Financial sector splashes out for cyber resilience
Costs to UK businesses and employees are rising as the financial sector prepares for the Digital Operational Resilience Act (DORA), which comes into effect on Friday.
The regulation was designed to increase the financial system’s resilience to cyber threats by introducing requirements for ICT risk management, operational testing and contingency planning.
Nearly half (43 per cent) of UK financial services firms are predicted to miss the DORA deadline, according to recent data from Orange Cyberdefense.
Tim Wright, technology lawyer at Fladgate, commented: “Judging from the activity we are seeing, many financial institutions are not fully prepared for DORA implementation, suggesting varying levels of readiness.”
“Smaller firms in particular face greater challenges due to resource constraints and the complexity of DORA’s 500-plus requirements, as well as having to deal with a wide range of third-party service providers.”
While the preparation is necessary, the financial sector is breaking the bank on it: 47 per cent of firms have spent over €1m (£842,000) on compliance efforts over the last two years ahead of DORA, according to research from Rubrik Zero Labs.
A further 28 per cent reported spending between €500,000 and €1m (£421,000 – £842,000).
These expenses covered upgrades to technology stacks, hiring contractors, and establishing audit committees, with more costs anticipated as organisations continue building long-term resilience.
Rubrik found that DORA’s implementation has also taken a toll on cyber security teams, with nearly 80 per cent of chief information security officers (CISOs) in the UK reporting mental strain from the pressure to meet regulatory requirements.
Yet DORA’s frameworks are necessary to give organisations cyber resilience.
Rubrik’s research found that ransomware remains the top threat to UK financial institutions, with 46 per cent of respondents citing it as their greatest cyber security concern.
Other key risks reported include third-party compromises and vulnerabilities in software supply chains.
James Hughes, VP of sales and enterprise CTO at Rubrik, said: “Given the increasing threat of ransomware and third-party compromise, the implementation of regulations is required and expensive.
“Understanding what data is the most critical, where that data lives, and who has access to it is essential to identifying, assessing, and mitigating ICT risks. If good hygiene practices like these are not followed, organisations can now receive fines from the Financial Conduct Authority (FCA).”
There is also a disconnect between CISOs and other executives: nearly three quarters of CISOs stated that their IT budgets do not align with board-level priorities for regulatory compliance.
Hughes added: “There is a critical gap between board-level understanding and reality. While regulators are increasingly stringent, many CISOs feel their budgets don’t adequately reflect the board’s commitment to compliance.”
“This disconnect jeopardises not only the organisations’ security posture but also their ability to meet evolving regulatory demands”, he said.