DORA Readiness and the Path to Digital Operational Resilience Testing

I still remember my first banking experience. It was circa 1980, having just been paid cash for a job, I walked into a bank and opened my first bank account. I handed over my hard-earned cash to the bank teller and the teller handed me back a bank book with a handwritten transaction as a record of my deposit. 

Fast forward 45 years…and boy how things have changed!  

Sitting here today, I cannot even remember the last time I had cash in my wallet, yet I still manage to purchase and pay for things every day. 

The Digital Age has transformed the banking and financial services industry so profoundly that my entire world stops if the systems and technologies enabling financial transactions come to a halt. I do not carry cash these days, so I do not have a backup plan to pay for things. 

I think the European Parliament and the Council of the European Union sympathize with me (and millions like me), given their introduction of the Digital Operational Resilience Act (DORA) for the financial sector. 

The DORA regulations aim to ensure that the banking and financial systems that keep our economies running in key sectors, and the Information and Communication Technologies (ICT) that underlie them, are resilient to the risks facing the financial sector.

At a high level, we can roughly break down those risks to ICT systems into the following areas: 

  • Cyber Attacks: 60% 
  • Software Issues: 20% 
  • Third-Party Risk: 15%  
  • Power / Hardware Failure: 5% 

And, while the exact percentage of risk may vary depending on the specific financial institution and the third-party entities they work with, cyber attacks are by far the biggest area of risk for the disruption of financial services and the driving force behind the introduction of the DORA act in this digital financial world. 

Here at Cymulate, we are putting the DORT in DORA to help financial institutions and the third parties that service them meet these latest EU regulations. Cymulate enables Digital Operational Resilience Testing (DORT) to help prevent cyber attacks in a way that embodies the true spirit of the DORA act: protecting financial institutions from wave after wave of cyber threats. 

While the chapters of the DORA regulations cover a lot of ground in terms of governance structures, competent authorities, management processes, and risk frameworks, it is the actual act of testing and validating ICT systems and security controls where the rubber truly hits the road.  

It is the act of testing using a simulated attack scenario that determines exactly how resilient ICT systems and controls are to the latest cyber threats. 

Financial institutions across the globe invest heavily in ICT systems and technologies to protect the mission critical financial applications and services that the world revolves around.  

But how do you know that these security controls and technologies are operating as intended and can stop a cyber attack from disrupting financial operations? How do you know that the controls are resilient to the latest cyber threats? 

Well, you could just place your faith in the security controls, trust that they do what they say on the box, and then wait for an attack to occur to find out just how well those controls actually work. However, this approach goes against everything that DORA stands for. 

Or, preferably, you could test and validate your security controls (frequently), and those of your third-party providers, against the latest emergent threats to identify weaknesses, deficiencies, and gaps in cybersecurity that need to be prioritized and remediated based on their risk and exposure level.  

This is exactly what the DORA act was designed to do and exactly what the Cymulate platform delivers. 

As discussed earlier, the most critical area of risk for ICT solutions is cyber attacks. Today we see a constant wave of cyber attacks targeting the finance sector, where threat actors seek to disrupt financial operations, exfiltrate sensitive information, and hold systems for ransom. These attacks represent the highest risk exposure for a financial institution and its service providers, and they are the reason these organizations invest heavily in technologies that prevent, detect, and stop such attacks. 

Organizations invest in security controls to stop cyber attacks before they become a cyber breach. These controls include:  

  • Secure Email Gateways (SEG) 
  • Secure Web Gateways (SWG) 
  • Endpoint Antivirus Solutions (AV) 
  • Endpoint Detection & Response Solutions (EDR) 
  • Endpoint Protection Platforms (EPP) 
  • Cloud Security Solutions (CWPP, CNAPP, CSPM) 
  • Data Loss Prevention (DLP) 
  • Identity & Access Management (IAM) 
  • Multi Factor Authentication (MFA) 
  • Security Information & Event Management (SIEM) 

When these controls are optimized based on the cyber risks facing an organization, that organization is more resilient to cyber attacks. But the cyber threat landscape is constantly evolving and therefore the controls require continuous validation and optimization to remain effective. Optimization means configuring and fine-tuning the controls to prevent and detect the latest emergent threat activity. This is what the Cymulate platform is known for – breach and attack simulations that test and validate security controls and processes against the latest emergent threats. 

