The Digital Operational Resilience Act (DORA) represents a pivotal shift in the European Union's approach to strengthening the financial sector's defences against cyber threats. Enacted as Regulation (EU) 2022/2554, DORA underscores cybersecurity as an integral facet of operational resilience.
This legislative move recognizes the escalating frequency and evolution of cyberattacks targeting financial institutions. We saw this play out in IBM’s 2023 Cost of a Data Breach Report—with the financial industry being the second costliest industry when targeted by cyber criminals, coming in at an average data breach cost of $5.90 million.
Regulators sought a way to maintain public trust, business continuity, and the stability of financial systems. DORA's enactment met the need for both a heightened cybersecurity posture and greater organizational preparedness.
In this blog, we will unpack the broader impacts of DORA, highlight several of the regulatory Articles from DORA’s Chapter II: ICT Risk Management, and then discuss how organizations can satisfy these Articles with BeyondTrust solutions.
Understanding DORA and its Broader Impact
DORA's primary objective is to bolster the operational resilience of the financial sector, and broadly speaking, ensure that institutions can withstand, respond to, and recover from Information and Communication Technology (ICT)-related disruptions and threats.
The regulation mandates a comprehensive set of cybersecurity measures and pushes the need for financial entities across the European Union to develop and maintain advanced protection, detection, containment, recovery, and repair capabilities. Specifically, DORA introduces rigorous requirements, including:
- Risk management frameworks
- Cybersecurity protocols
- Secure data handling and transmission
- Detailed incident reporting mechanisms
These provisions are all designed to enhance the defences of financial institutions against cyberattacks, minimize the risk of operational disruptions, and uphold consumer trust and the overall reliability of the financial system.
Unpacking the Regulatory Articles from DORA’s Chapter II: ICT Risk Management
Article 5: Governance & Organization
Article 5 of the Digital Operational Resilience Act (DORA) underlines the need for robust governance and organizational structures within financial institutions to support the effective management of Information and Communication Technology (ICT) risks.
This requirement ensures a well-structured approach to cybersecurity and risk management within the financial sector.
Article 7: ICT Systems, Protocols, and Tools
Article 7 is dedicated to the rigorous testing of ICT tools, systems, and processes, ensuring that financial institutions can maintain operational resilience against potential disruptions and threats.
This segment also enforces a structured regimen of regular testing to evaluate the robustness of ICT frameworks against various cyber threats.
Article 8: Identification
Article 8 of the Digital Operational Resilience Act (DORA) stresses the importance for financial institutions to establish robust mechanisms for the early identification and detection of ICT risks. These risks encompass threats and vulnerabilities within their ICT systems and the broader digital ecosystem in which they operate.
The main goal is to proactively identify and assess digital operational risks, enabling institutions to implement preventative measures before these risks can evolve into significant disruptions and/or full-blown cyberattacks.
Article 9: Protection & Prevention
Article 9 mandates financial institutions to implement comprehensive technical and organizational measures to protect against and prevent ICT-related incidents.
This directive aims to safeguard the integrity, availability, and confidentiality of systems and data, necessitating robust defences against cyber threats, data breaches, and system failures to uphold operational resilience.
Article 10: Detection
Article 10 highlights the critical role of detection in ICT risk management, necessitating that financial institutions implement effective systems and procedures to promptly detect ICT-related incidents.
It further emphasizes the need for early identification of potential threats and vulnerabilities to mitigate their impact on operational capabilities, advocating for continuous monitoring and detection mechanisms to rapidly spot signs of cyber threats, breaches, or system failures.
Article 11: Response & Recovery
Article 11 of the Digital Operational Resilience Act (DORA) mandates financial institutions to have robust plans and procedures in place for the effective response to and recovery from ICT-related incidents.
To adhere to Article 11, institutions need to swiftly assess, contain, and mitigate the effects of incidents and restore normal operations with minimal service disruption, preserving the integrity, availability, and confidentiality of their data and systems.
Article 16: Simplified ICT Risk Management Framework
Article 16 of the Digital Operational Resilience Act (DORA) introduces a "Simplified ICT Risk Management Framework," specifically designed for smaller financial entities or those with a lower risk profile.
This approach acknowledges the diversity of financial institutions and promotes a proportionate approach to ICT risk management, allowing these entities to comply with the core principles of identifying, protecting against, detecting, responding to, and recovering from ICT-related incidents in a way that reflects their size, complexity, and the specific nature of their risks.
The Role of BeyondTrust Solutions in Enhancing Cybersecurity Compliance
Against the backdrop of DORA's stringent cybersecurity mandates, BeyondTrust's solutions are crafted to ensure that financial entities can effectively manage and secure privileged credentials and access, a core component of the cybersecurity resilience DORA aims to establish.
Through its advanced Identity Security and PAM solutions, BeyondTrust provides a robust framework for managing and monitoring privileged access, ensuring that financial institutions can protect against unauthorized access and potential security breaches. These capabilities, when implemented, directly support the broader objectives (Articles) of DORA in enhancing the sector's operational resilience.
