As international technology giants deliver the latest cloud, data analytics, and customer experience capabilities to European financial services firms, those systems do not always meet Europe’s strict data protection and cyber security requirements. Meanwhile, threat actors are exploiting vulnerabilities and poorly managed identities with the goal of disrupting a company’s operations, stealing money or data, or holding the company to ransom. These attacks affect not only the business but also its customers, stakeholders, and the broader financial market.
Identity-based cyberattacks, which rely primarily on compromised user credentials to access systems and data, are a common method used by cyber criminals, who know that identities are the most effective way to gain control over an IT environment. A recent study found that across 2021-22, 78 per cent of enterprises reported that identity-based breaches had a direct impact on business operations.
In response to these new risks, the European Commission (EC) has set out to raise Information and Communications Technology (ICT) resilience standards in the financial services sector. It has released a new EU regulation – the Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA). While DORA is designed for EU businesses, UK and other international businesses with operations in the EU will benefit from aligning with its requirements.
We believe that a core element of meeting the expectations set out in DORA is robust Identity and Access Management (IAM) – a framework of processes, policies, and technologies. In our experience, there are several key areas in which IAM can help meet the scope of DORA while protecting the business, its customers, and the market.