Beyond Compliance: Achieving Cyber Resilience in the Financial Sector with DORA and TIBER-EU

The financial sector is a prime target for cyber attackers, and the stakes have - quite literally - never been higher. IBM’s 2024 Cost of a Data Breach Report gave weight to the conversation, indicating the average cost of a data breach in the financial industry has reached an eye watering $6.08M USD. In response to the escalating threat landscape, the European Union (EU) has introduced two groundbreaking regulations: the Digital Operational Resilience Act (DORA) and the Threat Intelligence-Based Ethical Red Teaming (TIBER-EU) framework. These regulations are poised to reshape the cybersecurity landscape for financial institutions, demanding a heightened focus on resilience and preparedness. This focus is especially critical given the rising costs of cybercrime and data breaches, which can have devastating financial and reputational consequences for organisations in the financial sector.

The magnitude of the problem is strikingly illustrated by a Bloomberg article, which puts it simply: if cybercrime were measured as a country, it would be the world's third-largest economy, trailing only the US and China. To shed light on these groundbreaking regulations and their implications, SANS Certified Instructor and penetration tester, Chris Dale, joined The Register in a recent webinar, ‘Cybersecurity Regulation Steps Up’. Offering invaluable perspectives on how new regulations like NIS2, DORA, and TIBER-EU will shape the IT security landscape and the financial sector, the webinar also explored the urgency for proactive cyber resilience measures, best practices, and how to navigate implementation challenges. As Chris highlights, these regulations are not just about ticking compliance boxes; they're about creating a culture of continuous improvement and preparedness in the face of evolving threats.

This blog delves into Dale's expert perspectives on DORA and the TIBER-EU framework, exploring their implications for businesses across the EU's financial sector.

DORA: A Five-Pillar Approach to Resilience

DORA, with its January 2025 deadline, focuses on bolstering the operational resilience of financial entities, including banks, insurance companies, and even IT suppliers. It comprises five pillars that address risk management, information sharing, third-party risk, and, crucially, operational resilience testing:

1. Risk Management: Organisations must establish robust risk management practices, including identifying, assessing, and mitigating cyber risks. This involves conducting regular risk assessments, implementing appropriate security measures, and developing incident response plans.
2. Incident Reporting and Information Sharing: DORA emphasises the importance of transparency and collaboration. Financial entities are required to report significant incidents promptly and share information about threats and vulnerabilities with relevant authorities and other organisations.
3. Third-Party Risk Management: Recognising the interconnectedness of the financial ecosystem, DORA mandates stringent third-party risk management. Organisations must carefully assess and manage the risks associated with their suppliers and service providers.
4. Digital Operational Resilience Testing: Regular testing is a cornerstone of DORA. Financial entities are required to conduct basic penetration testing annually and more advanced testing, such as TIBER-EU, every three years.
5. Governance: DORA places a strong emphasis on governance, requiring organisations to establish clear roles and responsibilities, implement robust policies and procedures, and ensure board-level oversight of cybersecurity.

TIBER-EU: Threat Intelligence-Based Ethical Red Teaming

TIBER-EU is the practical arm of DORA, providing a framework for threat intelligence-based ethical red teaming. It requires financial institutions to engage in advanced penetration testing that simulates real-world attacks, pushing their defences to the limit. As Dale explains, "TIBER-EU requires us to do testing, and the testing has to be basic and advanced". This approach helps organisations identify weaknesses and improve their ability to detect, respond to, and recover from sophisticated cyber-attacks.

Navigating Complexities

Implementing DORA and TIBER-EU is not without its challenges. As Dale candidly points out during the webinar, organisations may grapple with the intricacies of these regulations, struggle to secure adequate resources, and find it challenging to integrate cybersecurity into their overall business strategy. The distinction between ‘basic’ and ‘advanced’ penetration testing under TIBER-EU also raises questions about what truly constitutes effective testing in today's threat landscape.

