
New EU rules aim to protect your money from cyber threats

BRUSSELS — You wake up in the morning to the news that your bank has been hacked. It’s failing. What do you do?
Like most of the bank’s other customers, you rush to withdraw your savings and look for somewhere safe to put them — only to find that multiple other banks are in the same situation. 
Across the world, the pattern is repeating. The services of multiple payment companies are down, meaning you can’t make transactions with your card or app. Investment firms are seeing their clients pull their funds out at the same rapid pace. Parts of global trading desks go dark as entire sections of financial markets go offline. The losses for most big firms are in the billions.
According to experts, a scenario as disastrous as this is ever more likely as the financial world intertwines with technology and hackers become more sophisticated.
The world got a small preview of the potential disaster to come when cybersecurity firm CrowdStrike rolled out a flawed software update this July, sparking a global technology meltdown that knocked out airlines, media, and some financial services. The blunder impacted around 25 percent of Fortune 500 companies, costing them an estimated $5.4 billion in losses.
Now Brussels is trying to make sure a repeat of the above, or worse, never comes about with new rules that aim to force finance firms to know more about their technology service providers. It also wants to stress test such providers to check if they’re ready to jump into action if a hack or outage does happen.
The rules, known as the Digital Operational Resilience Act, or DORA, take effect in January, and EU lawmakers are hopeful that the finance sector will then be better shielded.
“DORA is not the silver bullet against outages like this, but will ensure our financial services are resilient enough and prepared enough to avoid or mitigate the impacts,” Billy Kelleher, the European Parliament member who led work on the DORA law, said.  
But, he conceded, it is “unlikely” that DORA could have prevented the CrowdStrike outage, even if it could “certainly have mitigated the impact on the financial services sector.”
And regulatory probes already show some cause for concern. The European Central Bank announced the results of its latest stress test of 109 major EU banks just a week after the July outage. After testing the lenders’ ability to keep operations running after a major hack, the ECB alluded to “areas for improvement,” without going into many details.
It could be that the supervisor didn’t want to draw attention to specific vulnerabilities — or it could be that the results were worse than expected. 
Growing global digitalization, technological advancements such as the rise in AI, and heightened geopolitical tensions all play into the risks, according to Mahvash Saeed Qureshi, assistant director in the IMF’s monetary and capital markets department. For finance specifically, firms are increasingly interconnected and reliant on third-party providers for operations such as cloud storage services. 
Cloud services are dominated by a few firms, with the top four providers holding a 65 percent market share, heightening concerns that risks are concentrated in one area.
“The risks faced by financial services providers are similar to other sectors,” Seán Doyle, who leads a cybercrime initiative at the World Economic Forum’s Centre for Cybersecurity, said. “What is different is the extent to which companies are enmeshed in each other’s supply chains and dependent on shared infrastructure such as payments and clearing services.”  
Experts believe that cyber-attacks, tech crashes, or other disasters are likely to occur more frequently and that the losses caused by an event would be far greater than in the past. 
According to an International Monetary Fund report on global cyber risks, an “extreme loss” for a finance firm due to a cyber incident would have been around $285 million back in 2017, but by 2021, that figure had jumped to $2.24 billion. And according to the same report, a major cyber incident resulting in an extreme loss of $2.5 billion is likely to occur once every 10 years.
But despite experts’ best efforts to map the risks banks and other finance firms could face, they have an uphill struggle to gather enough information on the risks, whether because firms delay reporting cyber incidents, or because long-term losses from an incident only become known over time and are hard to measure, meaning losses can be under-reported.
“We are in a different world,” Qureshi said. “The threat landscape has changed significantly. The lack of good data availability on cyber has been a real impediment to do good analysis on it over the years.”
It’s a “major risk” that “banks and financial institutions at large lose track of their ICT resources,” which can be “so complex that senior management doesn’t quite control all the resources and doesn’t have great visibility in all of these threat sectors and risk factors,” the European Commission’s Peter Kerstens, an advisor on technological innovation, digital transformation and cybersecurity at the European Commission’s financial services department, told a POLITICO event on Oct. 2.  
DORA aims to map “how operational resilience and risk is governed,” Gerry Cross, director of financial regulation, policy and risk at Ireland’s central bank, told the same POLITICO event on Oct. 2. Cross flagged two important factors in the finance sector’s ability to withstand more frequent cyber incidents — “identification, information and speed of response” as well as managing “connectivity and concentration risk.”
The rules cover banks’ and other finance firms’ management of IT risks, how they report any IT-related incidents, and how they manage and test risks from third-party providers like cloud storage providers.
The EU is taking the new step of including non-finance firms in the rules. While the DORA regime is a mixture of new and old — in some areas making a patchwork of national rules more cohesive, in others introducing new requirements — the cornerstone of the legislation is its new “oversight regime” for IT providers. 
EU authorities won’t fully supervise tech firms, but they will be able to demand information, conduct investigations and inspections, impose penalties and issue recommendations to major providers of IT services if they are considered “critical” to finance firms’ operations. 
“It could be new for many of the [IT service] providers to be under the scrutiny of regulators. This is absolutely new in DORA,” IBM Cloud’s Juliette Macret said at the POLITICO event.
“If you’re a financial firm and you are outsourcing ICT activities, they are still ultimately your activities… Ultimately, you are responsible for what’s happening here. The buck stops [with you],” Cross said.
Financial institutions acknowledge the growing risks and need to future-proof the environment. But the new rules cannot be a “ticking-the-box exercise,” said Jean Pierre Salendres, of markets lobby group FIA. He added that major finance players “truly need to understand” that cyber incidents “can lead to severe consequences for their business models” and respond with serious investment in cyber security.
According to Kerstens, cyber incidents are inevitable: “It’s not about a 100 percent compliance rate, it’s about a mindset shift in the ecosystem,” he said. “The idea that security or resilience is about preventing a hack is false. You have to assume that hacks and bad things are going to happen. How do you deal with them?”
The IMF’s report recommends stronger reporting of cyber incidents to supervisors, and for senior leadership of the firms to be held accountable for managing cyber resilience, as well as more developed crisis-management plans in case major events occur.  
In the EU, that will take major investment into shoring up finance’s IT resilience. ECB board member Anneli Tuominen said banks need to “prioritize cyber resilience and integrate it into their core business strategies.”
But while banks will have to shell out to ensure they’ve got the systems in place to protect themselves against such cyber incidents, the cost would pale in comparison to the IMF’s predicted $2.5 billion price tag of a major event.
As cybercrime expert Doyle said, “finance will always be an attractive target for cybercriminals because that is where the money is kept.”
