DORA’s influence on EU finance: SecurityScorecard found 18% of firms with “C” or worse cybersecurity ratings unprepared for the January 2025 deadline.
The Digital Operational Resilience Act (DORA) was published in the Official Journal of the European Union in late 2022 as a measure to improve the overall digital operational resilience of the EU financial industry. In its most recent study, SecurityScorecard, a cybersecurity company, has shown that nearly one in five (18%) organizations have a cybersecurity rating of “C” or lower as they prepare for DORA’s January 2025 deadline.
Cybersecurity rules are increasing the need for comprehensive measures to manage vendor risk and assure compliance in the aftermath of attacks like MOVEit and SolarWinds. In its report, DORA and Cyber Risk: A New Framework for Third-Party Risk in the European Union, SecurityScorecard shows that many organizations’ cybersecurity standards are subpar. In fact, 78% of respondents reported a third-party data breach in the previous year.
The report also demonstrates the importance of visibility throughout the full ecosystem of third- and fourth-party providers. More than eight out of ten (84%) companies were compromised through a fourth party. This demonstrates not only how threats can stay hidden from view deep in the supply chain, but also how institutions are currently unable to monitor and assess that risk.
Only 3% of the third-party vendors themselves had security breaches. This emphasizes the enormous butterfly effect that attackers are only now beginning to exploit: a single supply chain attack has an outsized influence on the threat landscape, because cybercriminals use it to potentially gain access to every business that relies on the compromised software. Software must therefore be protected from compromise at all costs.
An inadequate grade
Surprisingly, 18% of businesses receive only a “C” or lower for cybersecurity. A company with a “C” rating has a four to seven times higher risk of experiencing a breach than one with an “A,” according to SecurityScorecard. Seven variables that influence cyber risk and potentially foretell a breach include:
- Endpoint security
- Patching cadence
- Ransomware score
- DNS security
- IP reputation
- Cubit score
- Network security
According to Matthew McKenna, chief sales officer of SecurityScorecard, “if nearly 20% of the most well-resourced financial entities in the EU have grades of C or worse, then it’s likely that the overall cyber resilience for other financial entities is actually much lower.” Financial institutions require a reliable assessment of security risk. To significantly lower the danger of a compromise, SecurityScorecard dynamically identifies risk across a customer’s attack surface, including their third- and fourth-party ecosystem.
Cyber risk across financial industry sectors
According to the survey, retail banks are the most vulnerable to a cyber attack. In fact, 82% of respondents reported a third-party breach in the previous year. Meanwhile, 8% experienced a breach on their own domain.
Insurance companies, however, have the lowest security ratings: 78% reported a third- or fourth-party intrusion, and 24% had security ratings of “C” or below. Private equity businesses, on the other hand, are the organizations that prioritize cybersecurity the most. None of the respondents had any breaches on their own domains, and they received the highest grades overall, with only 9% rated “C” or worse.
Effects of DORA on third-party risk control
A key component of DORA, and of the EU’s approach to digital cyber risk in general, is managing third-party risk. DORA requires financial institutions to identify and evaluate all third-party risks. This encompasses not only risks to the financial entity’s capacity to continue operating in the event of a third-party incident, but also threats to the confidentiality, integrity, and availability of data and systems.
According to Dan Morgan, senior government affairs director, Europe & APAC, SecurityScorecard, “Who financial entities choose to trust and how they sustain that trust are essential factors for the resilience of the EU’s financial services sector. Financial institutions must adopt an objective, standardized measurement for third-party cyber risk in order to inform regulatory decisions, reduce cyber incidents, and comply with regulations, such as DORA in the EU.”