How Gen-AI Helps Understand DORA and CrowdStrike
The financial services industry faces serious challenges with data consolidation, process scalability, and reliance on manual methods for vulnerability management. The Digital Operational Resilience Act (DORA) requires financial entities operating in the European Union (EU) to comply with new regulations starting January 17, 2025.
The Primary Data Issues
The attack surface of enterprises has diversified, requiring specific tools for securing code, cloud, and the ‘internet of things’, leading to challenges in consolidating vulnerability data.
Companies face challenges in scaling alongside the expanding attack surface, necessitating the empowerment of stakeholders and process optimization.
The industry struggles with a lack of consolidated vulnerability information, manual processes, and reliance on basic security practices.
There are issues with the timely mitigation of vulnerabilities due to a lack of trustworthy vulnerability information and reliance on manual tracking methods like spreadsheets.
Strategies to address these challenges include prioritizing top vulnerabilities, leveraging threat intelligence, and focusing on risks unique to the business.
Here are the ten things that you need to know about DORA:
- ICT Risk Management Framework:
- Banks must implement a comprehensive ICT risk management framework in their overall risk management system.
- This framework should include policies, procedures, and tools for managing ICT risks.
- Business Continuity:
- Banks need to develop and maintain an ICT business continuity policy.
- They must test their business continuity plans at least once a year or after any major changes.
- Tests should verify the ability to sustain operations until critical functions are restored.
- Incident Response and Recovery:
- Banks must implement ICT response and recovery plans.
- These plans should be tested regularly.
- Data Management and Reporting:
- Banks are required to maintain a register of information on all contractual arrangements for ICT services provided by third-party service providers.
- This register must be in a searchable electronic format.
- The register should include detailed information on contracts, service providers, and the nature of services provided.
- Banks must adhere to data quality principles (accuracy, completeness, consistency, integrity, uniqueness, and validity) in the register.
- Third-Party Risk Management:
- Banks must adopt and regularly review a strategy for ICT third-party risk.
- This strategy should include a policy on the use of ICT services to support critical or important functions provided by third-party service providers.
- Banks must perform risk assessments and due diligence before entering into contractual arrangements with ICT third-party service providers.
- Analytical Requirements:
- Banks must conduct a Business Impact Analysis (BIA) to identify critical or important functions.
- They need to analyze and document test results of business continuity plans and address any identified deficiencies.
- Reporting:
- Banks must prepare a report reviewing their ICT risk management framework and submit it to competent authorities upon request.
- This report should be in a searchable electronic format.
- Access Control:
- Banks need to implement access management and control policies.
- Proportionality:
- The implementation of these requirements should be proportionate to the bank’s size, complexity, and overall risk profile.
These requirements emphasize the need for robust data management practices, analytical capabilities for risk assessment, and comprehensive reporting mechanisms. To comply with these new regulations, banks will need to significantly enhance their data collection, analysis, and reporting capabilities.
Banks must implement measures to protect the confidentiality, integrity, and availability of ICT assets, data, and information.
Are you ready? Microsoft (and CrowdStrike) evidently needs improvement. It can happen to anyone. Don’t wait.
Do you recognise these business problems?
- Have all your information in a spreadsheet(s) or antiquated systems, and/or,
- Your third-party systems have logic and the decisions that are sequential or not entirely understandable
We have the ability to showcase moving from spreadsheets with tools that you understand, and, with decision-making recommendations based on your business workflow. Sign up here to learn more.
About AI infin8
Infin8 offers an innovation lab concept. We provide a ‘fail-fast, fast’ approach. Capabilities are typically presented in 2 – 8 weeks. We offer decades of experience in financial services and solely focus on financial services disruption with AI.
About TextQL
TextQL elevates finance and financial services by providing robust solutions for banks, investment firms, and insurance companies. Our platform leverages AI and data analytics to enhance risk assessment, fraud detection, and customer experience. TextQL aids in optimizing portfolio management, streamlining regulatory compliance, and offering personalized financial advice.
By integrating real-time insights and predictive analytics, financial institutions can make informed decisions, improve operational efficiency, and drive growth. TextQL is committed to advancing the financial sector, enabling businesses to confidently navigate market complexities and deliver superior value to their clients.