Key Challenges:

• Deciphering Complex Requirements: DORA, in particular, is known for its extensive and detailed requirements. Organisations may find it challenging to interpret these regulations accurately and translate them into actionable steps for their organisations.
• Resource Constraints: The 2024 SANS NIS2 Readiness Survey revealed that nearly half of respondents identified a lack of resources as a major obstacle to implementing NIS2. This challenge likely also extends to DORA and TIBER-EU. Organisations may face tough decisions when allocating budgets and staffing for cybersecurity initiatives, especially in the face of competing priorities.
• Integrating Security into Business Strategy: Cybersecurity can no longer be solely the responsibility of the IT department. It must be integrated into the fabric of the entire organisation, from the boardroom to the front lines. This requires effective communication, training, and a shared understanding of the importance of cyber resilience.
• The ‘Basic’ vs. ‘Advanced’ Testing Dilemma: Dale raises valid concerns about the distinction between ‘basic’ and ‘advanced’ penetration testing under TIBER-EU. Organisations must ensure their testing methodologies are rigorous and aligned with the latest threat intelligence, regardless of the level of testing.
• The Ever-Evolving Threat Landscape: As Dale reminds us, "Cybersecurity is a moving target". The threat landscape is constantly changing, and organisations need to instil a culture of adaptability and continuous improvement to keep pace with the constantly evolving threat landscape.
• Financial Repercussions of a Breach: Losses extend beyond immediate costs with regulatory fines on the rise. Organisations paying more than $50,000 USD in fines increased by 22.7% in 2024, and those paying more than $100,000 USD rose 19.5%, according to the IBM report. This adds another layer of complexity and financial burden to the challenges of managing cyber risk.

By addressing these challenges head-on and implementing the best practices detailed later in this blog, organisations can position themselves for success in the new regulatory landscape. However, two specific areas warrant further exploration: the complexities of third-party risk management and the ever-present threat of maintaining operational resilience in the face of evolving threats. Let's delve deeper into these critical aspects of cyber resilience in the financial sector.

The Third-Party Risk Management Conundrum

DORA recognises the interconnected nature of today's financial ecosystem, where organisations rely heavily on third-party vendors and service providers. This reliance, while often necessary for efficiency and innovation, introduces significant cybersecurity risks.

As Dale highlights during the webinar, even seemingly innocuous third-party services can become entry points for attackers. He underscores the importance of regulations like DORA that mandate stringent third-party risk management and require organisations to carefully assess and mitigate the risks associated with their suppliers. This includes conducting thorough due diligence, incorporating security requirements into contracts, and maintaining ongoing communication and monitoring.

However, implementing effective third-party risk management is easier said than done. Complex supply chains, data sharing agreements, and the inherent risks associated with external entities create a complex landscape for organisations to navigate. IBM’s report revealed that third-party involvement was one of the five biggest cost amplifiers, increasing the average cost by more than $370,000 to $4.29M.

Key considerations:

• Comprehensive Vendor Assessments: Evaluate the security practices of all third-party vendors, not just those directly involved in critical operations.
• Contractual Obligations: Include specific security requirements and incident reporting clauses in contracts with vendors.
• Ongoing Monitoring: Continuously monitor the security posture of your vendors and ensure they remain compliant with your organisation’s security standards.
• Incident Response Collaboration: Establish clear communication channels and procedures for incident response with your vendors.

While third-party risk management is a critical aspect of DORA compliance, organisations must also focus on maintaining their own operational resilience in the face of an ever-evolving threat landscape. This requires a proactive and adaptive approach to security, ensuring they can withstand and recover from attacks quickly and effectively.

Maintaining Operational Resilience in a Dynamic Threat Landscape

The dynamic nature of the cyber threat landscape is constantly evolving, with attackers becoming increasingly sophisticated and persistent. DORA's focus on operational resilience testing, including regular penetration testing and the implementation of TIBER-EU, reflects the importance of regularly challenging your defence and identifying weaknesses. As Dale emphasises, "cybersecurity is a moving target”, and organisations need to adopt a proactive and adaptive approach to security, ensuring they can withstand and recover from attacks quickly and effectively.

The ability to adapt to new threats and vulnerabilities is crucial. As Dale points out, the success of advanced persistent threats (APTs) demonstrates that attackers are patient and relentless. Organisations must be able to detect and remediate threats swiftly to minimise the impact of a breach, with a focus on building the capability to withstand and recover from attacks. The financial impact of downtime can be staggering, with some estimates reaching as high as $9,000 per minute for large organisations, according to a recent Forbes article. For higher-risk sectors like finance and healthcare, these costs eclipse $5M an hour in certain scenarios, and these figures do not include any potential fines or penalties. Beyond downtime, the broader costs of a data breach can be immense, encompassing direct expenses like forensic investigations and legal fees, as well as indirect costs like customer churn and reputational damage.

The rise of cryptocurrency-related crimes is predicted to cost the world $30B USD in 2025, according to Cybersecurity Ventures, and the 2023 Data Breach Investigations Report by Verizon, indicates the finance industry was among the top targeted sectors, experiencing a significant number of breaches. These stark numbers only emphasize the importance of making operational resilience not just a security concern, but a financial imperative.

