In the financial sector, cyberattacks have surged. Between Q2 2022 and Q2 2023, cyberattacks against financial services companies in Europe more than doubled, increasing by 119%. This trend underscores the urgency of complying with the Digital Operational Resilience Act (DORA), which aims to ensure a high level of digital operational resilience for all regulated financial entities. Adopted in November 2022 and published in the Official Journal of the EU in December 2022 as Regulation (EU) 2022/2554, DORA requires financial entities to report major ICT-related incidents promptly and comprehensively to their competent authorities, enabling a swift and coordinated response across the EU financial system. DORA applies from January 17, 2025 in all EU member states and complements existing legislation such as the Network and Information Security Directive (NIS), its successor NIS2, and the General Data Protection Regulation (GDPR).
DORA introduces a paradigm shift with its focus on “resilience.” Financial sector companies must organize from the outset to manage failures and cyberattacks effectively.
DORA applies to nearly all types of financial entities within the European Union. While banks and insurance companies are the most obvious, many other organizations are also covered under Article 2 of DORA. Furthermore, DORA requires financial entities to manage the risks arising from their ICT third-party service providers, including through contractual requirements those providers must meet, and it places critical ICT third-party providers under a Union-level oversight framework.
Benefits of integrating cybersecurity standards into DORA
Security standards offer globally recognized best practices. Aligning DORA with these standards ensures consistent management of cybersecurity and compliance. Key standards to consider include:
- NIST Cybersecurity Framework (NIST CSF)
- CIS Controls
- ISO 27001 and 27002
Organizations can simplify compliance management by building on the controls, infrastructure, and resources they already operate for these standards instead of running a separate DORA programme, and by tracking the resulting control mapping in a single tool.
Clear guidelines provided by these standards facilitate the prioritization of efforts and the allocation of resources based on the importance and impact of each control.
Standards can be selected and adapted according to the size, activity, and challenges of the organization. By aligning with DORA, cybersecurity measures remain flexible in the face of regulatory and technological changes.
Cybersecurity standards inherently include the concept of continuous improvement. By aligning these standards with DORA, organizations can keep their cybersecurity measures up to date against new threats.
Complying with DORA by implementing ISO 27001
ISO 27001, the standard that specifies the requirements for an Information Security Management System (ISMS), gives organizations a structured framework on which to build DORA compliance. However, certification alone is not a guarantee of compliance; what matters is how the standard is implemented. Not all DORA requirements are covered by ISO 27001/27002, so additional or modified controls will be necessary.
Key areas where ISO 27001 supports DORA compliance:
- ICT Risk Management: ISO 27001 requires an information security risk assessment and implementation of appropriate controls, aligning with DORA’s systematic risk management processes.
- Incident Response and Reporting: ISO 27001 defines controls for managing security incidents, corresponding with DORA’s incident reporting requirements.
- Digital Operational Resilience Testing: ISO 27001 includes controls for ICT readiness for business continuity and for technical vulnerability management, which support DORA's resilience testing requirements; DORA's threat-led penetration testing (TLPT) obligation goes beyond what the standard requires.
- Third-Party ICT Risk Management: ISO 27001 sets controls for managing information security with suppliers and in the ICT supply chain, supporting DORA's third-party risk management requirements.
- Information Sharing: ISO 27001 includes controls for threat intelligence, information transfer, and contact with authorities and special interest groups, supporting DORA's information-sharing arrangements.
Relevant controls mapped to the five main pillars of DORA. The mapping combines NIST CSF 2.0 subcategories (GV, ID, PR, RS, RC identifiers) with ISO/IEC 27001:2022 Annex A controls and management-system clauses.

