Information Security & Digital Operational Resilience Act: Challenges & Trends

The Digital Operational Resilience Act (DORA) is currently the focus of regulation in the financial sector, particularly for financial firms in the European Union. The regulation aims to strengthen the operational resilience of financial firms and protect them against cyber threats and IT disruptions. This means that, in addition to financial resilience, the security of information systems is now a particular focus of regulation. In this article, we look at the importance of information security for EXCON and highlight the biggest challenges and trends in an interview with Head of IT Markus Heiß.

Information Security at EXCON

Information security is of central importance for companies such as EXCON. The protection of sensitive data and the integrity of systems are decisive for business success and the trust of employees, customers and partners. EXCON has therefore implemented a large number of measures to ensure information security:

  1. Technical measures: Regular updating and monitoring of the IT infrastructure, implementation of firewalls, intrusion detection and prevention systems (IDPS), encryption of sensitive data and use of anti-malware programs.
  2. Organizational measures: Implementation of an ISO 27001-compliant Information Security Management System (ISMS), regular employee training, strict access controls, and regular security reviews and audits.
  3. Incident response protocols: A clearly defined protocol enables quick and effective responses to security incidents, including identification, containment, remediation, and subsequent analysis.

Management plays a critical role in ensuring information security. It sets the strategic priorities, provides the necessary resources and promotes a security culture throughout the company. EXCON not only follows standards such as ISO 27001 and GDPR, but also develops company-specific guidelines that are tailored to specific requirements.


Expert Interview on Information Security with IT Manager Markus Heiß

As an expert in information security and head of IT at EXCON, Markus Heiß gave us a deeper insight into the practical side of things in an interview. The interview focused on the challenges facing the company and the experience gained in the area of information security.

What challenges do you see for the future in the area of information security?

Markus Heiß: One of the biggest challenges is the constantly evolving threat landscape. Cyber criminals are becoming more and more sophisticated and it is a constant challenge to stay one step ahead of them. In addition, the increasing interconnectedness and digitization pose additional risks that need to be managed.

How important is it for EXCON to comply with legal regulations and standards in the area of information security?

Markus Heiß: Compliance with legal regulations and standards has the highest priority for us. This not only helps us to avoid legal and financial consequences, but also and above all strengthens the trust of our customers and partners.

Which measures are particularly important for your security strategy?

Markus Heiß: It is important to continuously review and adapt both technical and organizational measures. For example, in recent years we have continuously expanded our monitoring systems and introduced stricter access controls. We have also intensified our cooperation with external security experts to ensure that we are always informed about the latest threats and defensive measures.

What long-term changes are you making to meet today's information security requirements?

Markus Heiß: In the long term, we have established a culture of continuous improvement. We hold regular lessons-learned workshops to learn from every situation and continuously develop our security strategy. In addition, the role of an Information Security Officer (ISO) in our corporate structure is crucial to embedding information security at the highest level.

How do you assess the risk of insider threats for companies and what steps has EXCON taken to protect itself?

Markus Heiß: Insider threats are security risks that originate from individuals within an organization. These threats come from current or former employees, contractors or business partners. They represent a significant risk for every company because they are often difficult to detect. We minimize this risk through strict access controls, regular employee screening and training, and the use of monitoring systems that detect unusual behavior.

10 Information Security Trends

Information security will continue to be a challenge for organizations as new and changing requirements emerge. Trends must always be kept in mind and recognized at an early stage. EXCON IT Manager Markus Heiß has summarized the most important trends for us.


  1. Increasing complexity of cyber threats: The threat landscape is becoming more complex and sophisticated. Cybercriminals are increasingly using artificial intelligence and machine learning to automate and refine their attacks. Organizations must constantly evolve and modernize their security posture to counter these new threats.
  2. Cloud security and hybrid work models: With the increased use of cloud services and the shift to hybrid work models where employees work both in the office and remotely, organizations are facing new security challenges. It is increasingly important to implement robust security measures that ensure secure access to cloud resources and protect remote workstations.
  3. Zero Trust Security: The Zero Trust model is gaining momentum. It is based on the principle of "never trust, always verify" and requires strict authentication and authorization processes for all access to corporate resources. Implementing Zero Trust requires a major overhaul of existing security architectures and is a significant challenge.
  4. Expanded regulatory and compliance requirements: Regulatory requirements for data privacy and information security will continue to increase. Organizations must prepare for stricter compliance with data protection laws, such as GDPR, and new regulations, such as the Digital Operational Resilience Act (DORA). This will require continuous adaptation and review of compliance measures.
  5. Artificial intelligence and automation in cybersecurity: Artificial intelligence and automation will play an increasingly important role in cybersecurity. They can help detect and respond to threats more quickly. At the same time, organizations must ensure that their AI systems are secure and reliable so as not to create additional risks.
  6. Protecting IoT Devices and Industrial Control Systems: As Internet of Things (IoT) devices and industrial control systems (ICS) become more connected, the risk of cyberattacks on these systems increases. Organizations must develop specific security measures to protect these devices and systems from attack.
  7. Cyber Resilience and Disaster Recovery: The ability to recover quickly from cyberattacks is becoming increasingly important. Organizations must regularly test and update their disaster recovery plans and processes to ensure they can respond quickly and effectively in the event of an emergency.
  8. Employee training and awareness: Human error remains one of the greatest vulnerabilities in information security. It is increasingly important to implement ongoing employee training and awareness programs to raise awareness of security threats and promote best practices.
  9. Privacy and data sovereignty: Privacy will remain a key issue. Consumers and governments are demanding greater control over personal data. Companies must be transparent and responsible with data and develop innovative solutions to protect privacy.
  10. Collaboration and Information Sharing: Collaboration and information sharing between companies, industries and governments will be critical to effectively combat cyber threats. Joint initiatives and networks to analyze and defend against threats will become increasingly important.

