20 January 2025

Kyndryl and AFI present the DORA report in Madrid

Forbes

Cecabank has participated in the analysis of the impact of the new mandatory regulation promoted by the European Union to address financial cybersecurity.

After two years of preparation, the Digital Operational Resilience Act (known as DORA), which the EU adopted with entry into force on 16 January 2023, begins to apply tomorrow across the European Union. It aims to strengthen the IT security of more than 10,000 European financial institutions, including banks, insurance companies and investment firms, and to ensure that the European financial sector is able to withstand cyberattacks that try to compromise the security of its operations.

DORA harmonises the rules on the operational resilience of the financial sector and applies to 20 different types of financial entities, as well as to third-party providers of information and communications technology (ICT) services to them.

To mark the regulation's entry into application, the US multinational Kyndryl, a provider of ICT infrastructure services founded in 2021 as a spin-off of IBM's infrastructure services business, organised an informative meeting this morning at which the DORA report was presented. The report analyses the impact and main challenges of implementing this regulation in financial institutions.

The report in question, drafted by the Spanish financial, economic and technological consultancy firm Analistas Financieros Internacionales (AFI) and commissioned by Kyndryl, was carried out through confidential and anonymous interviews with institutions and bodies such as the Bank of Spain, INCIBE, Banca March, Laboral Kutxa, Bankinter, Santander, Mapfre, Cecabank, Unicaja, Sanitas, CaixaBank, Sabadell and BBVA.

After talks by David Soto, Chairman of Kyndryl Spain and Portugal, and Borja Foncillas, Chairman and CEO of AFI, who explained the importance of DORA within the digital transformation of financial institutions, Esteban Sánchez Pajares, Managing Partner at AFI, summarised the main conclusions of the report, including the work being carried out by the entities to strengthen their cyber resilience. Kris Lovejoy, Global Security and Resilience Practice Leader at Kyndryl, then interviewed Silvia Senabre, Head of the Technological Risk Group of the Directorate General for Supervision of the Bank of Spain. The core of the event then began: a roundtable in which representatives of several of the companies and bodies interviewed for the preparation of the report gave their views on this new regulatory framework. The panel comprised the aforementioned Senabre; Òscar Domènech, Business Continuity Director at CaixaBank; Roberto Rodríguez, Chief Operational Resilience Officer of Banco Santander; Guillermo Llorente, Corporate Director of Security at MAPFRE; and Ricardo López, Director of Non-Financial Risks and Compliance at Cecabank.

The Head of the Technological Risk Group of the Directorate General for Supervision of the Bank of Spain pointed out that “DORA is not something that is about companies ‘ticking boxes’ so that the supervisor does not fine me. The aim is for companies to incorporate resilience into their business. These businesses need resilient technology that supports the business all the time, because business and technology have to go hand in hand. At all times of the business, we must think about its resilience. It has to be embedded at all levels. And all the people who make up the organisation, from the concierge to the CEO, have to work to achieve resilience. DORA is not just a regulation or another request from the supervisor, but rather something that helps, although of course it will also generate a lot of work. And there's so much more to come! You see, tomorrow I will be able to celebrate that the regulation is in force, but the work is not over tomorrow, not by a long shot.”

The vision of the regulated companies was proactive. For Òscar Domènech, “the key idea is that resilience is a part of corporate culture.” According to him, DORA means “simplifying, or at least becoming a cohesive core of, several regulations, but there will still be various regulations, and we will continue to have to report to different regulators depending on our business, and there will be regulatory updates. Regulation is a living being. If you adapt to or comply with the regulations just to comply with them, and do so ‘at the time of inspection’ or when the rules are being updated, this will mean disruption to your organisation and your processes, because there is always a blockage and a strain. When you incorporate the resilience of your usual processes into your corporate culture, standards help you see where you have to go and the effort is much smaller.”

For Roberto Rodríguez, “historically, financial institutions have been highly regulated, so DORA is part of an almost continuous process. And I think it helps that other players are included in the regulation, such as technology providers, because the final goal is for the sector to be more resilient, and that guarantees that we will offer better service to customers. In this regard, having these common rules and a common language is helping.”

Representing one of the most international insurance companies, Guillermo Llorente went on to say that “we were all applying resilience measures long before DORA arrived, because we would not be here otherwise. We all want to offer customers the best service in a given situation, such as, for example, in an event like the recent flooding in Spain (DANA). DORA is not the key to offering the best service, but we are multinational and DORA offers us a common standard of homogeneity compared to international regulation, at least in a very broad geographical territory.”

Lastly, Ricardo López pointed out that “the main aspects of DORA are, on the one hand, not just having marginal aspects covered, such as continuity, contingencies, incident detection, reporting, etc., but also coordinating all these elements, and that is very complex: it is the risk management framework. Furthermore, DORA is a tool that allows you to permanently face challenges to your operational resilience model, because it is a universally recognised regulation.”

By way of conclusion

The financial sector is increasingly dependent on technology and on technology companies to provide financial services. This means that financial institutions are exposed to cyberattacks and incidents; they have been establishing IT security protocols and measures for years, but the threat situation has become increasingly severe. With the Digital Operational Resilience Act (DORA), the EU provides a framework to help build cyber resilience holistically, given that, when they are not managed properly, ICT risks can cause interruptions to (or even the collapse of) transnational financial services. This, in turn, can have a domino effect on other companies, sectors and even the economy as a whole, which highlights the importance of the financial sector's digital operational resilience. This is where DORA comes into play. Although it initially regulates the activity of financial entities and providers of ICT services to them, it is more than likely that this act, or similar regulation, will become mandatory in other sectors as well.

DORA specifically addresses the vulnerabilities in ICT, security and risk management that exist among providers of financial and ICT services. But these vulnerabilities can also occur in organisations in other sectors. Similar regulations are therefore likely to be applied to those sectors, especially to companies that work in sensitive areas such as critical infrastructure, which should familiarise themselves with the main aspects of DORA at an early stage.
