Privacy Please
Tune into "Privacy Please," where hosts Cam and Gabe engage with privacy and security professionals around the planet. They bring expert insights to the table and break down complicated tech stuff so everyone can understand.
S5, E224 - The Impact of European Cyber Regulations on Global Finance
What if a simple app failure could trigger chaos across the financial world? Explore the vital safeguards of Europe's Digital Operational Resilience Act (DORA) with host Gabe Gumbs on Privacy Please. This episode goes into how DORA is transforming digital infrastructure to withstand the onslaught of cyber threats like ransomware, ensuring that your access to financial services remains seamless and uninterrupted. From banks to tech providers, discover the global ripple effects of this European regulation that extends its reach to American firms intertwined with the EU financial sector.
Welcome to another episode of Privacy Please, where we break down complicated tech stuff into bits everyone can understand. I'm your host, Gabe Gumbs, and today we're talking about something pretty important: DORA. No, not the Explorer. We're talking about Europe's new Digital Operational Resilience Act. Now I know what you're thinking: great, another boring regulation. Those Europeans sure do like their digital regulation, with their GDPR. Now, stick with me, just hang in there, right? Because this one's actually pretty interesting.
Speaker 1: So let me start with just a real easy question. You ever try using your banking application, logging in, phone, online, whatever, and it wasn't working? Yeah, pretty frustrating, right?
Speaker 1: How long would it take for panic to set in if enough people were affected? What do you think? 30 minutes, an hour, two days? Now think about outages caused by things like ransomware. 22 days, that's the average. What would that do to critical infrastructure like banks? Well, that's exactly what DORA is trying to prevent. Think of it as a rule book that makes sure banks and financial companies keep their computer systems super durable and reliable.
Speaker 1: Again, ransomware, an absolute plague on society, and its number one impact is availability. Taking your business offline is the leverage to make sure you pay up. Banks are getting attacked more than ever before, and almost everything we do with our cash these days is online, right? Some cash, banks, we say back in Brooklyn. Whether you're paying your bills, checking your accounts, sending money, just all of our... I don't even know when's the last time you've held a significant amount of actual cash in your hand. I think for most of us that's not really a thing. I don't really walk around with a lot of actual cash. It's all digital these days. It's all being done through computers, and I think most of us are very comfortable with that. I think most of us are comfortable that if the systems have an issue, the banks will resolve it. But DORA goes further than that. DORA is meant to make sure that the systems are always there, always available, that you always can have access to your money. So if a bank's computers crash or get hacked, it's not just annoying, that's going to be a disaster for a lot of people.
Speaker 1: Now here's where it gets extra interesting, right? So since DORA is a European rule, you might think it only affects European countries, European companies. But it's not too dissimilar at all from GDPR. That arm is pretty large. Europe is a significant part of the global economy, as much as the global banking system, and so here's the scoop. So, first off, in Europe, it affects all banks, that's right, all banks. It affects all insurance companies, all investment firms and any companies that provide technology services to those financial companies. So if you provide technology services to a bank, an insurance company, an investment firm in the EU and it is part of that critical infrastructure, that means that DORA is going to affect you as well. It's interesting too, though, right? So a little bit of a twist: it affects a lot of American companies in that way. And so if you're an American bank with offices in Europe, yep, those offices, they're going to need to follow DORA. If you're an American tech company helping European banks with their computer systems, got it. You gotta follow DORA too, right? And so it's got a pretty wide reach.
Speaker 1: And the next obvious question is, well, what in the world do I need to do to make sure I'm compliant with DORA? And this is very much just an introduction to the topic, so, you know, for more detailed prescriptive information we'll get into that in some future episodes. We'll bring some guests on. We wanted to just get that topic out there. So there's really four main rules that companies need to follow. The first one is you got to find and fix your problems early. Pretty straightforward, right? So, prioritization of the issues that affect the operational resilience of your systems. Hell, even better if those systems self-heal themselves, right? Like, great, problem found and fixed all on its own. You got to report those problems quickly. That's the second big rule. So the first big rule is you got to find and fix those problems. The second one is you got to report those problems quickly. So if something goes wrong, you have to tell the authorities right away.
Speaker 1: No keeping secrets. A lot of times when breaches occur, it could be weeks, it could be months before that information is shared while they're doing, air quotes, "root cause analysis," right? Well, when there's an operational outage, when something's out, that knowledge is immediate, like everyone knows it. When a business gets hacked, everyone might not know it. It might be weeks or months before you even knew that, you know, company A or B or whatever. It might only be when you get that notice in the mail saying, hey, your data was leaked, that you even knew that that company was hacked. But when your bank is unable, when you aren't able to log into it, everyone knows that. So you've got to report right away what's going on, and no more of this "we'll tell you once we think we know all the things," right?
Speaker 1: Third rule, we covered this a little bit already, but you've got to make sure that your partners are safe. So if your suppliers are part of your critical operations, they're going to need to be checked as well. And then, number four, you've got to practice emergency plans. Practice them. I love that. That's part of the regulation. So, A, you're going to need a business continuity and disaster recovery plan. God forbid, if you don't already have one, you're going to need one. And B, you're not just going to have to have it, you're going to have to test it. Just like fire drills at school, you're going to have to practice handling these emergencies. You have to be prepared for when it happens. It should go without saying that just having a response playbook that you've never once exercised is not going to serve a lot of value if the first time you try to go through these exercises is during a live-fire exercise, when it's actually happening to you.
Speaker 1: But here's some other interesting things, right? So some American companies are choosing to follow those rules even if they don't have to, even if they're not within scope. It might just be that they recognize the good hygiene for what it is, which, quite honestly, it literally is. But let's be honest, we're not that far off from these rules hitting our shore in the exact same way. They are there and around us to a large degree, because American banking infrastructure has already been deemed critical infrastructure, but we don't have a federal regulation like DORA. It's not at the federal level, right? You've got things like NYCRR 500 out of New York that has some provisions around things like this. It's mostly focused on security, though, but again, I would always argue that security being the combination of confidentiality, integrity and availability, those types of things should have already been codified into both what we do and the technologies we build and the rules that we follow.
Speaker 1: But companies might want to follow DORA if, one, you want to work with other European companies someday. Then you're going to want to follow DORA. It's going to become similar to SOC 2 processes, where you have to demonstrate your security capabilities. You're going to have to demonstrate your resiliency capabilities as well. If you have partners and customers in Europe, yeah, you might want to follow DORA. If you just want to stay competitive globally, you're probably going to want to follow DORA, even if you're outside of scope, right? Or if, again, you're just simply looking for good security practice. So DORA was officially adopted back in November 2022.
Speaker 1: I don't think we talked about it much on this show, maybe not at all, if I'm being transparent, and so it's been a couple of years for folks to prepare, but it goes into effect on January 17th, 2025. So not that long from now, and by that date, all entities within scope of DORA, including financial institutions and critical third parties operating in the EU, are going to have to be fully compliant with its requirements. Now, there it is. There you have it, folks. DORA might sound complicated, but it's really just about making financial systems unbreakable, and, whether you're in Europe, America or anywhere else, these rules are really going to help shape the future of everyone's digital currency. That's all for today's episode of Privacy Please. Please remember to like, subscribe and share if you found this helpful. Until next time, Gabe Gumbs.