Operational resilience requires a combination of technical controls, robust incident response plans, and a culture of continuous improvement.

Key considerations include:

• Continuous Monitoring and Threat Intelligence: Implement real-time monitoring and leverage threat intelligence to proactively detect and respond to emerging threats and vulnerabilities. Stay informed about the latest attack techniques and tactics used by adversaries.
• Robust Backup and Recovery Strategies: Establish comprehensive backup and recovery procedures to ensure business continuity in the event of a cyberattack or other disruption. Regularly test these procedures to verify their effectiveness.
• Tabletop Exercises and Drills: Conduct regular tabletop exercises and drills to simulate cyber incidents and test your organisations incident response capabilities. This will help identify gaps and improve your ability to respond effectively under pressure.
• Red Team Exercises: Consider implementing TIBER-EU-inspired red team exercises to assess your organisations resilience against sophisticated, targeted attacks.
• Cybersecurity Awareness and Training: Extend cybersecurity training beyond the IT department to include all employees. Instil a culture of security awareness across the organisation, ensuring everyone understands their role in protecting critical assets.
• Technology and Automation: Leverage advanced security technologies and automation to enhance threat detection, response, and recovery capabilities. Stay abreast of the latest innovations and evaluate their potential to strengthen your cyber resilience.

These two areas, third-party risk management and maintaining operational resilience, particularly through rigorous testing such as TIBER-EU, are critical components of a successful DORA implementation strategy.

Now, let's explore some best practices for navigating these challenges and achieving cyber resilience in the financial sector.

Best Practices for Success

While the challenges of implementing DORA and TIBER-EU are significant, the potential benefits to an organisation’s overall security posture are undeniable. To navigate these challenges and successfully implement DORA and TIBER-EU, consider the following best practices:

• Adopt a Risk-Based Approach: Prioritise security measures based on the most significant risks to your organisation. Conduct thorough risk assessments to identify vulnerabilities and allocate resources accordingly.
• Invest in Staff Training and Awareness: Empower your employees to become your first line of defence. Provide comprehensive and ongoing cybersecurity training to raise awareness and reduce the risk of human error.
• Consistent Use of Multi-Factor Authentication (MFA): Mandate MFA across your organisation. This simple yet effective measure significantly enhances protection against unauthorised access.
• Plan for the Inevitable: Develop and regularly test incident response plans to ensure your organisation is prepared to respond swiftly and effectively to cyberattacks.
• Conduct Thorough Third-Party Risk Assessments: Don't overlook the risks associated with your supply chain. Evaluate the security practices of your vendors and incorporate security requirements into contracts.
• Engage in Advanced Penetration Testing: Regularly test your defences with advanced penetration testing that simulates real-world attacks. Consider partnering with external experts to gain fresh perspectives and insights.
• Embrace a Culture of Continuous Improvement: Cybersecurity is not a one-time project; it's an ongoing journey. Continuously monitor your security posture, adapt to evolving threats, and invest in the skills and knowledge of your cybersecurity team.

Don't wait until the last minute to scramble for compliance. Take the time to understand the requirements, assess your organisations current capabilities, and develop a strategic plan for implementation. By taking proactive steps today, you can ensure that your organisation is prepared to meet the challenges of the evolving cyber threat landscape and safeguard its critical assets.

Charting the Road Ahead

DORA and TIBER-EU are transforming the cybersecurity landscape for the financial sector. These regulations are driving a shift towards proactive resilience and preparedness, forcing organisations to confront the reality of cyber threats and take concrete steps to protect themselves. By understanding the requirements of these frameworks, embracing best practices, and addressing implementation challenges head-on, financial institutions can strengthen their defences and navigate the new frontiers of cybersecurity with confidence.

The clock is ticking. The deadline for DORA compliance is January 2025. Now is the time to take action and ensure your organisation is prepared to meet the challenges ahead.

• The critical shortage of skilled cybersecurity professionals, reported by 53% of organisations, directly contributes to higher breach costs. Investing in training and certification programs, such as those offered by SANS, is essential for bridging this skills gap and bolstering your organisations cyber resilience.

Remember, as Dale emphasises, cyber resilience is an ongoing journey, not a destination. By continuously assessing your risks, enhancing your security measures, and learning from the experiences of others, you can protect your organisation and its critical assets from the threats of tomorrow.

Explore SANS’s DORA Resource Hub today for actionable insights and expert guidance on navigating DORA and TIBER-EU. Equip your organization with the tools and strategies needed to achieve cyber resilience and stay ahead of evolving threats in the financial sector.