Enhancing DORA compliance with Identity and access management (IAM) .

Introduction

The role of Information technology as a business enabler cannot be overstated. In the last five decades, the world has progressed expeditiously through the process of initially digitizing information previously stored on papers and now to the present trend of digital transformation. This change in thinking in the way information is processed is borne out of the need for businesses to seamlessly interact with vendors, partners, customers, clients, and every entity in the business value chain to be economically viable and competitive.

One sector that has benefited massively from digital transformation in recent years is the financial industry. The need to be physically present to make financial transactions has now become less attractive since the digitalization of the financial market space. While these innovative transformational changes to financial business models enabled by digital technology have benefitted the industry in no small measure with increased productivity and operational efficiency, significant downsides mostly in the form of cybersecurity challenges arise with the digitalization of financial business processes.

For several consecutive years, the financial industry has been on the list of most targeted industry by cyber criminals. The primary reason for the financial industry being a prime target for cyber criminals is because of the enormous amount of money and sensitive data that financial institutions oversee. Despite the efforts in place to curb this menace, there still exists a huge monetary loss to breaches. The world economic forum in 2018 indicates that financial crime is a trillion-dollar industry. According to McKinsey & Company report, a siloed approach to interconnected financial risk is evident in the way financial institutions manage cyber risk.  

Considering this growing cyber risk on financial operations, the European commission has responded by creating a regulatory standard to strengthen information communication technology (ICT) resilience in the financial services industry. This regulation is named Digital Operational Resilience Act (DORA). The purpose of this act is to ensure financial market players (including third party digital service providers) providing financial service to EU customers and operating within and outside the EU have in place an ICT that can adapt and respond to disruptions or unforeseen events without interruption to delivery of products and services to their customers. The regulation came into force in January 2023 and there is a window period of 2 years for implementation. Financial institutions must be compliant with the DORA regulation by January 2025.

Getting compliant is a responsibility since the DORA act has binding legal force. In view of these requirements, financial industry players are expected to make significant effort and investment especially around areas of governance, risk and compliance solutions targeting ICT infrastructure. Based on experience, it is strongly believed that Identity and access management (IAM) – a framework that encompass tools, processes, policies, and technologies designed to make certain that only authorized entities have approved access to business assets can help organizations comply with DORA.  

Understanding the context of DORA

DORA is a sector specific regulation. It is intended to create a comprehensive approach to managing cyber security risk as well as operational resilience of the financial sector. This is expected to better align the business strategies of financial organizations and how they perform ICT risk management.  

The Digital Operational Resilience Act (DORA) is made up of five core areas of focus. These are:

1. ICT risk management

Financial institutions are expected to have in place an effective IT risk management framework that allows them to successfully manage and mitigate ICT risk that can negatively affect operational resilience. Measures such as internal controls and disaster recovery plans are expected to be implemented and monitored continuously.

2. ICT-based incident reporting

The Act directs that financial institutions and third-party digital service providers must put in place robust processes that can monitor, respond, restore, report, and prevent a recurrence of service interruption and any other ICT-related incidents. The approach to incident management must shift from reactive to proactive and all root causes of incidents must be identified and eradicated to enhance operational resilience. Major ICT-related incidents are also expected to be promptly reported to regulatory body within the allowed time limit.

3. ICT third-party risk management

Financial institutions majorly use third-party providers for ICT services and this dependency raises the risk profile as evident in supply chain attacks. DORA mandates financial institutions to effectively monitor and manage third-party risk all through the contract lifecycle. Financial entities are ultimately responsible for ICT linked risk management in the outsourcing arrangement.  

4. Digital operational resilience testing (DORT)

Financial institutions are now mandated by DORA to conduct operational resilience testing to validate their capacity to combat as well as recover from ICT-related security incidents. Specifically, penetration testing stemming from the peculiar threats they are exposed to is to be conducted and corrective actions to address the detected vulnerabilities need to be implemented.

5. Information and intelligence sharing

DORA regulation identifies the need for awareness among the community of financial entities. To improve operational resilience across the entire financial industry, the Act allows and supports the sharing of cyber threat related intelligence. The exchange of information is non-mandatory but highly encouraged.   

Applying IAM framework to Strengthen Dora compliance

Financial institutions can demonstrate their compliance to DORA by adopting IAM framework. Financial entities have strong collaboration with business partners, clients, vendors, and other third-party agents. Implementing a reliable Identity and access management solution can help secure digital identities, address ICT risk, and prevent operational disruption. Emphatically IAM can be applied to achieve DORA’s operational resilience compliance in the following ways:

• IAM can assist organizations to strengthen their ICT governance and risk management framework which is one of the mandates of DORA. This is possible as IAM provides visibility and control over access to resources within and outside the organization. Verizon 2022 data breach report revealed that 27% of data breaches within the financial industry are linked to insider activity. Inadequate management oversight and poor audit trail increases risk. IAM’s authentication and authorization capabilities alongside automated provisioning for managing user access and privileges as well as risk-based adaptive access controls (RadAC) when implemented correctly can enhance the required level of enterprise risk management needed for DORA’s compliance.
• Financial entities regularly collaborate with third parties, and this introduces risk as the ICT infrastructure is accessible to others. DORA instructs that cross-organizational contractual agreements must be controlled and monitored for operational resilience. IAM can provide third-party access governance of digital service providers. Third party user accounts are properly onboarded and effectively managed throughout the entire contract lifecycle. Some of the key IAM capabilities that can monitor and manage supply chain security challenges include federated identity (same digital identity used by multiple organizations to access networks), Phishing-resistant multifunction authentication (MFA), and passwordless authentication.
• Incident reporting is one of the pillars of DORA. IAM can support organizations compliance, thanks to the monitoring and reporting capabilities in IAM solutions. The IAM logs keep track of user access activities, and this can enhance ICT incident management as organizations can promptly detect and respond to security incidents which will improve operational resilience.  
• IAM user access reviews and recertification of access rights are continuous auditing/assessment processes in IAM framework for protecting organizations against security breaches and significantly improving the IT risk profile. These IAM functions can help demonstrate compliance to DORA’s requirement of operational resilience testing.  

Conclusion

As financial institutions transition through the implementation phase towards DORA compliance, a robust cyber risk and governance architecture beyond the traditional “box-ticking” compliance practice needs to be in place. Deployment and maintenance of an IAM solution which provides visibility into how identities gain access to business resources from within and outside the enterprise network is a bold step towards achieving and demonstrating compliance to ICT operational resilience.

Author:
Taiwo Bamigbala, IAM Consultant at Epical