Brussels is keeping up the pace: DORA, the Digital Operational Resilience Act, obliges financial companies to take stronger measures for IT security. But how does this regulation differ from ISO/IEC 27001 and NIS-2? An interview with André Säckel, Program Manager for Information Security Management Systems at DQS.
Third-party risk. This seemingly unwieldy term from the EU vocabulary has once again become highly topical. A security software manufacturer recently caused the most significant IT outage in history; the trigger was a programming error in an automatic update. Presumably, many IT teams relied on the vendor to ship an error-free update and did not test it themselves before rolling it out. That is not a good idea, because the vendor's mistake becomes your outage: this is exactly what third-party risk means.
The Digital Operational Resilience Act (DORA), which applies from January 2025, obliges financial companies to manage third-party risk, among other things. Other provisions of DORA include ICT risk management, an incident reporting obligation, and mandatory regular testing of digital operational resilience, including security testing. The aim is to raise the level of cyber security in the financial sector.
From January 2025, neglecting basics such as staged integration testing of new releases could, in the financial sector, lead to trouble with the authorities.
But don't we have similar measures in NIS-2? And shouldn't companies be certified to ISO/IEC 27001 anyway? So, is DORA just bureaucratic overkill?
The question is understandable, as all three frameworks aim to strengthen ICT security. It helps to separate the topics.
ISO/IEC 27001, NIS-2 and DORA: similarities and differences.
Firstly, ISO/IEC 27001: the recognized standard for information security management systems (ISMS) offers a systematic approach to managing IT security. This includes risk management, compliance, asset protection, efficient processes, and continuous improvement. The ISO standard, which was initially voluntary, has become de facto mandatory through market pressure. Companies use certification to ISO/IEC 27001 as a sign of trust and as proof of their efforts in information security. It is hard to imagine doing business without it; a missing certificate is often a knock-out criterion in tenders. "In Europe," says Säckel, "this is also because the cyber security directive NIS-2 (Network and Information Security Directive 2) implicitly requires certification in accordance with ISO/IEC 27001."
This is because NIS-2 designates the companies that count as critical infrastructure (essential and important entities), for which exceptionally high cybersecurity standards apply. The companies concerned must implement technical and organizational measures for cyber security and secure their networks and systems in line with the state of the art. This includes introducing a corresponding management system and, as a central point, an incident reporting obligation: companies must notify the competent authority in their country of significant incidents within tight deadlines. An early warning must be submitted within 24 hours of becoming aware of the incident, followed by a fuller incident notification within 72 hours. "Management systems, reporting obligations, state of the art: all of this is also found in DORA", comments Säckel.
However, DORA, an EU regulation that applies directly without national transposition, is dedicated exclusively to the financial sector and introduces rules that go beyond NIS-2. At its core, it is about ensuring that financial entities and their critical ICT third-party service providers can withstand cyberattacks and business disruptions and recover from them quickly. To demonstrate this, companies must regularly test their resilience, for instance through cyber crisis exercises. In addition, DORA gives the supervisory authorities direct powers over third-party risk: ICT service providers designated as critical for the financial sector can be examined directly by the supervisors, including on-site. If the findings are negative, the supervisors can require financial companies to suspend or terminate their contracts with those providers.
If things get serious, the supervisory authority will come calling.
This last point highlights the special nature of DORA: it does not rely solely on self-reporting or audits by certification bodies. Rather, it is structured like the German trade supervisory authority (Gewerbeaufsicht), which can inspect companies on-site. In Germany, BaFin and the Bundesbank take on this role for DORA. The IT glitch mentioned at the beginning of the article, which also had serious consequences in Germany, could be the kind of case that brings the supervisory authorities into the picture at affected financial companies. However, according to Säckel, "it is still unclear what such an audit would look like in concrete terms – the authorities also still have to adapt to DORA."
The new regulation shows that many EU rules follow an internal logic and are not bureaucracy for its own sake: the more critical the industry, the stricter the rules. But there is good news, says Säckel, because "financial companies that are already ISO certified are in an excellent starting position."
They have an information security management system (ISMS) as a solid basis. DORA extends this basis to include specific requirements for improving digital resilience.
Like ISO/IEC 27001, DORA places strong emphasis on ICT asset management. It requires detailed documentation and evaluation of all ICT assets to determine their protection needs. This is supplemented by comprehensive risk management that identifies and assesses threats. DORA also requires external partners to meet its requirements. Financial companies will therefore have no choice but to vet their service providers and demand declarations of conformity and contractual assurances from them.
Get better, because cybercriminals never sleep
In business practice, DORA translates into concrete requirements. For example, financial companies need backup and restore arrangements, with processes that ensure the integrity and availability of the backups. It is particularly important to determine two figures: how much data the company can afford to lose in an IT failure, i.e. the maximum tolerable gap between the last usable backup and the failure (recovery point objective, RPO), and how long the company needs to resume normal operations (recovery time objective, RTO). "These two metrics help to develop a disaster recovery strategy."
Disaster recovery is the most important component of business continuity management (BCM), which in financial companies encompasses much more than the recovery of IT operations. It is therefore important that all emergency plans within the BCM framework are practical: they must be reviewed regularly and tested in emergency drills to ensure they work when needed. This includes testing data backup and recovery on the IT side. Both must run smoothly, and the restored data and systems must be functional after the restore, which can only be confirmed with practical tests. Companies should, however, "refrain from implementing DORA & Co. in a single step. The EU requirements call for a continuous improvement process."
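The following is an added example, not code from the article or from DQS, showing what a minimal restore drill of the kind described above can look like in practice: a backup is written together with a SHA-256 manifest, the restore is re-hashed against that manifest so that a corrupted or tampered backup is caught before anyone declares the drill a success, and the result is compared against RPO and RTO targets. The sample files, the directory layout and the 4-hour RPO and 30-minute RTO targets are all constructed for illustration.

```python
"""Added example (not from the article): backup integrity check plus RPO/RTO
evaluation for a restore drill. All paths, targets and sample data are
constructed for illustration."""
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_dir: Path) -> dict:
    """Copy every file under `source` into `backup_dir` and write a manifest
    (relative path -> SHA-256 of the stored copy, plus the backup timestamp)."""
    manifest = {"created_at": datetime.now(timezone.utc).isoformat(), "files": {}}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            dest = backup_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest["files"][rel] = sha256_file(dest)
    (backup_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup_dir: Path, restore_dir: Path) -> dict:
    """Restore the backup into `restore_dir`, re-hash every restored file
    against the manifest and time the whole operation."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    start = time.monotonic()
    failures = []
    for rel, expected in manifest["files"].items():
        src, dest = backup_dir / rel, restore_dir / rel
        if not src.exists():
            failures.append(f"missing: {rel}")
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        if sha256_file(dest) != expected:  # corruption or tampering after backup
            failures.append(f"hash mismatch: {rel}")
    return {
        "integrity_ok": not failures,
        "failures": failures,
        "restore_seconds": time.monotonic() - start,
        "backup_created_at": datetime.fromisoformat(manifest["created_at"]),
    }


def evaluate_objectives(report: dict, now: datetime, rpo: timedelta, rto: timedelta) -> dict:
    """Achievable RPO is the age of the newest usable backup (everything written
    after it is lost); achieved RTO is the measured restore duration."""
    data_loss_window = now - report["backup_created_at"]
    return {
        "rpo_met": data_loss_window <= rpo,
        "rto_met": timedelta(seconds=report["restore_seconds"]) <= rto,
        "data_loss_window": data_loss_window,
    }


def run_drill(tamper: bool = False) -> tuple:
    """Full drill on constructed sample data. With tamper=True one backup file is
    altered after the manifest was written; the restore must flag it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restore = root / "live", root / "backup", root / "restore"
        for d in (source, backup, restore, source / "cfg"):
            d.mkdir()
        (source / "ledger.csv").write_text("id,amount\n1,100.00\n2,250.50\n")  # constructed
        (source / "cfg" / "app.ini").write_text("[db]\nhost=db.internal\n")   # constructed
        create_backup(source, backup)
        if tamper:
            (backup / "ledger.csv").write_text("id,amount\n1,100.00\n2,999.99\n")
        report = restore_and_verify(backup, restore)
        objectives = evaluate_objectives(
            report, now=datetime.now(timezone.utc),
            rpo=timedelta(hours=4), rto=timedelta(minutes=30))  # assumed targets
        return report, objectives


if __name__ == "__main__":
    for tamper in (False, True):
        report, objectives = run_drill(tamper=tamper)
        print(f"tamper={tamper} integrity_ok={report['integrity_ok']} "
              f"failures={report['failures']} rpo_met={objectives['rpo_met']} "
              f"rto_met={objectives['rto_met']}")
```

The point of the tampered run is that a drill which only checks "the restore finished" would pass; the manifest comparison is what turns the restore into evidence of integrity. In a real environment the manifest would be signed or stored separately from the backup media, so that whoever can modify the backup cannot also rewrite the expected hashes.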
This makes sense in the dynamic field of IT and given the sometimes stormy developments in cyber security. The PDCA cycle (Plan-Do-Check-Act) familiar from ISO/IEC 27001 is therefore also central to DORA: in view of the dynamic nature of cybercrime, it drives the continuous development of security measures. The legal obligations under NIS-2 and DORA ensure that the financial sector, as part of the critical infrastructure, does everything it can to be particularly secure.
André Säckel has been Program Manager for ISMS (Information Security Management Systems) at DQS since 2017. The experienced IT and management expert studied computer science with a focus on mathematics and business administration at the TU Bergakademie Freiberg and then worked for five years as a systems analyst at Accenture and as a technical manager at Ajilon in Australia. He has extensive experience in the certification of management systems and is an auditor for the ISO/IEC 27001 and TISAX standards.
This article was first published in German on www.it-finanzmagazin.de/dora-vs-iso-iec-27001-und-nis-2-drittanbieterrisiko-215736/