By Ambler T. Jackson
The Digital Operational Resilience Act (DORA) requires European Union (EU) financial
institutions, such as banks, insurance companies and investment firms, to follow
rules for the protection, detection, containment, recovery and repair
capabilities against information and communication technology (ICT) related
incidents. It provides uniform
requirements concerning the security of network and information systems
supporting the business processes of financial entities. To address the threats introduced by third
parties that provide services to entities operating in the financial sector, DORA
requires financial entities to take measures for the "sound management of ICT
third-party risk." In this blog, I will discuss why financial
institutions and ICT third parties should consider using data loss prevention
(DLP) to help achieve DORA compliance.
ICT Risk Management Framework and DLP
DORA compliance
is far-reaching as it not only applies to financial entities, but also applies
to third parties that provide ICT-related services to financial entities. It
creates a regulatory framework on digital operational resilience, whereby all
firms need to make sure they can withstand, respond to and recover from all
types of ICT-related disruptions and threats. Article 6, ICT Risk Management
Framework states, in part, that financial entities shall have a sound,
comprehensive and well-documented ICT risk management framework as part of
their overall risk management system which shall include strategies, policies,
procedures, ICT protocols and tools that are necessary to duly and adequately
protect all information assets. A strong
DLP program with the right technical capabilities can help financial entities
protect all of their information assets.
DLP solutions
help mitigate the risks associated with data loss due to insider-related
incidents such as employee error (e.g., unintentional file deletion or the
unintentional sharing of sensitive data in an email), and data breaches due to
malicious attacks. A worthwhile DLP tool will identify sensitive data, manage insider threats, help
entities understand their regulatory compliance requirements for all data
types, and ultimately protect sensitive data (e.g., payment information,
sensitive customer data, employee data, etc.) from leakage or theft.
DLP Policy Violations, Monitoring and Alerting
To protect information assets in accordance
with the ICT risk management framework, financial entities have to prevent data
loss and data exfiltration using tools that will not only identify the information assets, but also monitor the
environment to provide appropriate alerts when an asset like financial
information is being used in a way that violates the entity's policy regarding such
information.
DLP policies describe what happens when a
user uses sensitive data in a way that the policy does not allow. Policies are important to control data
storage, file transfer and sharing, as well as what activity is permissible on
employee endpoints. A DLP solution should be capable of performing
actions such as sending out alerts for DLP policy violations, warnings using
pop-up messages, quarantining data and blocking data entirely. Organizations should be able to define their
policies based on their internal security policies, standards, controls and
procedures.
In further
consideration of the requirements of the ICT risk management framework, the following DLP capabilities
will bring a financial entity's risk management and governance practices closer to DORA
compliance.
- Identification of all types of sensitive data, regardless of where it is located and regardless
of format; that is, whether structured or unstructured
- Classification of data according to its value and the risk to the financial institution if it
is leaked unintentionally or accessed by malicious actors
- Organizationally-defined policies for each data type to support regulatory compliance requirements and enable
incident response activities
- Monitoring for violation of policies and prevention of information assets being transmitted
to environments where financial entities may not have visibility
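The policy model described above (identify sensitive data, classify it, then alert, warn, quarantine or block according to the organization's own rules), as an added example in Python that is not code from the original post or any particular DLP product. The data types, channels and policy table are hypothetical, and the Luhn and IBAN checksum checks show how identification is validated so that ordinary digit runs such as order numbers do not trigger false positives.

```python
import re

# Policy actions from least to most severe; the most severe matching action wins.
SEVERITY = ["allow", "alert", "warn", "quarantine", "block"]
# Candidates: 13-19 digit runs (spaces/dashes allowed) and IBAN-shaped tokens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")
# Organization-defined policy (hypothetical): (data type, channel) -> action.
POLICY = {
    ("payment_card", "email_internal"): "warn",
    ("payment_card", "email_external"): "block",
    ("iban", "email_external"): "quarantine",
    ("iban", "usb"): "block",
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most non-card digit runs such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: rotate first four chars to the end, letters -> 10..35."""
    s = iban.replace(" ", "")
    numeric = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(numeric) % 97 == 1

def classify(text: str) -> set[str]:
    """Identify which sensitive data types appear in unstructured text."""
    found = set()
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(text)):
        found.add("payment_card")
    if any(iban_ok(m.group()) for m in IBAN_RE.finditer(text)):
        found.add("iban")
    return found

def evaluate(text: str, channel: str, policy: dict, default: str = "alert"):
    """No sensitive data -> allow; otherwise the most severe action defined for
    any (data type, channel) pair, falling back to `default` for unlisted pairs."""
    types = classify(text)
    if not types:
        return "allow", types
    return max((policy.get((t, channel), default) for t in types), key=SEVERITY.index), types
```

Feeding `evaluate()` the text of an outbound email or a file copied to removable media returns the action the policy requires together with the data types that triggered it, which is the context an alert or quarantine record needs.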
Incident Detection and Response
Threat and incident detection are key to
DORA compliance. DLP capabilities that combine analysis of data and user
behavior are better positioned to detect insider threats.
In fact, Gartner recommends investing in a DLP solution that not only provides content
inspection capabilities but also offers extra features such as data lineage for
visibility and classification, user and entity behavior analytics (UEBA), and
rich context for incident response. UEBA is useful for
insider-related incidents (e.g., UEBA might help identify data exfiltration by
a dissatisfied employee).
Further, DLP tools capable of providing
rich context for incident investigations and response help to mitigate the impact of a breach
more quickly. Similarly, mitigating the
impact of a breach allows companies to start recovery after an ICT-related
incident more quickly. Taken all
together, these capabilities help to minimize the impact of any operational
disruptions that may have resulted from the incident.
Conclusion
Organizations that are in the planning phase
of selecting a DLP solution to comply with DORA will need to fully understand DORA
and ICT third-party requirements, as well as how modern DLP tools can provide
capabilities that meet the requirements of DORA. Given the many options and variables to
consider, financial institutions must spend the appropriate amount of time understanding
the nuances
and distinctions among the many solutions
on the market.
About the Author
Ambler is an attorney with
an extensive background in corporate governance, regulatory compliance,
and privacy law. She currently consults on governance, risk and
compliance, enterprise data management, and data privacy and security matters
in Washington, DC. She also writes with Bora
Design about today's
most important cybersecurity and regulatory compliance issues.