operate within a multi-layered and extremely complex digital ecosystem,” said Lindsay. “Tracking and ensuring that all parts of this system are demonstrably compliant with the relevant elements of DORA will require a new mindset, solutions and resources.”
Banks are also adding higher levels of scrutiny to their contract negotiations with technology suppliers because of DORA’s strict requirements, Jang said.
Cisco’s chief privacy officer told CNBC that he thinks there is alignment when it comes to the principles and spirit of the law. However, he added, “any legislation is a product of compromise and so as they become more prescriptive, then it becomes challenging.”
However, despite the challenges, the widespread expectation among experts is that it will not be long before banks and other financial institutions achieve compliance.
“Banks in Europe are already compliant with important regulations covering most of the areas that fall under DORA,” Fabio Colombo, EMEA head of financial services security at Accenture, told CNBC.
“As a result, financial services institutions already have mature governance and compliance capabilities, with existing incident reporting processes and solid ICT risk frameworks.”
Risks to IT suppliers
IT providers can also be fined under DORA. The rules threaten penalties of up to 1% of average daily worldwide earnings for up to six months.
“These sanctions are necessary,” Brian Fox, chief technology officer of software supply chain management firm Sonatype, told CNBC. “They are a powerful motivator, pushing leaders to take compliance and operational sustainability more seriously than ever.”
Orange Cyberdefense’s Lindsay said there is a long-term risk that financial services firms will end up moving their critical security functions and services in-house.
“Advances in technology can allow financial institutions to bring services in-house, simplifying this aspect and reducing the risk of non-compliance,” he said.
“However, existing contracts will need to be updated to ensure that compliance is contractually mandated and monitored between the entity and the provider,” Lindsay added.
Meanwhile, there are several other cybersecurity-focused regulations that organizations will need to comply with, such as the Network and Information Security Directive 2, or NIS 2, and the Cyber Resilience Act. The first of these entered into force in October.
“As with any new regulation, there will certainly be a transition period as organizations adapt to the new requirements and standards,” Sonatype’s Fox told CNBC. “This is the beginning of a long journey toward improving software security and resilience.”