Preparation & Key Requirements of DORA

The Digital Operational Resilience Act (DORA) is very important in light of the increasing challenges and complexities of information security outlined above. It establishes common standards and requirements for digital resilience that apply across the EU. This will help minimize the risk of cyber-attacks and IT failures and ensure the stability of the financial system. DORA also protects the interests of customers and promotes trust in the financial sector. Because EXCON is a software company and service provider in the financial sector, the regulation also applies to EXCON, and the DORA standards for third-party providers therefore apply to us from the very beginning. But where does a company start with the implementation of the regulation, and what are the most important key requirements? We answer these questions in the following sections:

How should companies prepare for DORA implementation?

Companies should prepare extensively for the implementation of DORA. The first step in preparation is a gap analysis, which identifies where existing processes and systems do not meet the DORA requirements. The next step is training and employee awareness of the new requirements and best practices in IT risk management. Process optimization then ensures that IT and security processes are adapted and optimized in accordance with the DORA regulations. Decisions are then made on possible investments in advanced security and monitoring technologies. In addition, all third-party providers of critical IT services must also be DORA-compliant, and this must be verified.

What are the key requirements of DORA?

  • IT risk management: Financial firms must have robust systems and processes in place to identify, assess and manage IT risks.
  • Incident reporting: Firms must quickly report and document cyber incidents and IT disruptions.
  • Security audits: Regular security audits and assessments are required to identify and remediate vulnerabilities.
  • Third-party risk management: Organizations must ensure that third-party vendors providing IT services also comply with DORA standards.
  • Security monitoring: Continuous monitoring of IT infrastructure for early detection of threats and anomalies.

The steps and key aspects of the regulation outlined above create numerous new processes, obligations and complexities for financial firms. Compliance with the DORA regulations requires continuous monitoring and adaptation of security measures in the run-up to the effective date of January 17, 2025. Depending on the status quo, the diverse and detailed requirements may require a comprehensive overhaul of the existing IT and security infrastructure. Third-party vendor management will require cross-enterprise coordination, collaboration, and data collection to provide the necessary visibility.

In order to strengthen digital resilience and achieve long-term success, the focus is once again on continuously evolving security measures and actively addressing the new challenges facing financial firms and third-party service providers.

Practical tip: Audit your third party providers with ex:plore

Do your partners and service providers comply with the DORA requirements? Where is there a need for optimization and where should contracts be tightened? With the audit software ex:plore you can answer these questions company-wide.

Contract Management and Audits

A central, easily accessible and searchable database allows you to store and manage all contracts with third parties. This makes centralized management much easier. To support contract audits, the audit software ensures that all relevant DORA requirements and security measures are included in the contracts.

Compliance and Reporting

Using compliance questionnaires, financial institutions can verify that third-party vendors meet all relevant DORA compliance requirements. In addition, real-time reports and dashboards are generated on the results to visualize the status of compliance measures at any time.

Incident Management

Incident tracking is performed by manually entering and tracking third-party security incidents. Automatic follow-up actions are defined within the audit software and tracked at all times. ex:plore also supports the manual review and management of third-party contingency plans to ensure their readiness to deal with business disruptions.

Audit Trails and Documentation

Audit trails are ensured by documenting all interactions and reviews with third parties to create a traceable history. Centralized storage of all relevant documents, such as audit reports, risk analyses, and proof of compliance, enables effective documentation management.

Do you have further questions regarding the use of ex:plore for your third party management? Please do not hesitate to contact us.


Good to know:

What is Operational Resilience?

Operational resilience is the ability of an organization to continue its critical business processes and services in the face of adverse circumstances and disruptions. It includes planning, preparing for, and responding to cyber-attacks, natural disasters, technical failures, and other unforeseen events. The goal is to minimize the impact of such incidents and ensure business continuity.


Examples of operational resilience in the financial sector include

Cyber attacks: Banks implement cybersecurity measures such as firewalls, IDS, and contingency plans to quickly restore systems.
Natural disasters: Investment firms use geographically dispersed data centers and data replication to ensure uninterrupted operations.
Technical failures: Redundant systems and disaster recovery plans ensure rapid restoration of online banking services.
Pandemics: Insurance companies rely on remote work infrastructures with secure VPN access and collaboration tools.
Third-party provider outages: Banks have alternative providers or on-premises solutions in place to continue services.
Regulatory changes: Financial institutions adapt quickly to new regulations with flexible IT architecture and agile project management.