DORA, ISO/IEC 27005, and the Rise of AI: Securing the Future of Cybersecurity
In an era where digital transformation is inevitable, the cybersecurity landscape is constantly evolving. This article delves into key topics discussed in our recent webinar, including the Digital Operational Resilience Act (DORA) and its implications, the ISO/IEC 27005 framework for risk management in information security, and how leveraging artificial intelligence can enhance cybersecurity measures.
In the article below, the speakers, Geoffrey L. Taylor and Martin Tully, address some questions on the topic:
Q: If an organization outside the EU does business with a financial institution within the EU, is it mandatory for both parties to comply with DORA?
A: The organization based in the EU would be subject to DORA compliance. The Digital Operational Resilience Act (DORA) primarily applies to financial institutions and critical third-party service providers within the EU. While an organization outside the EU is not directly required to comply with DORA, it must adhere to DORA requirements when interacting with its EU-based counterpart. This means that the non-EU organization would need to align its practices to meet the operational resilience standards mandated by DORA to ensure the EU financial institution remains compliant.
Q: Is there a specific risk management framework you recommend?
A: We suggest that the organization determine the most suitable framework based on its size, complexity, and maturity.
Q: Since DORA is an EU regulation, is there a comparable regulation for development in the US (either at the federal or state level)?
A: In the US, there is a similar document titled “Interagency Paper on Sound Practices to Strengthen Operational Resilience,” available here: The Fed – SR 20-24: Interagency Paper on Sound Practices to Strengthen Operational Resilience.
Q: Does DORA provide any recommendations on establishing KPIs to monitor and measure the performance of the incident management process?
A: Yes, DORA requires organizations to establish Key Performance Indicators (KPIs) to monitor and measure the performance of their incident management process.
Specifically, DORA mandates that organizations measure the duration of incidents, from the time they occur to their resolution. Additionally, organizations must track service downtime to ensure a comprehensive understanding of the incident’s impact on operations. These metrics help ensure timely incident response and recovery, enhancing the organization’s overall operational resilience.
Q: What impact might there be for PCI-compliant organizations in achieving DORA compliance?
A: PCI and DORA should be approached as distinct entities—one a standard and the other legislation. It’s probable that a PCI-compliant organization will also need to adhere to DORA requirements. Consequently, they may already have in place a comparable set of controls that overlap between the two sets of requirements.
Q: Who is the competent authority to report to under DORA? What about countries that don’t have such an authority established?
A: The competent authority to report to under DORA is determined by each EU member state, and each member state must establish a designated authority for DORA enforcement. For example, in Denmark, the Danish Financial Supervisory Authority (FSA) has been delegated this responsibility. In countries that have not yet established a specific authority, organizations should follow interim guidelines provided by their national regulatory bodies until a designated authority is officially established.
Q: What is the disparity between ISO/IEC 27005 and DORA, and could you elaborate on this difference?
A: ISO/IEC 27005 is an international, non-certifiable standard, distinct from ISO/IEC 27001. It offers guidance on managing information security risks but is descriptive rather than prescriptive. On the other hand, DORA is an EU regulation, which provides specific directives rather than guidance, outlining mandatory requirements for compliance.
Q: If an organization implements ISO/IEC 27001, would it be easy to comply with DORA? How relevant are both, and what are the differences?
A: There is no straightforward answer to this question. Implementing ISO 27001, which establishes an Information Security Management System (ISMS), can enhance an organization’s ability to comply with DORA, as both frameworks share a focus on robust risk management and security practices. However, ISO 27001 compliance does not automatically guarantee DORA compliance. An organization must assess whether its existing ISMS fully meets DORA requirements or if additional measures are needed. While ISO 27001 provides a solid foundation for information security, DORA includes specific operational resilience and incident management requirements that may necessitate further actions to ensure full compliance.
Q: Does DORA affect Electronic Money Institutions (EMIs) conducting transactions on digital platforms, akin to electronic banks?
A: DORA applies to over 22,000 financial entities and ICT service providers within the EU, as well as those outside the EU supporting EU operations. While the legislation is undergoing review, EMIs operating within the EU or supporting activities in EU jurisdictions are likely to be impacted by DORA. This means that if an EMI operates within the EU or facilitates transactions involving EU jurisdictions, it falls under the purview of DORA and must adhere to its regulations.
Q: If you are outsourcing an AI service, will AI legislation still affect you?
A: Yes, if an organization is providing an AI service to an entity that falls under the scope of DORA, the AI legislation may affect you directly or indirectly. Even if the organization itself is not directly regulated by DORA, it must ensure that its AI services comply with the necessary standards and requirements to support the compliance obligations of the DORA-regulated entity it serves. This means aligning your AI service practices with the operational resilience and risk management expectations set forth by DORA.
Q: In the context of third-party risk assessment, is it always Company A assessing Company B, or can Company B conduct a Vendor Risk Assessment (VRA)?
A: Yes, Company B can conduct a Vendor Risk Assessment (VRA) of its own third parties, referred to as ‘fourth parties’ (e.g., Company C). If Company B performs the VRA according to DORA requirements, it ensures that both Company B and its third-party vendors (Company C) are meeting the necessary standards.
This creates a clear ‘line of sight’ for Company A, demonstrating compliance through the entire supply chain, from Company A to Company B and down to Company C. This layered approach helps maintain comprehensive risk management and operational resilience in accordance with DORA.
Q: What techniques can effectively convey the consequences of an AI system attack to organizations?
A: An effective method is to perform a risk assessment focused on AI systems.
To communicate the potential consequences, use a Business Impact Assessment (BIA) that outlines the impact on the business as a whole. This BIA should cover financial losses, operational disruptions, and reputational damage.
Presenting the risks in this comprehensive manner helps stakeholders understand the severity and breadth of the potential impacts, making it easier to take necessary precautions.
Q: Can ISO/IEC 27005 be integrated with ISO 31000:2018, especially for ICT/IT-related risks?
A: Absolutely. These frameworks are intrinsically linked within ISO. ISO 31000 builds on the risk assessment framework described in ISO/IEC 27005 but provides a more comprehensive approach. It covers identifying, analyzing, evaluating, treating, monitoring, and communicating risks across the entire organization. Integrating them allows for a robust and holistic risk management strategy, particularly for ICT/IT-related risks.
Q: How would you define criticality in terms of scoping systems?
A: Criticality can be defined by establishing specific parameters and asking the right questions when scoping systems. Consider whether the system is safety-critical, mission-critical, business-critical, or security-critical. For instance, security-critical systems typically store, process, or manage sensitive information and require high resilience and availability. By identifying the role and importance of each system in these categories, organizations can prioritize their resources and risk management efforts effectively.
Q: Will providers outside the EU need to be concerned about DORA conformity?
A: Yes, providers outside the EU should be concerned about DORA conformity if they conduct business with financial entities within the EU or supply services to such entities. These organizations need to determine if they fall within the scope of DORA and to what extent. Compliance may be necessary to ensure that their EU-based partners or clients can meet their regulatory obligations under DORA.
Q: During the webinar, it was mentioned that AI can be included in security controls applied by third parties. Could you provide an example?
A: Not all security controls, such as Segregation of Duties (SoD), can be efficiently managed by AI. However, AI controls are most effective where there is a significant amount of data to analyze. For instance, AI can be used to identify anomalous data, whether in data extraction processes or in detecting unusual activities. This allows for quicker identification of potential security threats compared to traditional methods.
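As a concrete illustration of the "anomalous data in data extraction processes" use case, here is a small added example (not code from the webinar or its speakers) that flags users whose export volume is a statistical outlier relative to their peers. The log format, the per-user aggregation window, and the sample lines are all constructed assumptions for this example; the detection itself uses a robust median/MAD z-score so that the outlier cannot inflate its own baseline the way a mean/standard-deviation score would:

```python
"""Flag anomalous data-extraction volumes with a robust (median/MAD) z-score.

Added example, not from the webinar speakers. The log format and the
per-user aggregation are assumptions for illustration.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-05-01T09:02:11Z user=alice action=export rows=1200 bytes=480000
2024-05-01T09:15:40Z user=bob action=export rows=900 bytes=360000
2024-05-01T10:01:03Z user=carol action=export rows=1100 bytes=440000
2024-05-01T10:22:57Z user=dave action=export rows=1000 bytes=400000
2024-05-01T11:05:19Z user=erin action=export rows=950 bytes=380000
2024-05-01T11:40:02Z user=frank action=export rows=1050 bytes=420000
2024-05-01T23:58:44Z user=mallory action=export rows=250000 bytes=98000000
2024-05-01T23:59:30Z user=mallory action=export rows=240000 bytes=96000000
"""

# Assumed key=value layout; only export events with a byte count are counted.
LINE_RE = re.compile(r"user=(?P<user>\S+) action=export .*?bytes=(?P<bytes>\d+)")


def bytes_per_user(log_text):
    """Aggregate exported bytes per user over the window covered by the log."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            totals[m.group("user")] += int(m.group("bytes"))
    return dict(totals)


def modified_zscores(values):
    """Iglewicz-Hoaglin modified z-score: 0.6745 * (x - median) / MAD.

    Median and median absolute deviation are not dragged upward by the
    outlier itself, unlike mean/standard deviation. When MAD is 0 (all
    values identical) nothing deviates, so every score is 0.0.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]


def flag_exfil_candidates(log_text, threshold=3.5):
    """Return {user: score} for users whose export volume exceeds the threshold.

    3.5 is the conventional cut-off for the modified z-score.
    """
    totals = bytes_per_user(log_text)
    users = list(totals)
    scores = modified_zscores([totals[u] for u in users])
    return {u: round(s, 2) for u, s in zip(users, scores) if s > threshold}


if __name__ == "__main__":
    for user, score in flag_exfil_candidates(SAMPLE_LOG).items():
        print(f"ALERT {user}: export volume modified z-score {score}")
```

Run stand-alone, the script flags only `mallory`, whose two late-night exports total roughly 460 times the median of the other users, while the ordinary variation among the remaining six users stays far below the 3.5 threshold. The same aggregation could be keyed by source host or destination instead of user, and the window widened to a rolling baseline, without changing the scoring function.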