ICT risk management, incident management, and resilience:
- ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
- ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
- ID.RA-03: Internal and external threats to the organization are identified and recorded
- ID.RA-08: Processes for receiving, analyzing, and responding to vulnerability disclosures are established
- ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
- PR.IR-02: The organization's technology assets are protected from environmental threats
- PR.IR-03: Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
- PR.IR-04: Adequate resource capacity to ensure availability is maintained
- RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved
- RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved
- RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
- A.5.29: Information security during disruption
- A.5.30: ICT readiness for business continuity

Third-party ICT risk management, supplier relationships, and incident handling:
- GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
- GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
- GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
- GV.SC-04: Suppliers are known and prioritized by criticality
- GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
- GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
- GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
- GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
- GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement
- ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained
- ID.AM-04: Inventories of services provided by suppliers are maintained
- ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission
- ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use
- ID.RA-10: Critical suppliers are assessed prior to acquisition
- PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization
- PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions
- PR.AA-03: Users, services, and hardware are authenticated
- PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
- PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk
- A.5.19: Information security in supplier relationships
- A.5.20: Addressing information security within supplier agreements
- A.5.21: Managing information security in the information and communication technology (ICT) supply chain
- A.5.22: Monitoring, review, and change management of supplier services
- A.5.23: Information security for use of cloud services
- A.5.24: Information security incident management planning and preparation
- A.5.25: Assessment and decision on information security events
- A.5.26: Response to information security incidents
- A.5.27: Learning from information security incidents
- A.5.28: Collection of evidence

Information sharing:
- GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
- ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
- ID.RA-03: Internal and external threats to the organization are identified and recorded
- RS.CO-02: Internal and external stakeholders are notified of incidents
- RS.CO-03: Information is shared with designated internal and external stakeholders
- RC.CO-03: Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders
- RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging
- A.5.5: Contact with authorities
- A.5.6: Contact with special interest groups
- A.5.7: Threat intelligence
- A.5.14: Information transfer
- A.5.31: Legal, statutory, regulatory and contractual requirements
- Clause 6.1: Actions to address risks and opportunities (including all sub-clauses)
- Clause 8: Operation (including all sub-clauses)
Beyond the Bridge: Achieving Full DORA Compliance
While ISO 27001 provides a robust foundation, achieving full compliance with DORA requires additional measures. Organizations must:
- Identify the DORA requirements that ISO 27001 does not fully cover, such as the major-incident classification and reporting obligations, the register of information and contractual requirements for ICT third-party providers, and the digital operational resilience testing programme, including threat-led penetration testing.
- Conduct gap analyses and assessments to evaluate their current state against DORA’s requirements.
- Tailor their Information Security Management System (ISMS) to incorporate DORA-specific controls and processes.
- Develop and implement additional documentation mandated by DORA, including incident reporting procedures and recovery plans.
How NIST CSF Compliance Paves the Way for DORA Success
The NIST Cybersecurity Framework (NIST CSF) provides a structured approach to managing and reducing cybersecurity risks, improving communication on risk management and cybersecurity between internal and external stakeholders.
- ICT Risk Management: NIST CSF provides a comprehensive approach to identifying, assessing, and managing cybersecurity risks, aligning with DORA’s risk management pillar.
- Incident Response and Reporting: The “Respond” and “Recover” functions of NIST CSF support response planning, communications, and analysis, aligning with DORA’s incident reporting requirements.
- Digital Operational Resilience Testing: The "Identify" function (in particular ID.IM-02, improvements identified from security tests and exercises) and the "Protect" function of NIST CSF support resilience testing and planning, helping identify vulnerabilities and strengthen controls before an incident occurs.
- Third-Party ICT Risk Management: The "Govern" (GV.SC), "Identify," and "Protect" functions of NIST CSF cover supply chain risk management, aligning with DORA's third-party ICT risk management requirements.
- Information Sharing: NIST CSF's communication and threat-intelligence subcategories (for example ID.RA-02, RS.CO-02, and RS.CO-03) align with DORA's information-sharing pillar.
Here is how NIST CSF 2.0 subcategories can be mapped to DORA's third-party ICT risk management requirements.
GV.SC-01: A cybersecurity supply chain risk management program, including strategy, objectives, policies, and processes, is established and approved by the organization’s stakeholders.
GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally.
