The team at William Fry take a closer look at upcoming cybersecurity regulations and what they mean for the financial sector.
Cyberattacks continue to cause problems for companies in every sector, from tech companies to critical infrastructure.
If personal data is affected by a cyberattack, companies must notify the relevant data protection authority and inform those affected under the GDPR. These obligations are widening further under the NIS2 Directive and the Digital Operational Resilience Act (DORA).
So, what does all this mean for the financial sector, which holds highly valuable personal data and has a reputation for lagging behind when it comes to technology adoption?
Claire O’Connor, a senior associate in the technology department of William Fry, says the evolution of cybersecurity laws has forced the financial sector to significantly enhance its capabilities in this space.
“The Central Bank of Ireland published a guidance paper in 2016 outlining its expectations on IT and cybersecurity governance, focusing on risk management and resource allocation. The GDPR has been in effect since 2018 and imposes strict data protection requirements for personal data,” she said.
“DORA will come into effect on 17 January 2025 and further mandates that financial entities in scope implement comprehensive ICT risk management standards, ensuring preparedness against cyberthreats.”
Despite these advancements, O’Connor said challenges remain, especially with the continuous need to adapt and the ongoing training and awareness needed.
“Overall, while Ireland’s financial sector’s ability to handle cybersecurity threats is improving through improved systems and procedures as well as these legal and regulatory obligations, ongoing vigilance is essential to sustain resilience in a constantly changing landscape,” she said.
“In our experience, organisations are finding it increasingly difficult to hire individuals with the skillsets they need in terms of IT and cybersecurity.”
The impact of DORA
With DORA coming into effect in January 2025, the financial services sector must raise its standards significantly. Conor Forde, an associate at William Fry, said the current third-party framework consists mainly of regulatory guidelines from the Central Bank of Ireland and the European supervisory authorities.
“While non-compliance with such guidelines would cause difficulty in ensuring resilience and mitigating outsourcing risks, such guidelines are not generally mandatory law,” he said.
This differs from DORA, which is a sector-specific legislation that covers a wide range of financial entities and mandates that they implement robust ICT risk management frameworks.
“The DORA regulation also introduces strict incident reporting obligations, compelling financial entities to report significant ICT-related incidents to national authorities, which fosters greater transparency and quicker regulatory responses,” said Forde. “By aligning with existing regulations like the GDPR and the NIS2 Directive, DORA creates a cohesive framework for cybersecurity across the financial sector.”
For financial entities and third-party ICT service providers, this means putting in place comprehensive contractual arrangements that align with DORA’s requirements, including service level agreements, requirements around subcontracting, security standards, audit and incident reporting protocols.
“This complexity can be particularly daunting for smaller providers, who may lack the financial and human resources to facilitate these requirements,” said John O’Connor, a partner at William Fry. “It is therefore essential for financial entities to engage with their third-party ICT service providers without delay ahead of the 17 January 2025 deadline.”
Forde added that while some of DORA’s requirements may be familiar to financial entities that have had to comply with regulations such as the Central Bank of Ireland cross-industry guidance on outsourcing, and the European Banking Authority guidelines on outsourcing arrangements, it goes much further in its contractual provisions.
“Notably, DORA also introduces the requirement to include mandatory contractual provisions for ICT services which do not support critical or important functions, which is a novel aspect of the regulation,” said Forde.
“DORA enhances existing standards by mandating a more structured approach to third-party risk management.”
O’Connor said that DORA provides a comprehensive framework for managing third-party ICT risks in the financial sector.
“By focusing on third-party risk management, DORA not only protects individual institutions but also enhances the stability of the entire financial ecosystem,” he said.
“This holistic approach represents a significant evolution in regulatory expectations, compelling financial entities to prioritise operational resilience and cybersecurity in their dealings with third-party services, ultimately seeking to enable a more secure financial services environment.”