Ensure enhanced operational resilience

Ensure your business will have the processes and technology in place when the legislation comes into force in 2024.

Preparing for compliance to new cybersecurity regulations needs time, effort and investment.

17 October 2024

NIS2 (The Network and Information Security Directive)

Cyberattacks that are designed to destroy, steal or otherwise compromise your valuable data – including your backups – are increasing in frequency and cost. Protecting your critical data and recovering it with assured integrity is key to resuming normal business operations post-attack – and the sooner you act, the better.

Which organisations will be affected?

DORA

Banks and financial institutions, including third parties that provide information and communication technology (ICT) services to banks, such as cloud platforms, data analytics services, and solutions from other IT partners and providers. Banks must ensure their own compliance with DORA and also take steps to verify the DORA compliance of any provider that handles digital financial data.

FCA CP19/32

Building Operational Resilience affects UK banks, building societies, Prudential Regulation Authority (PRA) designated investment firms, Solvency II firms, Recognised Investment Exchanges (RIEs), Enhanced scope Senior Managers & Certification Regime (SM&CR) firms and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) and/or the Electronic Money Regulations 2011 (EMRs 2011).

NIS 2

Any organisation with over 50 employees and an annual turnover of €10M+, as well as any organisation included in the original NIS Directive. Scope is also increased to include the electronic communications and digital services industries. While the legislation applies to the EU primarily, UK businesses need to prepare for the likely implementation of either the NIS 2 requirement, or a UK modified version.

What are organisations required to do?

NIS 2 Requirements
  • Risk assessment and management
  • Incident reporting
  • Incident response
  • Communication and cooperation
  • Security awareness and training
  • Supply chain security
  • Resilience
DORA Requirements
  • ICT risk management and governance
  • ICT incident classification and reporting
  • Digital operational resilience testing
  • ICT third-party risk management
  • ICT third-party providers oversight framework
FCA CP19/32 Requirements
  • Firms must have performed mapping and testing of their important business services
  • Firms must also have identified any vulnerabilities in their operational resilience

Doing nothing is not an option...

Failure to comply with the new regulations can bring serious consequences.

NIS 2.0 Directive Fines

  • Up to €10 million or 2% of the entity’s global turnover, whichever is higher.
  • In severe cases, up to €20 million or 4% of the entity’s global turnover, whichever is higher.

FCA CP19/32 consequences

  • Failure to comply with the Financial Conduct Authority puts you at risk of fines where there has been a breach of rules or market abuse.
  • The FCA can also withdraw a firm’s authorisation, prohibit individuals from carrying on regulated activities, and suspend firms and individuals from undertaking regulated activities.
  • In addition to fines, disqualification from doing business with other companies, or the resulting reputational damage, could be severe.

DORA Non-Compliance Fines

  • Individuals, not just companies, can be fined, held accountable and potentially receive custodial sentences.
  • For organisations: minimum 2% of average daily worldwide turnover for up to six months, with individual countries able and willing to increase the base rate of fines.

Take the Proact approach to operational resilience.

Proact have a simple seven-step approach that will ensure your organisation will reach compliance before the required deadlines:

1. Preparation

Assess the risks and vulnerabilities to your organisation's data and systems, identify critical assets and data, and determine the recovery objectives and strategies.

2. Backup

Establish a robust backup strategy that includes regular, secure backups of critical data, systems, and applications, both on-site and offline.

3. Detection and Notification

The organisation should have a mechanism to detect any cyber-attack or data breach, and a notification process that involves alerting all necessary stakeholders, including IT and security teams, management and customers.

4. Containment and Recovery

Once the attack has been detected, it is crucial to contain the damage and prevent it from spreading further. This may involve isolating the affected systems, shutting down critical applications and starting the recovery process.

5. Investigation

After the attack has been contained, an investigation should be conducted to determine the cause, scope, and impact of the attack. This will help to identify any additional risks, vulnerabilities, or gaps in the organisation's security and recovery plans.

6. Remediation

The organisation should then implement remediation measures to address any identified weaknesses or gaps, such as implementing new security measures, patching vulnerabilities, or improving staff training and awareness.

7. Recovery

The final step is to restore critical systems and data from the backup and ensure that they are secure and functional. This may involve testing and validating the backup data and systems, as well as conducting additional security testing to ensure that the organisation is fully protected.

Cyber recovery round table exercise

In the event of a cyber incident, it’s critical that your business has the right technology and processes to recover as fast as possible, and that your staff are prepared.
Cyber event management is a collaborative effort across your organisation that IT cannot manage alone; you need to agree expectations of which services IT will perform, and which other business functions need to perform.
Using the NCSC (National Cyber Security Centre) recommended scenarios, we have created our round table exercise to look at your business awareness and technical testing.

A security posture that doesn’t just rely on resilience

No organisation should rely on its operational resilience alone for its security posture; you should look to stop a potential threat from ever reaching your recovery solution in the first instance. That’s secure by design.
At Proact we can fully manage your security posture across 5 core areas. Our two 24/7 Security Operations Centres (SOCs) fill any gaps in resources, skills and technology to provide around-the-clock cyber defence.

  • Managing security risk
  • Protecting against cyber attack
  • Detecting cyber security events
  • Minimising the impact of cyber security incidents

We’ve got your back!

With deadlines fast approaching, Proact can help you plan and execute an optimum, tailored approach to DORA, NIS2 and Operational Resilience compliance.

  • Assess your current position
  • Define and plan what it will take for you to reach compliance
  • Help you implement your plan
  • Routine testing and plan reviews, to ensure it still meets your business needs


The time to act is now to ensure compliance before the deadline. Turn your operational resilience into a competitive advantage.

Contact one of our specialists