GV.SC-03: Cybersecurity supply chain risk management is integrated into enterprise cybersecurity risk management, risk assessment, and improvement processes.
GV.SC-04: Suppliers are identified and prioritized based on their criticality.
GV.SC-05: Requirements for addressing cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other agreements with suppliers and relevant third parties.
GV.SC-06: Planning and due diligence are performed to mitigate risks before entering formal relationships with suppliers or other third parties.
GV.SC-07: Risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, addressed, and monitored throughout the relationship.
GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, with performance monitored throughout the lifecycle of technology products and services.
GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities following the conclusion of a partnership or service agreement.
ID.AM-03: Representations of the organization’s authorized network communication and internal and external data flows are maintained.
ID.AM-04: Inventories of services provided by suppliers are maintained.
ID.AM-05: Assets are prioritized based on their classification, criticality, resources, and impact on the mission.
ID.RA-09: The authenticity and integrity of hardware and software are evaluated before acquisition and use.
ID.RA-10: Critical suppliers are assessed before acquisition.
PR.AA-01: Identities and credentials of authorized users, services, and devices are managed by the organization.
PR.AA-02: Identities are verified and linked to credentials based on the context of interactions.
PR.AA-03: Users, services, and devices are authenticated.
PR.AA-05: Access permissions, rights, and privileges are defined in a policy, managed, enforced, and reviewed, incorporating principles of least privilege and separation of duties.
PR.AA-06: Physical access to assets is managed, monitored, and enforced proportionally to risks.
Integrating CIS Controls with DORA
Operational resilience and regulatory compliance go hand in hand, and correlating a proven, prioritized control framework with regulatory requirements is the most practical way to deliver both.
The CIS Controls are a set of recommended best practices designed to prevent the most common cyberattacks. Developed by a community of cybersecurity experts coordinated by the Center for Internet Security (CIS), they give organizations a structured, prioritized approach to securing their IT systems and data.
CIS Controls v8 comprises 18 controls, each broken down into safeguards grouped into three Implementation Groups, so that organizations of all sizes can adopt them incrementally.
CIS publishes mappings between the CIS Controls and more than a dozen other frameworks and standards, including SOC 2, HIPAA, MITRE ATT&CK, the NIST frameworks, and PCI DSS, which makes it straightforward to reuse CIS-based evidence for other regimes.
Integrating CIS Controls with DORA gives organizations a concrete way to implement the resilience DORA requires through the proven security practices detailed in the Controls.
Here is how the CIS Controls can be mapped to DORA's third-party ICT risk management requirements.
CIS Control 12: Network Infrastructure Management
• Maintain a documented, securely configured network architecture so that connectivity with third-party ICT providers is segmented, authenticated, and limited to the access each provider needs; this supports DORA's expectation that financial entities understand and control the data flows and dependencies created by outsourced ICT services.
CIS Control 15: Service Provider Management
• Maintain an inventory of service providers classified by criticality, establish a formal process for evaluating and selecting third-party ICT providers, conduct due diligence on the security posture of prospective providers, include security requirements and oversight provisions in contractual agreements, monitor providers for compliance with those obligations, and securely decommission providers at the end of the relationship.
CIS Control 17: Incident Response Management
• Include third-party providers in incident response planning and exercises, establish communication channels for reporting and responding to security incidents that involve third-party providers, and regularly review provider performance and compliance.
As the frequency and sophistication of cyberattacks in the financial sector continue to rise, compliance with DORA is more critical than ever. By aligning with internationally recognized cybersecurity standards such as ISO 27001, NIST CSF, and CIS Controls, financial institutions can not only meet DORA’s stringent requirements but also enhance their overall cybersecurity posture, ensuring trust and business continuity in an increasingly volatile digital landscape.
By taking a proactive and structured approach to compliance, financial institutions can effectively manage the complex landscape of cybersecurity risks and regulatory demands.
Need help?
Stroople provides compliance mapping against DORA through NIST CSF and ISO 27001 for your organization. Assess your DORA compliance with our experts.