The Cymulate platform delivers automated test execution, which enables weekly testing and validation of critical security controls against the latest threat actor activity targeting financial institutions and their third-party service providers. This solution meets the requirements of DORA Chapter 4 (Digital Operational Resilience Testing) head on, addressing the number one risk to financial institutions: cyber attacks.

Cymulate breach and attack simulations deliver threat-led assessments of critical security controls using the latest immediate threats identified by the Cymulate Threat Research team and informed by the broader cybersecurity community at large. These emergent threats are loaded into the Cymulate platform every day, within 24 hours of new CVEs being released.  

The assessments are enabled with thousands of fully automated test executions that validate security controls using different attack types and techniques across the MITRE ATT&CK and/or NIST frameworks, to thoroughly test each control and find the gaps and weaknesses that threat actors could exploit. And while the DORA regulation requires tests to be run at least yearly, the critical role of these security controls to stop a cyber breach means that we recommend you test and validate security controls weekly, going above and beyond the requirements of DORA. When you consider the pace that threat actors operate with new emergent threats being released daily, and changes to the IT environment occurring frequently, testing and validating security controls on a weekly basis is considered a best practice by Cymulate. 

The output of these assessments provides detailed findings and reports for each security control with deep insight into: 

  • Risk Scores to measure the efficacy of security controls and provide a basis for continuous improvement.   
  • Exposure Levels to monitor resiliency and achieve an acceptable level of risk. 
  • Penetration Ratios to highlight malicious activities not stopped by key controls.  
  • Ratios by Attack Types to prioritize critical areas of weakness. 
  • Mitigation Guidance to help optimize controls, enhance policies, and strengthen resilience. 
  • Detection & Prevention Rules to further increase resilience of key security controls. 

While the Cymulate platform may not validate that a feature release for a financial business system is free of software issues, or check for redundancy when a piece of hardware fails, it does provide the proof and evidence you need for DORA compliance against the biggest area of risk to financial organizations: cyber attacks.

And by adopting this platform in response to the DORA mandate, you are demonstrating a commitment to continuous improvement of your cybersecurity defenses through an offensive, threat-led mindset by testing critical security controls and responses on a frequent basis. 

In doing so, you are telling the world (and the DORA regulators) that “we take digital operational resiliency seriously and are proactive in protecting and safeguarding your sensitive information and the financial systems that people rely on every day.” 

With the Cymulate platform you can: 

  • Assess preparedness for handling ICT-related incidents from cyber attacks. 
  • Identify weaknesses, deficiencies and gaps in ICT security controls to improve your digital operational resilience. 
  • Implement corrective measures to close those gaps using mitigation guidance from Cymulate. 
  • Maintain and review a sound and comprehensive digital operational resilience testing programme for your organization and for any third parties providing services. 
  • Use a comprehensive range of assessments, test executions, and attack tactics and techniques to validate security controls in a production-safe environment. 
  • Leverage a risk-based approach based on the latest threat exposures in the evolving landscape of ICT risk. 

Digital operational resilience testing can be delivered quickly and simply by an independent internal party using Cymulate best practice assessments for ICT security controls. The output of these assessments provides the proof and attestation that the tests were performed in accordance with the DORA requirements as evidenced by the reports generated from the Cymulate platform. 

Cymulate puts the DORT in DORA and puts you well ahead of the game when it comes to achieving the DORA mandate by January 17, 2025. 

For more information on how Cymulate can help you meet DORA compliance, download our solution brief and schedule a demo of the Cymulate Exposure & Security Validation platform. 
