With the Digital Operational Resilience Act (DORA) becoming enforceable on January 17 2025, financial organizations have to follow a strict set of rules regarding how they prepare for and respond to incidents, especially when it comes to outages and cyberattacks.
Joe Vaccaro, Head of Internet Intelligence at Cisco ThousandEyes, has told TechRadar Pro there are three pillars to becoming digitally resilient; security, assurance and observability.
Outages in the financial sector can have serious consequences for customers and for firms, and the Financial Conduct Authority has already warned the risk of Crowdstrike-esque outages is ‘severe but plausible’ going into 2025.
Downtime is costly
Part of the DORA regulation is about setting companies up to be protected against outages. Although ransomware and cyberattacks are dominating the conversation, outages can just as often originate from unpatched systems or bugs.
“What we see many times is that outages are not malicious in intent, but they’re simply a misconfiguration at a critical point within an adjacent domain,” Vaccaro says.
Looking back at 2024, it’s hard not to remember the biggest and most costly outage, the notorious CrowdStrike incident, where the estimated damage was in the billions and millions of devices were affected, but the incident likely stemmed from a misconfiguration rather than a cyberattack.
That said, companies must offer an equally robust response to misconfiguration as they would to a cyber threat, Vaccaro says. The incident response process is largely the same, and a thorough understanding of your digital dependencies can dictate the effectiveness of a firm’s actions:
“Can you detect if you have a problem? Can you localize to where along the path the problem is? And then as part of the diagnosis, can you understand how the configuration has changed both in your own infrastructure as well as infrastructure that you rely upon so that you can then mitigate it?”
In response to an outage, speed and accuracy is key, Vaccaro says, because downtime doesn’t just mean an inconvenience, but can cost a company serious money – he gives the example of a US healthcare firm which suffered an outage before becoming a ThousandEyes customer:
“They calculated the cost of downtime to them in a real life situation was over a million dollars per minute, and they were in the face of operating in an outage that was over six hours. So when you think about the cost of implementing digital resilience versus the cost of doing nothing.”
Digital assurance
A key part of digital resilience is just understanding the software you use and where it comes from, Vaccaro says. By understanding the services, vendors, and third party software your firm uses, you can be much more confident in your incident response.
“So from a ThousandEyes lens, we’ve been helping customers now for well over a decade to be able to map these digital dependencies” he says.
“And we think of ourselves in many ways like the Google Maps of the internet. How do you have the ability to understand from where you are to where you’re looking to go, what are all the routes that you’re gonna be taking? What are all the digital services that you’re gonna be traversing so that we can help customers to both discover an inventory and then be able to operate through this new world.”
Evolving regulations
Whilst the DORA regulation is an EU legislation, it still applies to many non-European firms who participate in European financial markets, meaning even UK and US firms need to be up to scratch.
“I think the first thing to highlight is that, you know, we live in a highly interconnected world,” Vaccaro points out.
“You know, where I live here in the United States, I’m accessing services provided from European countries all the time. And that’s just part of the global economy that we live in.”
This could also help usher in stricter regulations in the US and across the world, as Vaccaro points out digital regulations developed in the EU and UK often pave the way for US frameworks, offering greater consumer protections and encouraging data privacy laws, like those seen with the EU’s GDPR and California’s CCPA.
“Important regulations that got their start in Europe that then now have carried over to others as we think about data sovereignty, data privacy, and others,” he notes. “And they take different forms and different names, but at the underpinning, they’re all trying to achieve similar objectives.”
“I think what’s helpful with DORA is how explicitly it calls out the need to be able to increase the resiliency within your business, and that extends beyond just your perimeter but all of the critical dependencies that you rely upon.”