19 November 2024
Lending Focus - November 2024 – 3 of 9 Insights
The rise of digitalisation in financial services offers significant opportunities for modernisation and improved efficiency. However, it comes at a price: it also increases exposure to cyberattacks and creates vulnerabilities that financial institutions must address to protect themselves and their clients. According to the European Union Agency for Cybersecurity (ENISA), the banking and financial sector is the fifth most targeted industry for cyber incidents across Europe, which highlights how critical this problem is for financial service providers.
Cyberattacks on financial institutions can lead to severe consequences which can then affect not only the institutions but also the broader financial system and customer trust. Key risks include:
These and other serious risks are the reason why the European Union is paying increased attention to the protection of the digital systems on which the normal day-to-day operations of all financial entities depend.
The Regulation on digital operational resilience for the financial sector (DORA) is considered to be one of the most significant regulatory initiatives in the European Union. Although DORA formally entered into force in January 2023, its requirements only become applicable on 17 January 2025, and the institutions in scope must have all necessary measures in place by that date. Moreover, the Regulation considerably increases the responsibility of financial institutions in the area of cybersecurity, with accountability resting on the management body and senior management of the companies concerned.
The new obligations under DORA will, above all, require a change in approach by the governing bodies of the financial institutions concerned: these will be tasked with establishing and approving a digital operational resilience strategy that strengthens the institution's resistance to rapidly evolving digital threats and minimises the vulnerability of its business model.
DORA also establishes the first EU-level framework that enables regulatory authorities to oversee critical third-party providers of information and communication technology (ICT) services, including cloud service providers. The supervisory authorities' rights under DORA will be broad in scope and will include, for example:
The scope of the Regulation is broad. DORA applies to a wide range of financial entities, including not only traditional financial service providers such as credit institutions, investment firms and insurance companies, but also crypto-asset service providers, crowdfunding service providers and others. It is also worth noting that the principle of proportionality applies to the relevant rules under DORA, which should ensure an individual approach to each supervised entity. Consequently, small financial institutions with a low risk profile and low complexity of services should be subject to less stringent requirements and oversight.
The Czech National Bank (CNB) has decided to focus on this matter and join other European countries in adopting the TIBER-EU framework (Threat Intelligence-based Ethical Red Teaming) to improve cybersecurity in the financial sector. TIBER-EU, developed by the European Central Bank (ECB), is a framework for threat intelligence-led red team testing designed specifically for financial entities. Rather than a conventional penetration test, it prescribes a controlled simulation of a real-world attack on an institution's live critical systems, based on threat intelligence about the adversaries most likely to target that institution, so that resilience is tested under authentic conditions. By adopting TIBER-EU, the CNB sends a clear message to financial institutions operating in the Czech Republic that it is ready to exercise its supervisory authority in the area of cybersecurity.
The decision to join TIBER-EU gives the CNB access to the latest cybersecurity techniques and guidelines developed under the framework. As a result, the CNB will be better able to monitor and enforce cybersecurity standards within the Czech financial sector. By joining TIBER-EU, the CNB aims to ensure that banks and other financial institutions are adequately prepared to prevent, detect and respond to cyberthreats, contributing to a more resilient financial environment in the Czech Republic.
DORA and TIBER-EU will introduce a number of new requirements and obligations for relevant financial institutions that are supervised by the CNB. This will include in particular:
Joining TIBER-EU will undoubtedly place higher demands on the cybersecurity capabilities of Czech financial institutions, as it requires a proactive and rigorous approach to security rather than a purely compliance-driven one. The two initiatives are closely linked: DORA itself requires financial entities identified by their competent authority to undergo threat-led penetration testing (TLPT) at least every three years, and the technical standards for TLPT are to be developed in line with the TIBER-EU framework. This initiative therefore further strengthens the CNB's supervisory powers. In this way, the CNB expects to increase the digital resilience of the Czech financial sector and strengthen public confidence in the security and stability of banking and financial services.
As the date of application of DORA approaches, affected financial institutions have only a few weeks left to prepare for this important new regulation. DORA introduces a series of new compliance standards that demand early planning, as adapting to these changes will require time, resources and specialised support. By allocating the right resources and preparing ahead, including preparation for testing frameworks such as TIBER-EU, institutions can position themselves to meet DORA's standards effectively and strengthen their resilience against future risks.
To discuss the issues raised in this article in more detail, please contact a member of our Banking and Finance team in Prague.