The financial sector is undergoing a profound transformation, driven by digital innovation and increasingly sophisticated cyber threats. Against this backdrop, the European Commission introduced the Digital Finance Package in September 2020, culminating in the Digital Operational Resilience Act (DORA). This landmark regulation establishes a comprehensive framework for managing ICT-related risks, emphasising operational resilience, incident reporting, and third-party oversight.
While DORA’s focus on external cybersecurity threats is well-known, its implications for managing insider risks, deliberate or accidental, are equally critical. Insider risks have the potential to undermine operational resilience, disrupt services, and erode stakeholder trust. In this article, we highlight the key aspects of DORA compliance through the lens of insider risk management.
Insider risks, whether from employees, contractors, or third-party providers, pose unique challenges. To thrive under DORA’s mandates, we believe organisations like yours must adopt a comprehensive approach that integrates robust cybersecurity governance, proactive risk management, and a keen focus on internal vulnerabilities. By addressing insider risks, you can safeguard sensitive assets, ensure operational continuity, and build digital trust.
This article explores how managing insider risks is pivotal for DORA compliance and offers 7 actionable strategies to help you mitigate these risks.
Under DORA, strong governance is paramount. We believe that effective governance frameworks must go beyond traditional external threat mitigation and incorporate insider risk as a core component. Insider risks, like for example espionage, data theft or sabotage often arise from governance deficiencies such as unclarity on responsibilities around identifying insider risk, but also on the implementation of countermeasures like access controls or unclear and dispersed reporting mechanisms for reporting incidents. By establishing governance structures that explicitly define roles and responsibilities for managing insider risks, you can strengthen your organisation’s defences.
In addition, board-level accountability is crucial under DORA. Your board should oversee the creation and execution of policies tailored to address insider risks. This includes frameworks for monitoring, detecting, and reporting incidents. Regular updates on insider risk incidents should be presented to your board to ensure data-driven decision-making. These steps will help you foster a security-conscious culture where every layer of the organisation is aligned in managing insider risks.
While external cyber threats often dominate focus, insider risks must also be systematically identified and addressed. This requires a comprehensive understanding of potential vulnerabilities that insiders might exploit. As an important part of detecting threats in an early stage, we recommend advanced and well-configured monitoring tools that can detect unusual patterns in employee activities, such as unauthorised data access or unexpected downloads.
In addition, you should integrate insider risk scenarios into your regular incident response drills. This will ensure your teams are prepared to address threats stemming from internal actors, whether accidental or malicious. Cross-departmental collaboration between Management, HR, IT, and Cybersecurity teams will enhance your ability to identify warning signs early and mitigate risks before they manifest & escalate.
In today’s interconnected financial sector, reliance on third-party ICT providers introduces another layer of insider risk. These risks stem from vulnerabilities in third-party systems or personnel that could be exploited to target your organisation. To address this, we advise thorough vetting of third-party providers, including security assessments and background checks.
Contractual safeguards should require providers to adhere to robust insider risk management practices, including employee training and strict access controls. Continuous monitoring of third-party compliance ensures that risks are mitigated throughout the relationship. Furthermore, maintaining a comprehensive register of critical third-party providers, as mandated by DORA, enhances oversight and accountability.
DORA emphasises resilience, and this extends to recovering from insider-driven disruptions. You must ensure robust mechanisms are in place to address incidents such as sabotage or data theft. Frequent backups of critical systems and data can mitigate the impact of such incidents, ensuring operational continuity.
Resilience also requires the ability to investigate insider incidents thoroughly. By investing in forensic tools, procedures and expertise, you can pinpoint root causes and implement preventative measures. Incorporating insider threat scenarios into resilience testing allows you to identify vulnerabilities and refine your recovery strategies.
DORA requires organisations like yours to report major ICT-related incidents promptly. However, insider-driven incidents often go unreported due to insufficient detection mechanisms & unclear reporting protocols. To address this, you should establish clear guidelines for identifying and reporting insider incidents, ensuring compliance with DORA’s timelines. In addition, awareness on what is considered as an insider incident, but also signals of suspicious behaviour should be created and incorporated in your security awareness programme.
Furthermore, real-time monitoring systems can help flag insider activities that meet DORA’s reporting criteria. Transparent communication with clients and regulators about insider incidents and corrective actions taken further strengthens trust and accountability.
Operational resilience testing is a cornerstone of DORA compliance. Your testing must include scenarios that simulate insider threats, such as compromised credentials or rogue administrators. These exercises help identify gaps in your defences and adapt strategies to evolving threats.
Engaging external experts for independent assessments of insider risk management practices can provide valuable insights and recommendations. Regularly updating testing protocols ensures that you remain prepared to address new and emerging insider risk scenarios effectively.
DORA encourages information sharing across financial entities and regulatory bodies to enhance collective resilience. Collaboration is vital in addressing insider risks effectively. You can benefit from sharing insights on trends, mitigation strategies, and best practices for insider risk management.
Proactive engagement with European Supervisory Authorities ensures that your insider risk management practices align with regulatory expectations. Additionally, establishing channels for sharing insider threat intelligence helps you identify common vulnerabilities and strengthen defences collectively.
Insider risks are an integral part of achieving and maintaining DORA compliance. By integrating insider risk management into your resilience strategies, you not only meet regulatory requirements but also enhance overall resilience, protect sensitive assets, and maintain trust in an increasingly digital financial landscape.
Signpost Six guides organisations within financial services in their journey towards DORA compliance from the perspective of insider risk management. Therefore, we make use of our proprietary insider risk control framework that leverages our expertise from hundreds of clients and integrates best practices and established frameworks, making it the first of its kind in the market. Its uniqueness lies in its holistic approach, covering nine comprehensive domains of insider risk.