Fill out the form to stay updated on ecosystem innovation topics, activities and opportunities Cetif
More than 30,000 professionals make up the ecosystem of Cetif: we facilitate the meeting and exchange between banks, insurers and companies in an academic Center, competent and independent environment to share knowledge, experience and strategies on the most innovative drivers of change.
16 Research Hubs focused on dynamics of strategic evolution, regulatory updates, organizational and process practices, and the effects of digitization: we study innovation trends and best practices and share them with our communities.
Over 60 events including Main events (Workshop and Summit) and Community events (related to research activities) and Webinar: we bring together banks, insurance companies and businesses for shared growth on trends and challenges to outline innovative development strategies.
More than 40 Executive Education tracks, 4 Master's programs and numerous Company Specific Programs: we transfer innovative financial-oriented content with a scientific approach.
An experimental spin off combining academic research and entrepreneurial approach: we turn innovation and digitization into a concrete business advantage.
The DORA Regulation requires cultural and organizational, rather than technological, evolution. From the perspective of processes, roles and infrastructure, in fact, the new European Regulation formalizes several areas that banks have already been working on over time.
"Financial institutions have long been on a path," says Paolo Gatelli, Senior Researcher at CeTIF, "starting with the concept of business continuity as expressed, for example, by Basel II. If we look only at compliance, today banks are carrying out a gap analysis to identify those aspects in which they are not yet fully compliant and adapt to regulatory dictates."
A mere compliance perspective, however, makes one lose sight of the substantive concept behind DORA: bringing the issue of cyber resilience to the center of Board and top management strategies.
"The regulation is not so explicit," Gatelli concludes, "but in several aspects, such as in the reporting logics, the desire to elevate cybersecurity and resilience to the center of the company's governance emerges. It is not just about reviewing the organization, technologies or principals, but about connecting, even creating a common language, those who follow the technical aspects of security and those who govern the business."
Thus, not only ensuring that a bank or insurance company is able to withstand a cyber attack.
But orient them toward resilience, that is, the ability to quickly return to an adequate level of service delivery and avoid a potentially systemic crisis.
"It's no longer about managing downtime or disaster recovery," Gatelli confirms, "but ensuring that the bank continues to play its essential role to customers and society. This also means making sure that the board and top management know how to relate to these issues and, at the same time, that those who follow the more technical and technological aspects know how to tell the potential impact on the business of cyber risk."
The new systemic approach is confirmed by the cross-cutting nature of the business functions involved in DORA compliance.
IT security, compliance, and risk management, of course, but also management of suppliers, outsourcers, procurement. Because Dora also includes third parties and IT service providers in the resilience assessment.
"Again," Gatelli premised, "DORA formalizes a set of best practices already used by many financial institutions in relating to their supply chain.
However, we need to distinguish between large companies, which are already used to dealing with certain issues and sometimes already subject to Supervision, and medium and small companies that may not be equipped for indirect supervision."
The Regulator will go on to require banks to provide data and analytics on those third parties with which it has a relevant relationship. And this will result in a "natural selection" of the multitude of small ICT vendors serving the financial sector today.
"Not everyone has the capacity to meet certain requirements and to be properly compliant," Gatelli notes. Some banks have already told us about vendors who plan to back out and leave the market. The bank will also have to think about its supply chain and assess whether a vendor is jeopardizing the security of the supply chain.
If an institution, for example, purchases code from a third-party company, it becomes crucial to know who develops it, whether there are subcontractors and where they are located geographically, for both security and ethical reasons."
But while reporting activities, vulnerability assessments, training and resource certification pathways may prove to be unaffordable for small providers, banks could collaborate to jointly walk joint providers through the processes required to meet the controls imposed by DORA.
"A choice for efficiency," Gatelli continues, "but also for standardizing the oversight of the supply chain. Banks and suppliers can be mutually helpful and supportive in meeting regulatory requirements.
I think the link between financial institutions and critical suppliers will come out stronger and more transparent: not just because of regulatory obligation, but out of mutual interest."
The goal of bringing financial sector resilience within an overall ecosystem approach emerges clearly when DORA talks about infosharing.
"This is the conclusion of an important cultural evolution," Gatelli says, "because unfortunately, the idea that the cyber event is something to be hidden still resists, because it impacts the institution's reputation. And instead, information about attacks should be shared with others who may face the same threat in the future, or who may already be a target without knowing it."
With this systems approach, the experiences of others become something to learn from.
"Threats need to be analyzed and understood so that we can prevent further attacks," Gatelli explains. If one bank, for example, detected anomalies that later actually turned out to be an incident, then other banks know that they need to pay attention to those anomalies. Knowing the countermeasures applied by others can also help you react better and faster to a similar attack, responding at the earliest warning."
Adaptation to DORA, however, is not just about this cultural evolution. Rather, it is a matter of looking at the issue of which technologies to adopt with this new approach.
"We are talking about a very wide range of solutions," Gatelli concludes, "ranging from user authentication to perimeter garrisoning. In terms of architecture, the now-famous Zero Trust is of interest, that is, a combination of technologies to guard external access points in a timely manner.
In an era of smart working, many employee locations operate remotely: armoring the perimeter of the bank's systems is therefore more complex. Tools are needed to manage each access point, deciding what data and applications can be accessed, for example.
We also see a trend toward the use of technologies that do not originate in security, such as analytics and artificial intelligence, and that can be applied in this field to evolve in the current static cyber security rules and move toward new dynamic models, which detect potential threats even through weak signals, such as how a device is used or the consistency of a banking transaction with a customer's behavioral profile."