© 2023 CyberNews - Latest tech news,
product reviews, and analyses.

EU finance sector security law out of touch, warns tech expert

The EU’s new digital operational resilience rules for the finance sector rest on outdated assumptions about how IT systems are built and could end up stifling innovation by punishing smaller companies, a cybersecurity startup claims.

The EU’s Digital Operational Resilience Act (DORA) was formally adopted last month amid some fanfare, with the European Council declaring it would “make sure the financial sector in Europe is able to stay resilient through a severe operational disruption.”

“Thanks to the harmonized legal requirements which we adopted today, our financial sector will be better able to continue to function at all times,” said Czech Finance Minister Zbyněk Stanjura when the formal declaration was made on November 28. “If a large-scale attack on the European financial sector is launched, we will be prepared for it.”

But not all cybersecurity professionals are convinced. Cybernews spoke with Monica Oravcova, Chief Operating Officer and Co-Founder of blockchain-based tech startup Naoris, about DORA and the ramifications it has, both for cybersecurity companies operating in Europe and their clients.

Two of the core problems with the legislation, in her view, are its lack of specificity and failure to realize that the “ringfenced” or isolated IT systems it is predicated on are simply no longer applicable in today’s evolving cyber landscape. The internet of things (IoT) and cloud technologies are greatly expanding the attack surface a threat actor can use to go after an organization.

“DORA is an administrative framework,” she says. “It contains some key principles and guidelines, like a guidebook for the financial sector and ICT [information and communication technology] providers – how to handle risk management processes, respond to cybersecurity incidents, report and classify them, and maintain and achieve operational resilience. The administrative framework is there, but what is really missing is the technical framework.”

A “paper” law?

Being compliant on paper is one thing, she argues, but a box-ticking exercise will be of little help against cybercriminals who are willing to exploit multiple attack vectors to hold a target company to ransom.

Oravcova cites research by Cybersecurity Ventures from 2020 that predicted the total worldwide cost of cyberattacks would exceed $10 trillion annually by 2025, and worries that potentially vulnerable businesses and the legislators who are supposed to protect them are out of touch. Because cybersecurity was originally designed to protect limited numbers of devices on self-contained, centralized networks, its core principles are no longer fit for purpose, she argues.

“We keep making the same mistakes over and over, using solutions based on the same principles – protecting very small networks,” she says. “In the past, you had one office where everybody came in and joined the same network. But now we see that people work from home, from hotels, from different countries. They travel and bring their own devices.

“All of these external factors are causing problems in terms of cybersecurity and resilience – and in terms of DORA, they do not specifically say which solutions you should use, they just give you some kind of checklist. Implementation is key, and nobody tells you what to implement and how.”

Oravcova also has serious doubts about how compliance with DORA’s requirements, sketchy as she says they are, will be audited in practice, given that potentially hundreds of thousands of EU-based companies would need regular monitoring.

“We are talking crypto providers, digital money, insurance, reinsurance – the sector is huge,” she says. “And how do you make sure that these companies are adhering to these standards? You would literally have to employ hundreds of thousands of people who are cybersecurity and audit experts.”

Smaller firms may suffer

Nor does Oravcova expect the regulatory framework to lead to meaningful personal sanctions against senior executives. If it does, she suggests, it will be the smaller firms, with less money to spend on cybersecurity compliance, that suffer.

“Scalability of enforcement might really be a problem because when we are talking about putting CEOs or board members in prison, it's really about showing intent – that you have put some effort into your overall security strategy,” she says. “And when we talk about the big players, a big CEO of a large bank going to prison, these teams already have mitigation processes in place and risk management teams who are handling cybersecurity threats.

“So I don't believe that the big players would go to prison, but how about the small players? How about the fintech sector startups, where you have an office maybe with 20 people, and your IT and security team is just one person? And then you outsource some activities to a third party – what capabilities do you have to audit the third party and decide if that vendor is good or bad?”

Oravcova fears that overzealous auditors could end up putting smaller firms out of business with excessive fines. She acknowledges that specific amounts have yet to be prescribed under the new law, but says the lack of clarity on this point only adds to her concern.

Pointing to the ceiling of 4% of annual turnover that the EU’s General Data Protection Regulation sets for a breach, she asks: “What are the fines here? I think the fines and risks with DORA might be really crucial, but they do not talk about any financial damages in this law. In the financial sector, there are lots of small players, innovative fintech companies who have limited resources to fight against security threats.”

Oravcova also believes this problem could be replicated within the cybersecurity niche of the industry, with startups feeling obliged to hire bigger firms in order to be seen as compliant, effectively squeezing more innovative smaller providers out of the market.

“It implies that the financial sector should work with well-established players in terms of security providers,” she says. “So that again limits the small players – if you want to be compliant, you call one of the big players, because it says I should work with the best in the industry. ‘Best’ often means the biggest voice – it doesn't mean the more resilient and innovative solution.”
