The 24-month implementation window for the Digital Operational Resilience Act (DORA) has now closed.
As of Friday (17 January), financial institutions operating within the EU had to be compliant with DORA, which obliges them to strengthen their cyber resilience across multiple domains.
There will inevitably be compliance stragglers, and regulators will likely be more forgiving of implementation gaps during the law’s early phase. And of course, compliance is an ongoing process rather than a milestone reached and then ignored. Even if regulators are satisfied, risks can always be further mitigated – and done so more cost-effectively.
The incentives for maintaining DORA compliance are significant: repelling frequent and potentially calamitous cyber-attacks against the sector, and avoiding fines of up to 2% of an organisation’s annual worldwide turnover or, for individuals found liable, €1 million.
With this in mind, here are five ways the YesWeHack platform – combining Bug Bounty Programs with Vulnerability Disclosure Policy, Pentest Management and Attack Surface Management solutions – can help financial service entities cost-effectively strengthen their alignment with the DORA framework.
#1 Continuous, in-depth and scalable testing
DORA demands: “Financial entities, other than microenterprises, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions [as well as, with further exemptions…] carry out at least every 3 years advanced testing by means of TLPT [threat-led penetration testing].”
“Central securities depositories and central counterparties shall perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions.”
YesWeHack solution: Unlike time-boxed pentests, Bug Bounty testing is continuous and easily optimised in line with budgets as well as the criticality and security level of assets in scope.
Tapping into our eclectic talent pool comprising tens of thousands of hunters can maximise testing coverage and harden assets in preparation for the Threat-Led Penetration Testing (TLPT) prescribed by DORA.
Crowdsourcing and results-oriented security testing helps organisations meet DORA’s demands for a rapid increase in cyber capacities amid a global cyber skills shortage. This platform-driven approach also enables InfoSec teams to spin up new scopes or new programs quickly, which minimises software rollout delays.
And all this can be achieved cost-effectively, as organisations only pay for valid, actionable vulnerabilities.
#2 Support ICT risk management through comprehensive coverage
DORA demands: “Financial entities shall, on a continuous basis, identify all sources of ICT risk […] assess cyber threats and ICT vulnerabilities […] establish, maintain and review a sound and comprehensive digital operational resilience testing programme [that includes…] a range of assessments, tests, methodologies, practices and tools [that follows…] a risk-based approach […] duly considering the evolving landscape of ICT risk, any specific risks to which the financial entity concerned is or might be exposed, the criticality of information assets and of services provided […]”
YesWeHack solution: Combine our Bug Bounty and Attack Surface Management (ASM) products to continuously track your proliferating online assets, strategise your testing initiatives and prioritise vulnerability remediation.
Following the Continuous Threat Exposure Management (CTEM) model, our ASM gives you a real-time, comprehensive picture of your online assets and exposure to known vulnerabilities, as well as automated, risk-based prioritisation of those bugs based on asset criticality and exploitability.
Better still, vulnerabilities from various security testing channels – including ASM auto-scans, Bug Bounty testing, traditional pentesting and Vulnerability Disclosure Policies (VDPs) – are standardised and managed through the same interface. The ASM’s ‘Asset Coverage’ feature provides insights on exposed assets that help security teams define and fine-tune their testing strategies in a structured, informed manner.
#3 Rapid remediation
DORA demands: “Based on the conclusions from the internal audit review, financial entities shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings.”
“Financial entities, other than microenterprises, shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.”
YesWeHack solution: As opposed to a manual approach that might use static deliverables and multiple, non-integrated tools, our platform-driven model reduces time-to-fix by enabling collaboration across teams, automating time-consuming processes, standardising vulnerability formats and integrating with organisations’ internal workflows. Remediation is also facilitated by our triagers’ and hunters’ prompt response to queries (YesWeHack’s average first response to new reports is just 5-6 hours).
#4 Mitigate supply chain risks
DORA demands: “A dedicated ICT third-party risk strategy [should be] rooted in a continuous screening of all ICT third-party dependencies.”
“Financial entities shall identify all relevant underlying ICT systems, processes and technologies supporting critical or important functions and ICT services, including those supporting the critical or important functions which have been outsourced or contracted to ICT third-party service providers.”
YesWeHack solution: Our Bug Bounty service provides access to deep and broad testing skills that allow security teams to discover vulnerabilities not just in their own assets, but third-party components too. By integrating our ASM into their risk-management strategy too, organisations can continually identify potential weaknesses in third-party dependencies and throughout their whole supply chain.
#5 Foster a security-first culture
DORA demands: “Management bodies should […] cultivate, at each corporate layer, and for all staff, a strong sense of awareness about cyber risks and a commitment to observe a strict cyber hygiene at all levels […] Allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training”
YesWeHack solution: Seamless collaboration between researchers, triagers, security teams and developers through a single, unified platform helps to break silos, increase security awareness internally and instil secure development practices. Consider how Orange France, according to its Bug Bounty Program Manager, Yann Desevedavy, intentionally leaves vulnerabilities reported by our hunters on internally-accessible dummy websites. “Our employees then take on the role of ethical hackers to identify bugs that were previously discovered on our application,” said Yann. “It’s an engaging and effective awareness-raising activity.”
STRENGTHEN YOUR SECURITY COMPLIANCE
CONTACT OUR SALES TEAM to BOOK A DEMO of our Bug Bounty service or ASM, and to find out more about how your organisation can secure your growing attack surface cost-effectively.