Below, we will briefly cover different products from the BeyondTrust Platform and list the DORA Articles with which each product helps organizations comply.
Identity Security Insights
Gain a centralized view of identities, accounts, entitlements, and privileged access across your IT estate and detect threats resulting from compromised identities and privileged access misuse.
Article 5, Governance & Organization
- BeyondTrust Identity Security Insights uncovers and offers insights into identities, accounts, privileges, entitlements, and access pathways across the identity landscape, encompassing on-premises, cloud, and SaaS environments. It enables organizations to identify where privileges are located, their interconnections, where controls are insufficient, and potential points of abuse within their interconnected environment. This visibility empowers them to make informed decisions and establish effective policies that enforce least privilege access and controls.
Article 7, ICT Systems, Protocols, and Tools
- Identity Security Insights is engineered to analyse and monitor identities, entitlements, and access privileges across an organization's IT environment, which encompasses on-premises, cloud, and hybrid systems. By identifying and documenting where privileges, entitlements, and access pathways are present, it helps pinpoint vulnerabilities related to identity and access management that could potentially be exploited during an ICT disruption.
Article 8, Identification
- Identity Security Insights leverages behavioural analytics to scrutinize user behaviours and access patterns, detecting anomalies that could signal potential security risks or vulnerabilities. This proactive detection mechanism is particularly effective for monitoring privileged accounts, aligning seamlessly with DORA's mandate for robust ICT risk identification processes.
Article 9, Protection & Prevention
- Identity Security Insights enhances identity hygiene and security posture by offering extensive "threat-aware" visibility into identities, privileges, identity misconfigurations, and risks throughout your identity infrastructure, including on-premises environments, clouds, SaaS, and Identity Providers (IdPs). It incorporates privileged access management controls that help minimize the attack surface associated with excessive and unnecessary privileges. This is achieved by enabling restrictions on access, enforcing policy compliance, and right-sizing privileges.
Article 10, Detection
- Identity Security Insights is at the forefront of meeting Article 10’s demands, providing advanced analytics to continuously monitor and analyse user behaviour. By identifying deviations from normal usage patterns, it helps detect potential security threats early, facilitating quick preventative actions. This aligns with the effective detection systems required by Article 10, ensuring prompt identification of potential cyber risks.
- Identity Security Insights not only monitors but also assesses and scores the risks associated with user behaviours and access patterns. This proactive approach allows organizations to focus their security efforts on the most critical threats, aligning with DORA’s mandates for pre-emptive threat and vulnerability identification.
Article 16, Simplified ICT Risk Management Framework
- Identity Security Insights offers a scalable solution that provides visibility into the risks associated with user identities and access within an organization's ICT systems. It allows for a tailored approach to risk management, concentrating on the most pertinent identity and access management risks for each entity, thereby aligning with the simplified framework required by Article 16.
- The solution enables customization of monitoring and alerts to fit the unique risk profile and regulatory needs of each financial entity. This adaptability ensures that smaller institutions can maintain a focused oversight on essential assets and user activities, achieving compliance efficiently without the complexities of an all-encompassing monitoring system.
- Identity Security Insights streamlines the compliance reporting process, producing targeted reports that illustrate compliance with the simplified ICT risk management framework. This streamlined reporting is invaluable for smaller entities, helping them demonstrate compliance effectively without extensive resource investment.
- The tool aids in understanding the specific identity risks pertinent to an entity, especially those associated with privileged access. By pinpointing potential areas of vulnerability, it supports the development of focused and effective risk mitigation strategies that are proportionate to the operational scale and needs of the entity.
- Identity Security Insights enhances the ability of smaller financial entities to develop response and recovery strategies that are appropriately scaled. This support is crucial, ensuring that these entities can manage ICT incidents efficiently without the complexities of a more elaborate response and recovery infrastructure.
Privileged Remote Access
Extend privileged access security best practices beyond the perimeter by granularly controlling, managing, and auditing remote privileged access for employees, vendors, developers, and cloud ops engineers.
Article 5, Governance & Organization
- The centralized Privileged Remote Access platform facilitates the establishment of detailed role definitions and improves identity accountability through meticulous management and monitoring of privileged user activities. This aligns with DORA’s call for transparent governance structures.
Article 7, ICT Systems, Protocols, and Tools
- Privileged Remote Access ensures that third-party testers have secure and regulated access, safeguarding the integrity of the testing environment.
Article 8, Identification
- Privileged Remote Access allows financial institutions to secure and control access to their networks and systems for remote employees and third-party vendors. Monitoring and auditing these remote access sessions helps pinpoint potential security threats, such as unauthorized access or hazardous user behaviours, thereby enhancing the identification and management of ICT risks.
Article 9, Protection & Prevention
- Stringently controlled and secure remote access is paramount to align with the protective and preventive mandates of Article 9. Privileged Remote Access provides secure, regulated access to an institution's networks and systems for both internal and external users. By implementing stringent access controls and continuously monitoring remote connections, it plays a pivotal role in preventing unauthorized access and potential data breaches.
