It’s no surprise that managing risk across information and communication technology (ICT) in the financial services industry is a tough job. Both retail and corporate banking customers expect their data to be highly secured. At the same time, they’re not afraid to take their business elsewhere when unable to rapidly access what they need through the channel of their choice.
To add to this, boardroom executives are facing rising pressure to rationalise, reduce total cost of ownership (TCO), and accelerate fintech innovation to drive profitability. And that’s not even mentioning the ever-evolving cybersecurity threat landscape.
No wonder that many in the industry view the advent of the European Union (EU) Digital Operational Resilience (DORA) regulation with a certain degree of disdain.
What’s the Sense of Urgency?
Before getting into the weeds, let’s address the elephant in the room – why is DORA important, and what’s the rush? After all, financial services has always been (and will always be) one of the most highly regulated industries out there. Regulations come and go, and there’s time, especially given that DORA only entered force on 16 January 2023 and is not due to be enforced until January 2025 – right? Wrong.
DORA forms part of the EU’s wider Digital Finance Package and is aimed at ushering in convergence of security and resilience practices across the EU financial services landscape. As such, DORA touches all of the 22,000 financial service providers, their ICT suppliers, and the growing third-party provider (TPP) ecosystem. This is precisely why DORA should be seen as a “big deal.”
What’s DORA Anyway?
But before getting too excited about the upside, let’s dive into the detail. DORA applies to most of the regulated financial providers operating in the EU market. Driven by the EU’s desire to harmonise digital financial services and their growing ubiquity, DORA aims to strengthen and standardise the arrangements for digital operational resilience where a service is adversely affected by a large-scale cybersecurity attack.
The Magic Link with Digital Identity
At a helicopter level, DORA places obligations on providers to establish strong cybersecurity and business recovery strategies, build up comprehensive detection and rapid-response capabilities, and develop the means to withstand disruptions caused by common cybersecurity attacks, while securing their TPP/third-party ICT ecosystems.
Financial service leaders looking to accelerate their DORA readiness in the remaining 15 months of the implementation window should be looking to their IAM teams to do three things:
1. Leverage AI-driven IAM to build up ICT risk management capabilities (ICT risk management pillar):
Anytime a consumer, worker, or partner attempts to access an application, a system, or a data store, they leave behind digital access breadcrumbs, also referred to as “identity access signals.” These can be simple things such as the IP address, device type, and geographical location, or more complex points such as biometric data, behavioural signals, and third-party verification data.
These signals can flag up risky access behaviours in real time. Automating how these signals are collected, analysed, and used to form known patterns of engagement, with the aid of AI and ML, helps financial service providers mitigate malicious access requests while building up a picture of the ICT risk across all access journeys.
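As an added example (not code from the original post or any IAM vendor), this is the kind of logic point 1 describes: a per-user baseline of known signals is built from historical access events, and each new attempt is scored against it so that unfamiliar devices, countries, hours, or a country change within a short window raise the risk. The events, signal weights, and thresholds are constructed for illustration only.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access events (illustrative only, not real data).
HISTORY = [
    {"user": "alice", "ts": "2023-10-02T08:55:00", "ip": "203.0.113.10", "device": "laptop-a1", "country": "NL"},
    {"user": "alice", "ts": "2023-10-03T09:02:00", "ip": "203.0.113.10", "device": "laptop-a1", "country": "NL"},
    {"user": "alice", "ts": "2023-10-04T08:50:00", "ip": "203.0.113.11", "device": "phone-a2", "country": "NL"},
]


def build_baseline(events):
    """Known pattern of engagement per user: devices, countries and login hours seen before."""
    base = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for e in events:
        b = base[e["user"]]
        b["devices"].add(e["device"])
        b["countries"].add(e["country"])
        b["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return base


def score_access(event, baseline, last_seen=None):
    """Return (score 0-100, reasons). Weights are hypothetical; tune them to real signal data."""
    b = baseline.get(event["user"])
    if b is None:
        return 100, ["no history for user"]  # nothing to compare against: treat as high risk
    score, reasons = 0, []
    if event["device"] not in b["devices"]:
        score += 30; reasons.append("unknown device")
    if event["country"] not in b["countries"]:
        score += 40; reasons.append("unknown country")
    if datetime.fromisoformat(event["ts"]).hour not in b["hours"]:
        score += 10; reasons.append("unusual hour")
    # Country change shortly after the previous access: implausible travel.
    if last_seen and last_seen["country"] != event["country"]:
        gap_h = (datetime.fromisoformat(event["ts"]) - datetime.fromisoformat(last_seen["ts"])).total_seconds() / 3600
        if gap_h < 2:
            score += 50; reasons.append(f"country change within {gap_h:.1f}h")
    return min(score, 100), reasons


def decide(score, step_up=40, block=80):
    """Map the score to an access decision: allow, require step-up authentication, or block."""
    return "block" if score >= block else "step-up" if score >= step_up else "allow"
```

In practice the baseline would be refreshed continuously from the access log, and each decision (with its reasons) retained as evidence for the ICT risk picture the text refers to.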
2. Identify and rectify access blind spots across first- and third-party ecosystems (operational resilience testing pillar):
Being able to deliver sustained value to retail and corporate customers across the financial services landscape is predicated on providers’ ability to expand their third-party ecosystem at pace. It’s inevitable that as that happens, an increasing number of workers, partners, and ICT suppliers will need access to those very applications, systems, and data to deliver a streamlined, secure, and scalable service.
Security leaders know all too well that this creates “entitlement creep” and overprovisioned access. These access “blind spots” are exploited by malicious actors to gain unauthorised access to mission-critical systems, exfiltrate data, and change configurations that ultimately undercut digital operational resilience and business continuity.
3. Define and execute plans for IAM platform convergence (all pillars):
Many leading financial service providers that compete with digitally native fintechs are operating home-grown and legacy third-party IAM infrastructure. This not only presents malicious actors with an extensive attack surface and undercuts providers’ digital operational resilience, but also inhibits agility, ecosystem expansion, and ultimately their ability to deliver value-added customer-facing services that drive revenue growth. Legacy IAM infrastructure is also invariably dependent on highly specialised IT resources, further driving up technical debt and TCO.
It’s no surprise that many financial service providers are increasing their IAM focus and investments to reduce TCO and drive digital operational resilience in the longer term. But many of these organisations are presented with a difficult choice: rip-and-replace, or sustain legacy. The good news is that leading IAM vendors now provide these very organisations with both the tools and flexibility to manage the transition to converged IAM platforms at their own pace across all self-managed, hybrid, and SaaS environments, and all complex use cases.
Financial service providers should embrace DORA and refocus their compliance efforts on the larger digital operational resilience picture across the first- and third-party ecosystem. Adopting a holistic perspective provides opportunities for leveraging converged IAM capabilities to further accelerate customer lifetime value, reduce TCO, and improve sustained profitability, beyond securing customer data and critical infrastructure, as important as those missions are in and of themselves.