Redefining the testing ground: DORA's approach to resilience trials
In the ever-evolving digital landscape, the need for robust cybersecurity measures has never been more crucial. One such initiative is the Digital Operational Resilience Act (DORA), which requires financial institutions to conduct rigorous testing to ensure their digital operational resilience.
The core of DORA's testing strategy revolves around two key procedures: Threat-Led Penetration Testing (TLPT) and Scenario-Based Testing.
Threat-Led Penetration Testing (TLPT) is designed to simulate real-world cyberattacks against critical systems, carried out by ethical hackers. Conducted by certified, independent teams, these tests follow a structured approach consistent with the TIBER-EU framework, which forms part of the EU's cybersecurity strategy for the financial sector. The purpose of a TLPT is to let a financial entity identify vulnerabilities before attackers do and to improve its response capabilities based on the test outcomes.
Scenario-Based Testing, on the other hand, evaluates the readiness of internal teams by simulating various incidents such as ransomware outbreaks or vendor outages. Conducted regularly, these tests include tabletop or live exercises to assess response strategies under realistic scenarios.
While DORA applies to all financial entities, the specific requirements and emphasis can differ based on the institution's size and systemically relevant status. Smaller financial institutions might have less complex systems but still need to comply with DORA’s core requirements. They may focus on more straightforward testing methodologies, prioritizing basic security measures such as patch management, network segmentation, and multi-factor authentication due to limited resources.
Systemically Relevant Institutions (SRIs), being critical to financial stability, face more stringent requirements because of their potential impact on the entire financial system. They must adhere to comprehensive testing protocols, including TLPTs aligned with the TIBER-EU framework, to ensure robust digital operational resilience. For SRIs, testing also includes complex scenario-based exercises covering extensive operational disruptions, with emphasis on crisis communication and recovery capabilities.
Dana Wondra, a Senior Manager Marketing at Payment & Banking, provides insights on working with internal auditors in a recent podcast episode. The episode, part of the P&B podcast series, discusses strategic levers for increased security, DORA's decision-making process for extended tests, and the importance of integrating testing as part of the corporate culture. Wondra, with a background in business administration and marketing, studied at the University of Greifswald and has experience in public relations and organizing Olympic campaigns. Currently, Wondra is a consultant and project manager at GOLT Coaching.
In conclusion, DORA's goal is not just to provide evidence for supervision, but to integrate testing as a part of the corporate culture. Regular, realistic, and risk-oriented testing is necessary to ensure safety, and tools like the Secura DORA program can help tailor testing to specific needs, ensuring compliance without excessive overhead. Whether a financial institution is small or systemically relevant, the importance of digital operational resilience cannot be overstated in today's interconnected world.
The Secura DORA program assists in tailoring testing to an institution's specific needs and in meeting the requirements of the Digital Operational Resilience Act (DORA) without imposing excessive overhead. Threat-Led Penetration Testing (TLPT), which simulates real-world cyberattacks, is a critical component of this strategy, especially for Systemically Relevant Institutions (SRIs), whose digital operational resilience depends on robust cybersecurity measures.