Article 11, Response & Recovery
- Privileged Remote Access plays a critical role in facilitating swift incident response. It allows secure and controlled access to the institution's networks and systems for internal response teams and external support, enabling rapid action in the face of an incident. This capability is essential for quick containment and mitigation efforts, ensuring that response personnel can address the situation promptly, irrespective of their location.
- The capability to contain and isolate affected systems is integral to maintaining control during an incident and minimizing its impact across the organization's IT infrastructure. Privileged Remote Access can isolate affected systems, preventing the spread of the issue and aiding effective containment.
Endpoint Privilege Management
Enforce least privilege dynamically to prevent malware, ransomware, and identity-based attacks, achieve compliance across Windows, macOS, and Linux endpoints, and enable your zero-trust strategy — without compromising on productivity.
Article 7, ICT Systems, Protocols, and Tools
- Endpoint Privilege Management applies the principle of least privilege, which is crucial for mitigating the risks posed by potential vulnerabilities, especially in software applications, during testing.
Article 8, Identification
- Endpoint Privilege Management reduces the risk of exploitation by limiting access rights to only what is necessary for specific tasks, and only for as long as they are needed. This minimizes the attack surface and aids in the early detection of software vulnerabilities and misconfigurations. Enforcing strict control over privileges prevents the spread of malware, ransomware, and other threats, bolstering the ICT systems' resilience against potential risks.
Article 9, Protection & Prevention
- Endpoint Privilege Management enforces the principle of least privilege, restricting user access rights to only what is necessary for their job functions. This minimization of privileges curtails the risk of malware spread and data breaches. Additionally, the control over application usage prevents unauthorized or malicious software execution, crucial for safeguarding against software vulnerabilities and external threats, in line with Article 9’s prevention requirements.
Article 11, Response & Recovery
- Endpoint Privilege Management, especially on Linux servers, is essential for adhering to security directives because it ensures that users operate under the principle of least privilege. By defaulting to minimal access rights, it reduces the risk of a security breach, restricting user permissions to only those tools and commands essential for their specific roles. In the event of a breach, this approach helps to contain the impact, as malicious actors or compromised accounts are limited in their access to critical system resources.
Password Safe
Manage privileged passwords, accounts, credentials, secrets, and sessions for people and machines, ensuring complete control and security — all while enabling zero trust.
Article 5, Governance & Organization
- Password Safe provides a centralised platform for managing privileged access, aligning with the need for a clear governance framework. It allows for detailed role definitions and enforces accountability by managing and monitoring privileged user activities.
Article 7, ICT Systems, Protocols, and Tools
- Password Safe ensures that access during testing phases is securely managed, providing testers with the necessary credentials while minimizing the risk of security compromises.
Article 8, Identification
- Password Safe centralizes the management of privileged credentials, drastically lowering the possibility of unauthorized access or security breaches. This centralized management system aids in identifying potential exploit points for privileged access by malicious entities, directly addressing a crucial element of ICT risk.
Article 9, Protection & Prevention
- Password Safe secures, manages, and monitors privileged account credentials, ensuring that only authorized users can access critical systems under strict conditions. This management includes automating credential rotation and enforcing robust password policies, effectively reducing the risk of credential theft and supporting compliance with Article 9’s protective protocols.
Article 11, Response & Recovery
- Password Safe ensures that access to critical systems is strictly managed during the recovery phase. This includes controlling and auditing access to privileged accounts, which is crucial for safeguarding the recovery process against unauthorized access or subsequent breaches, thus ensuring a streamlined and secure recovery.
- Post-incident, the automated credential rotation feature of Password Safe facilitates the swift re-securing of access points, restoring the integrity of access controls. This automation is vital for efficiently reinstating secure operations following an incident, thereby supporting a thorough and effective recovery process.
Going Beyond Compliance with The BeyondTrust Platform
BeyondTrust's Privileged Access Management (PAM) and identity security solutions provide organizations with the robust tools required to meet and exceed the mandates of the Digital Operational Resilience Act (DORA). By offering detailed audit trails and reporting functionalities, BeyondTrust ensures that financial institutions can maintain the transparency and oversight essential for effective ICT risk management.
Additionally, the enhanced visibility into digital assets and identities that BeyondTrust provides is crucial for detecting potential security breaches, from unauthorized access attempts to insider threats. These capabilities not only support compliance with DORA’s stringent regulations but also significantly fortify the cyber resilience of organizations, safeguarding the overall integrity and stability of financial systems in an increasingly interconnected world.
For more information about how your organization can meet the requirements of the Digital Operational Resilience Act, contact us today, or download our whitepaper to gain a more in-depth overview of how BeyondTrust's solutions map to DORA's mandates.
Allen Longstreet, Content Marketing Writer
Allen is a content marketing writer at BeyondTrust. He has a wealth of experience building content strategy for tech start-ups and SaaS businesses. He has a passion for video production, creative storytelling, and the intersection between the two.