Banks and insurance companies exist in a world of audits, risk mitigation and compliance requirements designed to assure their financial solvency. As of Friday, those industries will face greater regulatory scrutiny of their IT systems if they conduct business in the European Union.
The EU’s Digital Operational Resilience Act went into force in January 2023. The act gave impacted companies a two-year window to put their IT house in order and bring their technology and communication infrastructure up to standards through regular security and resilience testing.
“The intention of DORA is to prevent IT outages — particularly long-term outages — to protect the consumer,” John Crossno, director of product management at Rocket Software, told CIO Dive. “Whether the outage is cyber-related or not is irrelevant. You’ve got to be able to get your systems back up and running quickly.”
Small IT outages are common and costly. Software provider Splunk found impacted organizations lose an average of $200 million per year from digital system shutdowns. Regulatory fines for a typical incident can surpass $20 million, according to Splunk.
Even in the absence of ransomware scenarios and subsequent regulatory action, service interruptions pull IT staff away from other work, slow business processes and can damage brand reputation.
Global crises, like the CrowdStrike incident that grounded thousands of commercial flights for days and disrupted financial transactions in July 2024, can cost billions. Delta Air Lines reported $500 million in losses from the incident.
Business executives anticipate another CrowdStrike-level crisis to impact IT systems in the next year, according to a December PagerDuty report.
The business continuity standards laid out in the EU’s DORA require banks, insurers, securities exchanges, trading venues and other financial services providers to maintain backup systems for swift incident recovery. The EU expects impacted parties to be able to restore critical functions within two hours of an outage incident, per DORA.
PwC estimates that more than 22,200 financial entities and IT service providers fall under the purview of the act.
The provisions and potential consequences should be on the CIO radar at companies located in or doing business with EU member countries.
“The first concern for a CIO should be to determine whether their organization is impacted and how compliance has been delegated,” Crossno said.
Most larger organizations subject to the act have risk management teams that have already embedded DORA compliance into corporate policy and tasked CISOs to stand up defensive measures. When critical systems go down, CIOs are also on the hot seat.
“You need to have proper backups or snapshots of your environments,” Crossno said. In addition to being mandated by the act, recovery systems are the key to reducing downtime and limiting the cost of an incident.
Recovery procedures are equally crucial: backups are only useful if there is an effective process in place for restoring from them.
“You’d be surprised how many companies make backups but don’t test the recovery process,” said Crossno.
Indeed, most companies vastly overestimate their business continuity capabilities, according to a Cohesity report published last year. Backup and recovery solutions can create the illusion of preparedness that critical incidents quickly dispel.
“Backup products produce audit reports that say you’ve backed this stuff up so you can prove to an auditor that you're compliant,” said Crossno. “But if nobody ever audits or looks at your recovery ability, then you don’t really know.”
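The gap Crossno describes, between a backup audit record and demonstrated recoverability, as an added Python example that is not from the article or from Rocket Software: it restores an archive into a scratch directory, checks every file against the manifest written at backup time, and times the restore against the two-hour target the act sets. The RTO constant, the drill record layout and the sample ledger files are assumptions made for illustration.

```python
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

RTO_SECONDS = 2 * 60 * 60  # the article's two-hour restore target, used here as the drill's RTO

def make_backup(source_dir, archive_path):
    """Archive source_dir; the returned {relative path: sha256} is the 'backup audit record'."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in Path(source_dir).rglob("*") if p.is_file()):
            rel = str(path.relative_to(source_dir))
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
            tar.add(str(path), arcname=rel)
    return manifest

def recovery_drill(archive_path, manifest, restore_dir):
    """Restore, verify each file against the manifest and time it; an extraction error is a failure."""
    start = time.monotonic()
    record = {"failed": [], "error": None}
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(restore_dir)
    except Exception as exc:  # damaged media, bad format, permissions: every cause must be recorded
        record["error"] = repr(exc)
    for rel, digest in manifest.items():
        path = Path(restore_dir, rel)
        if not path.is_file():
            record["failed"].append((rel, "missing after restore"))
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            record["failed"].append((rel, "checksum mismatch"))
    record["elapsed_seconds"] = time.monotonic() - start
    record["within_rto"] = record["elapsed_seconds"] <= RTO_SECONDS
    record["passed"] = record["error"] is None and not record["failed"] and record["within_rto"]
    return record

def run_demo():
    with tempfile.TemporaryDirectory() as work:
        src = Path(tempfile.mkdtemp(dir=work))
        for i in range(3):  # constructed sample data, not real ledgers
            (src / f"ledger{i}.csv").write_text(f"account,balance\n{i},{100 * i}\n" * 200)
        archive = os.path.join(work, "backup.tgz")
        manifest = make_backup(src, archive)
        good = recovery_drill(archive, manifest, os.path.join(work, "restore_good"))
        os.truncate(archive, os.path.getsize(archive) // 2)  # simulate damaged backup media
        bad = recovery_drill(archive, manifest, os.path.join(work, "restore_bad"))
        return good, bad
```

The manifest alone would report both archives as "backed up"; only the drill distinguishes the one that can actually be restored.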
At a bare minimum, CIOs should be in the loop on compliance decisions to ensure processes are in place for recovering backups, performing regular penetration tests and malware scans, and reviewing access controls to critical systems, Rocket recommends.
While the window for achieving compliance closes on Jan. 17, CIOs still have time to beef up IT resilience measures.
“It's sort of like speeding,” Crossno said. “You can go over the speed limit quite a bit, and you're OK until you get pulled over. If nothing happens, nobody knows. But if there’s an incident and you’re out of compliance, that’s when the fines come, along with reputational issues and cost of remediation.”