How could DORA have changed history?
Gain an understanding of your DORA compliance by taking our DORA Readiness Quiz.
In a few short months (from 17 January 2025), the Digital Operational Resilience Act (DORA) will apply to financial entities operating in the EU. We’ve established what DORA’s all about and how it differs from ISO 27001, but how do we know it’s going to be effective?
Let’s jump into the Cydea time machine and explore how DORA could have prevented or mitigated some of the many, many recent cyber attacks that have impacted the financial sector.
DORA’s primary goal is to enhance operational resilience and it’s structured in five key pillars, so we’ll use these to frame our investigation:
- Risk Management
- Incident Response and Reporting
- Digital Operational Resilience Testing
- Third-Party ICT Provider Risk Management
- Information Sharing
Travelex
Let’s start with the Travelex ransomware attack in late 2019 / early 2020, in which criminal attackers exploited an unpatched vulnerability in the Pulse Secure VPN appliances Travelex relied on, got into its network, and deployed ransomware. The breach, and the accompanying ransom demand of around £4.6M, cost the company heavily in lost revenue and was one of the factors that pushed Travelex into administration in 2020.
Risk Management
The attackers exploited a known vulnerability in the VPN for which the vendor had published a fix months earlier; Travelex had not applied it. The resulting ransomware attack crippled the company’s operations.
- DORA mandates a comprehensive ICT risk management framework, so Travelex’s processes would have been required to identify and prioritise patching of high-risk, internet-facing vulnerabilities like the one exploited, reducing the likelihood of the breach.
Incident Response and Reporting
The attackers had access to Travelex’s network before the ransomware was deployed, and once it was, full recovery took weeks, with extended service disruption. Travelex was also criticised for delays in telling regulators, customers and the public what had actually happened.
- DORA requires entities to have robust incident response plans covering detection, containment and recovery from cyber attacks. It also sets strict reporting timelines for major ICT-related incidents: an initial notification within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of that notification, and a final report within a month. A significant incident such as this would have had to be reported on that clock rather than at the company’s discretion.
Digital Operational Resilience Testing
The attackers encrypted files and forced Travelex to shut down many of its global services, including its online currency exchange platforms, for several weeks.
- DORA requires a programme of digital operational resilience testing, including vulnerability assessments, penetration testing and, for the most significant entities, threat-led penetration testing at least every three years. Testing of this kind could have exposed weaknesses in Travelex’s infrastructure, enabling the company to proactively address gaps such as outdated, internet-facing software and weak backup and recovery arrangements.
Third-Party ICT Provider Risk Management
The vulnerability exploited was in third-party software, the Pulse Secure VPN. Travelex had not applied the vendor’s fix or acted on the public advisories urging customers to patch.
- DORA imposes strict requirements for managing risks from third-party ICT providers, including keeping a register of the ICT services an entity depends on and continuously assessing the risk they carry. A VPN appliance is one such dependency: Travelex would have had to know exactly what it was running, track the vendor’s security advisories, and ensure known vulnerabilities were patched promptly. (The patching itself is Travelex’s own responsibility under the risk management pillar; third-party management is what makes sure the dependency is visible and tracked in the first place.)
Information Sharing
There was limited information sharing and cooperation between Travelex and industry bodies or regulators before and after the attack, which slowed down response efforts and recovery.
- DORA encourages financial entities to take part in threat intelligence sharing arrangements (participation is voluntary under the act, not mandated), which could have helped Travelex stay informed about critical vulnerabilities in widely-used products such as the Pulse Secure VPN. In this case the vulnerability and its fix were already public; the gap was in acting on that information, which is exactly what a sharing arrangement and an internal process for consuming it are meant to close.
In short, DORA’s higher standard of digital operational resilience could have helped Travelex identify and mitigate the vulnerabilities that led to the ransomware attack, ensured quicker incident detection and response, and reduced operational disruption.
Let’s look at another one.
Tesco Bank
The Tesco Bank attack in November 2016 exploited weaknesses in the bank’s debit card issuing and authorisation controls, leading to unauthorised transactions on around 9,000 customer accounts and the theft of £2.26 million.
Risk Management
The attackers exploited weaknesses in Tesco Bank’s debit card authorisation process, most likely using an algorithm that generated valid Tesco Bank PANs (Primary Account Numbers). Because account numbers had been issued sequentially, guessing real card numbers was easy, and the Luhn check digit offers no protection since anyone can compute it. The bank’s authorisation and fraud controls failed to block the resulting transactions.
- Under DORA, Tesco Bank would have been required to conduct regular assessments of its payment systems, identifying weaknesses in the card authorisation process and implementing controls to mitigate these risks before they were exploited.
Incident Response and Reporting
Tesco Bank was slow to detect and respond to the attack, which allowed the fraudulent transactions to continue for approximately 48 hours.
- DORA requires financial entities to have robust plans in place for swift detection, containment, and recovery from cyber incidents. Tesco Bank would have been required to respond more rapidly to unusual account activity, containing the attack sooner and minimising the impact.
Digital Operational Resilience Testing
Weaknesses in the debit card authorisation controls went undetected because of insufficient testing and oversight, and the bank’s fraud detection was too slow to stop the fraudulent transactions once they started.
- Under DORA, Tesco Bank would have been required to conduct resilience testing on its payment systems, which could have revealed the flaws in the debit card authorisation process and improved fraud detection mechanisms.
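The two points above (that sequentially issued PANs are guessable, and that authorisation-side monitoring should catch a probing run) are easy to see in code. The example below is added here and is not code from the original post or from Tesco Bank’s systems: it builds Luhn-valid PANs from consecutive account numbers to show why the check digit is no defence, then runs a simple sliding-window detector over a constructed authorisation stream. The BIN `454321`, the merchant IDs and every event are constructed test data; the thresholds (10-minute window, 20 near-consecutive PANs, gap of 5) are illustrative choices, not figures from the case.

```python
"""Why sequential PANs are guessable, and how an issuer could spot a probing
run in its authorisation stream.

Added example, not from the original post or Tesco Bank's systems. The BIN,
merchant IDs and authorisation events below are constructed test data.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta

ISSUER_BIN = "454321"   # constructed 6-digit BIN, not a real issuer prefix


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial` + digit pass the Luhn check.

    The check digit will occupy the rightmost position, so the rightmost
    digit of `partial` is the first one doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the PAN's last digit is a correct Luhn check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def enumerate_pans(bin6: str, first_account: int, count: int) -> list[str]:
    """Build `count` 16-digit PANs with consecutive 9-digit account numbers.

    This is the whole 'algorithm' an attacker needs if an issuer allocates
    account numbers sequentially: the Luhn digit is a typo check, not a
    secret, so every candidate can be made to pass it.
    """
    pans = []
    for account in range(first_account, first_account + count):
        partial = f"{bin6}{account:09d}"
        pans.append(partial + luhn_check_digit(partial))
    return pans


def _longest_sequential_run(sorted_accounts: list[int], max_gap: int) -> int:
    """Longest run of sorted account numbers whose neighbours are <= max_gap apart."""
    best = run = 1 if sorted_accounts else 0
    for a, b in zip(sorted_accounts, sorted_accounts[1:]):
        run = run + 1 if b - a <= max_gap else 1
        best = max(best, run)
    return best


def flag_sequential_probing(events, window=timedelta(minutes=10),
                            min_pans=20, max_gap=5) -> list[dict]:
    """Flag merchants that present many near-consecutive PANs in a short window.

    `events` is an iterable of (timestamp, pan, merchant_id). Genuine
    customers' account numbers are scattered across the BIN range; an
    enumerator produces a dense, ordered cluster from a single acceptor.
    """
    by_merchant = defaultdict(list)
    for ts, pan, merchant in sorted(events, key=lambda e: e[0]):
        by_merchant[merchant].append((ts, int(pan[6:15])))   # 9-digit account part

    alerts = {}
    for merchant, evs in by_merchant.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            accounts = sorted({acct for _, acct in evs[start:end + 1]})
            run = _longest_sequential_run(accounts, max_gap)
            if run >= min_pans and run > alerts.get(merchant, {}).get("sequential_pans", 0):
                alerts[merchant] = {"merchant": merchant,
                                    "sequential_pans": run,
                                    "window_end": evs[end][0]}
    return list(alerts.values())


def build_sample_events() -> list[tuple]:
    """Constructed authorisation stream: background traffic plus one probing burst."""
    rng = random.Random(2016)
    t0 = datetime(2016, 11, 5, 1, 0)
    events = []
    # Background: 300 genuine customers with scattered account numbers, 6 merchants.
    for i in range(300):
        partial = f"{ISSUER_BIN}{rng.randrange(10**9):09d}"
        pan = partial + luhn_check_digit(partial)
        events.append((t0 + timedelta(seconds=i * 20), pan, f"M-GB-{rng.randrange(6):04d}"))
    # Burst: 40 consecutive PANs tried through one acceptor, one every 5 seconds.
    for j, pan in enumerate(enumerate_pans(ISSUER_BIN, 123456700, 40)):
        events.append((t0 + timedelta(minutes=30, seconds=j * 5), pan, "M-BR-0042"))
    return events


if __name__ == "__main__":
    for alert in flag_sequential_probing(build_sample_events()):
        print(alert)
```

Run stand-alone it reports a single alert for the constructed merchant `M-BR-0042` with a run of 40 near-consecutive PANs and none for the background merchants. The same idea (distinct PANs per acceptor per window, ordered by account number) is the kind of rule a fraud engine can evaluate in real time; the structural fix, of course, is to stop issuing account numbers sequentially in the first place.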
Third-Party ICT Provider Risk Management
In this instance it was weaknesses in Tesco Bank’s internal debit card authorisation and fraud detection systems that allowed the breach to occur.
- If any third-party systems or service providers had been involved, they would have been subject to DORA’s stringent third-party risk management protocols.
Information Sharing
Prior to the attack, there was limited sharing of threat intelligence across the financial sector, which may have delayed awareness of emerging fraud techniques, such as the one used in the Tesco Bank attack.
- Under DORA, Tesco Bank could have benefited from the threat intelligence sharing arrangements the act encourages (participation is voluntary, but DORA explicitly provides for it), which could have helped the bank learn about emerging fraud techniques earlier and take preventive action to strengthen its systems.
In short, DORA’s emphasis on resilience testing and information sharing could have significantly improved Tesco Bank’s ability to identify weaknesses and prevent fraudulent activity, ultimately reducing the impact of the attack.
Boosting financial services cyber resilience
As you can see, DORA’s higher baseline of requirements will strengthen the cyber resilience of the financial sector. This is great news for businesses and consumers, and bad news for attackers.
However, as we know, attacks are constantly evolving, so even organisations outside the act’s EU financial industry scope would be wise to align themselves to these tougher protections.
But how would your organisation compare? Take our free DORA Readiness Assessment now.
In the meantime, if you’d like to know more about how DORA could impact your business, or what you will need to do to ensure compliance, there are lots of ways Cydea can help.