Third-party IT consultants can help mitigate risk and ensure compliance
Rob Batters, Director of Managed and Technical Services, Northdoor plc
Achieving operational resilience and compliance in 2023 has been inherently challenging for many organisations given the increasing complexity of IT processes, technology infrastructure, cybersecurity, talent and budget shortages, organisational silos and ever-changing compliance regulations. Also, we have found that just because regulations exist, it doesn’t mean that organisations have the budget, technical expertise or in-house knowledge to deliver against them completely.
To achieve operational resilience and compliance organisations need to understand how all areas of their operations (technology, data, third-parties, facilities, operations, and people) impact critical service delivery and to build a consistent set of cybersecurity resilience capabilities and controls across these areas.
Issues that will impact organisations in 2024:
In 2024, operational resilience will inarguably receive the same focus that GDPR did a few years ago. The Digital Operational Resilience Act (DORA) and the Network and Information Systems Directive 2022 (NIS2) are two distinct and differing pieces of European cybersecurity legislation that will impact organisations in 2024 and beyond.
NIS2 focuses on supply-chain security: its goal is to ensure that operators of essential services (such as energy, transport, health, and banking) and digital service providers (such as search engines and cloud services) implement appropriate and proportional security measures and notify the authorities of serious incidents. The directive aims to increase the level of cybersecurity in the EU and to ensure a common level of security for networks and information systems. NIS2 came into force in January this year, and Member States have until October 2024 to transpose the NIS2 Directive into applicable national law. This deadline is crucial for businesses, as failure to comply can result in severe consequences such as financial penalties and reputational damage.
Under NIS2, authorities in Member States will have the ability to impose significant fines in the event of non-compliance. For essential entities, fines with a maximum of at least €10 million or 2% of worldwide annual turnover can be imposed. For important entities, fines with a maximum of at least €7 million or 1.4% of worldwide annual turnover can be applied.
The impact of DORA:
The second piece of legislation running alongside NIS2 is DORA. Its main objective is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The EU deems this necessary because of the growing risk to Information and Communication Technology (ICT) related services, which are increasingly vulnerable to disruptions and cyberattacks.
DORA also ensures continuity of critical services so that incidents like the 2018 TSB debacle cannot be repeated. TSB paid out £48 million to the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) plus £33 million to compensate more than five million customers when an IT migration left them locked out of their accounts.
DORA addresses five topics aimed at enhancing the resilience of financial entities. These are: ICT risk management, ICT-related cyber incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing.
DORA came into force at the beginning of 2023, and the regulatory and technical standards will be developed by the European Supervisory Authorities (ESAs). The ESAs will implement the standards, and by the beginning of 2025 the DORA requirements will be enforceable, with all financial companies expected to be compliant with the regulation by January 2025.
UK companies cannot avoid DORA or NIS2:
DORA and NIS2's reach extends to any enterprise offering services that are considered critical to supply chains supporting the European financial sector (in the case of DORA) or the EU's essential and important services (in the case of NIS2). This applies regardless of whether that enterprise or service is based inside the EU. It is also highly likely that DORA and NIS2 will be made into UK-specific laws, so there is little point in waiting until this happens before becoming compliant.
Legacy systems can impede compliance:
As technology progresses, support for older systems dwindles as developers and manufacturers prioritise newer systems, gradually making patches and updates scarce, if not non-existent, for legacy ones. This absence of continual updates means vulnerabilities in older software and hardware remain unaddressed, making them prime targets for cyberattacks.
Also, as the employees who maintain legacy systems retire, younger employees are less likely to want, or to be offered, training on legacy systems, creating a skills gap and a further cybersecurity risk. Modern cybersecurity tools often struggle to integrate with older systems. Legacy systems may lack the functionality needed to accommodate advanced security measures, leaving gaps in the defence framework.
With a typical compliance process (including security assessments, auditing, consulting and tool implementation) taking at least 12 months, companies need to start working now to ensure that they are compliant in good time.
Operational resilience through automation and AI in 2024:
According to IBM Security's 2023 Cost of a Data Breach study, the most significant single factor in reducing the time to identify a breach and the cost to remediate it is AI and automation. The report states that UK organisations pay an average of £3.4 million for data breach incidents, but that those who use AI and automation spend around £1.6 million less. With IT environments becoming increasingly complex for IT and security teams to manage, the implementation and management of AI-powered and automated solutions that give a 360-degree, real-time view of supply chains can have a real impact on an organisation's ability to achieve operational resilience and compliance.
To ensure adherence, turning to third-party IT and cybersecurity consultants will be key in 2024. This takes the pressure off in-house teams and fills any skills gaps. Third-party IT consultants can examine the detail of the regulations and establish how far-reaching they are for your organisation. They can then define the scope of the project within the context of the risks you are likely to face as a business. Critical to compliance with the DORA and NIS2 regulations, third-party IT consultants will be able to ensure you have a multi-layered cybersecurity response in place to mitigate day-to-day operational risks.
There is no one-size-fits-all approach to being DORA and NIS2 compliant, but by turning to IT consultants, organisations can ensure a clear operational resilience and compliance strategy is in place. Starting your preparations now will ensure you are one step ahead in 2024.