As international technology giants deliver the latest in cloud, data analytics, and customer experience capabilities to European financial services firms, the systems are not always meeting Europe’s strict data protection and cyber security requirements. Meanwhile, threat actors are taking advantage of vulnerabilities and poorly managed identities, with the goal of disrupting a company’s operations, stealing money or data, or even holding the company to ransom. These attacks not only impact the business, but its customers, stakeholders, and the broader financial market.
Identity-based cyberattacks that focus primarily on compromised user credentials to access systems and data are a common method used by cyber criminals, as they know that identities are the best way to gain control over the IT environment. A recent study found that across 2021-22, 78 per cent of enterprises cited that identity-based breaches had a direct impact on business operations.
In response to these new risks, the European Commission (EC) has set out to raise Information and Communications Technology (ICT) resilience standards in the financial services sector. It has released a new EU regulation, the Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA). While DORA is designed for EU businesses, UK and other international businesses with operations in the EU will benefit from aligning with its requirements.
We believe that a core concept for meeting the expectations set out in DORA is robust Identity Access Management (IAM), a framework of processes, policies, and technologies. In our experience, there are several key areas in which IAM can address the scope of DORA while helping to protect the business, its customers, and the market.
The scope of DORA
DORA is part of the EC’s plan to support innovation in digital financial services, and to ensure customers gain from the advances available, while appropriately mitigating risks. The aim is to unify the EU regulatory landscape, heighten data security, and enhance operational resilience for financial services organisations. These are important goals, as the Centre for Strategic and International Studies expects that by 2025, damages from global cybercrimes will reach close to US$1 trillion annually (“The Hidden Costs of Cybercrime,” The Center for Strategic and International Studies, December 9, 2020).
DORA applies not just to banks, but to credit institutions, payments providers, insurance companies, investment firms, fund managers, pension funds, crypto-asset services, IT third-party services, crowdfunding services, and more. The regulation focuses on strengthening procedures in five areas: ICT risk management, ICT incident reporting, digital operations resilience testing, ICT third-party risk, and information intelligence sharing within the financial services sector.
How IAM helps with DORA compliance
To comply with DORA, financial organisations will be required to define, approve, oversee, and be accountable for the implementation of all arrangements related to DORA’s risk-management framework. This is where IAM plays a critical role.
IAM is a security discipline embedded into critical business processes to ensure that only the right people have access to the right information at the right time. IAM can be set up for employees, customers (often referred to as Customer Identity Access Management or CIAM), and for suppliers. This access management can be done at a departmental level, and importantly, at an individual role level. This means people are only able to access data and make changes to a system in ways that are crucial to their job.
Five areas of focus
Across the five areas of DORA’s scope, IAM can help in important ways. These include:
- ICT risk management
DORA expects firms to adopt ICT governance and control frameworks, including an IT risk management framework that is documented and reviewed at least annually. IAM assists because it brings comprehensive oversight to all levels of access to systems across an organisation. IAM supports multi-factor authentication before anyone can access a system, so it is clear who is accessing what information and when. IAM can also evaluate, based on specific variables such as the identities of those trying to access data, whether a high-risk access attempt is underway. If so, additional controls can be triggered automatically to re-verify the user or block their access.
In another benefit for risk management, IAM helps to manage the lifecycle of an employee and their system access. For example, an employee may join a company in one role, get promoted, then leave the company. At every step, IAM can ensure that the right access is available and, importantly, closed off. This prevents ‘access creep’, or disgruntled ex-employees retaining access and using it in unlawful ways.
- ICT-related incident reporting
Key to DORA is the requirement for prompt logging of any ICT security incidents, as well as reporting of major incidents to appropriate authorities using common templates and procedures. IAM makes it easier to see what was done, who did it, and where it happened in the system. IAM can also help to define who has reporting obligations and to which regulatory authorities.
Using strong IAM frameworks and systems can allow organisations to quickly surface incident data on the number of users affected, the duration, the geographical spread, the extent of the disruption, and the extent of the impact on economic and societal activities. This is all critical in times of urgency following an incident.
- ICT third-party risk management
A challenging aspect of DORA is the need to have secure ICT systems beyond the boundaries of the organisation itself and into its third-party suppliers. DORA expects monitoring of third-party contractual arrangements, and that the European Supervisory Authorities can have oversight of critical ICT third-party service providers. This is an important requirement, as supply chains increasingly bring risk into ICT systems, for example through outsourced support functions and increased collaboration with industry partners. This means that countless people outside the core business may be able to access its systems, often unnecessarily. IAM can assist by defining access rights beyond the organisation itself, reaching into the suppliers and partners that provide critical services.
Enhancing access and identity visibility of third-, fourth- and nth-party suppliers is critical in today's software- and data-centric world. The interconnected nature of supply chains is core to many financial services organisations, and this often leaves them even more exposed to attacks and vulnerabilities. The most mature organisations use IAM controls to remain constantly alert to potential supply chain issues and the security challenges third-party services can bring to their organisations.
- Information sharing
DORA encourages voluntary sharing of cyber threat information with other financial organisations, with the aim of building greater resilience across the whole industry. This information could include threat tactics, techniques, and indicators of compromise. When the potential for a threat is shared, IAM can be quickly leveraged to securely help reduce the threat. Additionally, protecting this critical information through strong role-based access controls is critical to keeping sensitive threat or compromise information protected.
IAM systems can continuously monitor data, identities, and permissions, providing visibility into what sensitive information has been intentionally or unintentionally shared. Some organisations have enabled automatic alerts on abnormal behaviours outside an ‘identity perimeter’. Robust IAM processes can therefore provide a better understanding of where information has been shared and can improve risk management.
- Digital operational resilience testing
DORA expects organisations to perform annual resilience tests, alongside advanced threat-led penetration tests at least every 3 years. Therefore, while organisations perform penetration and disaster recovery testing, IAM can help identify, and support the remediation of, toxic combinations of access and overprivileged accounts.
Equally, testing the IAM systems themselves is key to ensuring that the processes and controls are performing as they should. This includes checking that administration procedures are in place and functioning. It requires validating that application access provisioning requirements are met, how application terminations are processed, that user access reviews are performed regularly, and that application profiles and permissions are correct.
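The joiner/mover/leaver lifecycle described under ICT risk management, and the detection of toxic combinations of access and out-of-role grants that an access review under resilience testing should surface, can both be expressed in a small model. The following Python is an added illustration and is not code from KPMG or from any IAM product; the role names, entitlements and separation-of-duties rules are constructed for the example, and the `access_review` checks are one plausible set of findings rather than any regulator's prescribed list.

```python
"""Illustrative identity lifecycle and access-review model (constructed example)."""
from dataclasses import dataclass, field

# Constructed role-to-entitlement mapping; a real model would come from the organisation.
ROLE_ENTITLEMENTS = {
    "payments_clerk": {"payments:create"},
    "payments_approver": {"payments:approve"},
    "finance_analyst": {"ledger:read"},
}

# Constructed separation-of-duties rules: entitlement sets no single identity may hold together.
TOXIC_COMBINATIONS = [
    ({"payments:create", "payments:approve"}, "create-and-approve payments"),
]


@dataclass
class Identity:
    user_id: str
    roles: set = field(default_factory=set)
    direct_entitlements: set = field(default_factory=set)  # grants made outside the role model
    active: bool = True

    def effective_entitlements(self) -> set:
        """Everything the identity can currently do: nothing once deactivated."""
        if not self.active:
            return set()
        ents = set(self.direct_entitlements)
        for role in self.roles:
            ents |= ROLE_ENTITLEMENTS.get(role, set())
        return ents


class Directory:
    def __init__(self):
        self.identities = {}
        self.audit_log = []  # who did what and when is the evidence base for incident reporting

    def _log(self, event, user_id, detail):
        self.audit_log.append({"event": event, "user": user_id, "detail": detail})

    def joiner(self, user_id, role):
        ident = Identity(user_id, roles={role})
        self.identities[user_id] = ident
        self._log("joiner", user_id, role)
        return ident

    def mover(self, user_id, new_role):
        # Replacing the role set, rather than adding to it, is what prevents access creep.
        ident = self.identities[user_id]
        old_roles = sorted(ident.roles)
        ident.roles = {new_role}
        self._log("mover", user_id, f"{old_roles} -> {new_role}")
        return ident

    def grant_direct(self, user_id, entitlement):
        # Ad-hoc grants are permitted here only so the review can flag them.
        self.identities[user_id].direct_entitlements.add(entitlement)
        self._log("direct_grant", user_id, entitlement)

    def leaver(self, user_id):
        ident = self.identities[user_id]
        ident.active = False
        ident.roles.clear()
        ident.direct_entitlements.clear()
        self._log("leaver", user_id, "all access revoked")
        return ident

    def access_review(self):
        """Return (user, finding_type, detail) tuples for a periodic user access review."""
        findings = []
        for ident in self.identities.values():
            ents = ident.effective_entitlements()
            for combo, label in TOXIC_COMBINATIONS:
                if combo <= ents:
                    findings.append((ident.user_id, "toxic_combination", label))
            if ident.active and ident.direct_entitlements:
                findings.append((ident.user_id, "out_of_role_grant", sorted(ident.direct_entitlements)))
            if not ident.active and (ident.roles or ident.direct_entitlements):
                findings.append((ident.user_id, "residual_access_after_leaver", sorted(ident.roles)))
        return findings


def demo() -> Directory:
    """Constructed scenario: a promotion, an ad-hoc grant, and a departure."""
    d = Directory()
    d.joiner("alice", "payments_clerk")
    d.mover("alice", "payments_approver")      # promoted: clerk entitlements removed
    d.joiner("bob", "payments_clerk")
    d.grant_direct("bob", "payments:approve")  # creates a toxic combination
    d.joiner("carol", "finance_analyst")
    d.leaver("carol")                          # all access closed off
    return d


if __name__ == "__main__":
    for finding in demo().access_review():
        print(finding)
```

Running the block prints two findings, both for `bob`: the toxic create-and-approve combination and the out-of-role grant that caused it. `alice` is clean because the mover step replaced her clerk role rather than stacking the approver role on top of it, and `carol` holds nothing after the leaver step, which is the behaviour an access review should confirm.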
Set for DORA success
As organisations increasingly use Software-as-a-Service and move workloads and infrastructure to the cloud, the IT estate and identity landscape become highly complex. To comply with DORA and other modern privacy regulations, businesses need complete visibility into how and where human and machine identities access protected data. Thanks to DORA, ICT resilience is firmly on the agenda of EU financial services organisations, and IAM is a core discipline for supporting compliance.
At KPMG, our professionals are here to help with both understanding the new requirements of DORA, and how to implement IAM to meet the requirements. We can help build an IAM strategy and operating model development, identity analytics, identity lifecycle management, access governance, and more. Most importantly, we help instil ICT resilience to support the business, customers, and the financial market.