Yakir Golan is CEO of Kovrr, a cyber risk modelling company that uses AI to predict and price cyber risk.

As the unique level of cyber risk the financial sector faces becomes ever more apparent, regulators are increasingly adopting measures to proactively limit the far-reaching impact a cyber incident can cause. One such measure is the European Union’s Digital Operational Resilience Act (DORA), which mandates that financial institutions adhere to a myriad of new practices related to information and communications technology (ICT) risk management.

Although DORA entered into force two years ago, in 2023, it officially applies from 17 January this month. At that point, organisations must be fully prepared to meet the legislation’s stringent obligations, laid out in a series of 64 Articles, or face the legal consequences.

Achieving compliance, however, is far more intensive than merely updating a few internal policies. Instead, organisational stakeholders must soon be able to gather, analyse, and document an immense amount of data to make highly strategic decisions and govern the business according to both the legislation’s demands and broader operational goals.

Cyber risk management under DORA

This challenge has sent executives in search of advanced cyber risk management solutions, ones that not only streamline processes but also help to bridge the gap that commonly exists between executives and complex cyber matters. While the market has no shortage of valuable cybersecurity tools, one that stands out as particularly valuable in this context is on-demand cyber risk quantification (CRQ).

CRQ platforms help stakeholders thoroughly assess their organisation’s cyber risk exposure and then translate the results into clear, measurable outcomes, such as event likelihoods and their respective financial impact. With a shared understanding of the organisation’s cyber risk, all responsible parties can more easily align their efforts and fulfil DORA compliance expectations.

Article 5 of DORA, for instance, stipulates that management bodies of financial entities set and approve the “digital resilience strategy… including the determination of appropriate risk tolerance level,” that is, the degree of risk a business is willing to accept in pursuit of its mission. However, to calculate these levels adequately, stakeholders first need to know their unique susceptibility to digital threats, the monetary implications, and the organisation’s ability to absorb the damage.


Indeed, determining relevant risk appetite and tolerance thresholds serves as the basis for building out any robust cyber risk management strategy, as the majority of subsequent decisions, ranging from resource allocation to incident response planning, will be anchored to these benchmarks. CRQ facilitates this process by offering a range of possible loss scenarios for the upcoming year and their respective likelihoods, enabling management to make such data-driven decisions.

DORA’s Article 6 likewise lays out a series of provisions that can be more easily adhered to with tools like on-demand CRQ. For example, on top of establishing a robust ICT risk management framework, entities must be able to explain “how [the framework] supports [their] business strategy and objectives.” In other words, managers have to demonstrate that risk management strategies enable broader growth and stability.

Objective CRQ insights – such as the reduction in financial risk a security control upgrade can deliver, or the ROI of a new initiative – can highlight how investing in cybersecurity contributes to a company’s economic prosperity. Other quantified metrics, such as the total number of data records lost and the outage duration of an average cyber event, are similarly crucial for illustrating how a strategy is working to better align with the overall risk appetite.
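To make the CRQ outputs described above concrete (likelihood of exceeding a risk tolerance threshold, expected annual loss, and the financial benefit of a control upgrade), here is a small added Monte Carlo illustration. It is not Kovrr’s model or code; it assumes a compound Poisson/lognormal loss model, and every parameter value (incident rate, incident cost, tolerance threshold, control cost) is constructed for illustration.

```python
"""Toy cyber risk quantification (CRQ) model, added as an illustration only.

Incidents per year ~ Poisson(rate); each incident's cost ~ LogNormal(mu, sigma).
From the simulated annual losses we derive the outputs the article attributes to
CRQ platforms: the probability that a year's loss exceeds the risk tolerance, the
expected annual loss, and the return on a control that lowers incident frequency.
All parameter values below are constructed, not real data.
"""
import math
import random
from statistics import mean


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's algorithm: draw the number of incidents in one year."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(rate, mu, sigma, years=20000, seed=7):
    """Monte Carlo: total loss for each simulated year (seeded, so reproducible)."""
    rng = random.Random(seed)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, rate)))
            for _ in range(years)]


def exceedance_probability(losses, threshold):
    """Likelihood that a year's total loss exceeds the tolerance threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def control_roi(baseline, with_control, annual_control_cost):
    """(avoided expected loss - control cost) / control cost."""
    avoided = mean(baseline) - mean(with_control)
    return (avoided - annual_control_cost) / annual_control_cost


def run_example(seed=7):
    # Constructed assumptions: ~1.2 incidents/year, median incident cost EUR 500k,
    # board risk tolerance EUR 2m/year, hypothetical control halving frequency at EUR 200k/year.
    mu, sigma, tolerance, control_cost = math.log(500_000), 1.0, 2_000_000, 200_000
    base = simulate_annual_losses(1.2, mu, sigma, seed=seed)
    mitigated = simulate_annual_losses(0.6, mu, sigma, seed=seed)
    return {"expected_annual_loss": mean(base),
            "p_exceed_tolerance": exceedance_probability(base, tolerance),
            "p_exceed_tolerance_mitigated": exceedance_probability(mitigated, tolerance),
            "control_roi": control_roi(base, mitigated, control_cost)}


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value:,.3f}")
```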

Vendor evaluations are critical under DORA

Beyond demanding internal assessments, DORA also explicitly acknowledges the role that external vendors play in the financial sector’s risk landscape, requiring entities to comprehensively evaluate any third-party ICT provider they wish to work with. Article 28 emphasises the necessity of these evaluations prior to any formal engagement, ensuring that organisations can fully account for any additional risk such partnerships would entail.

Among their capabilities, CRQ platforms can also calculate the costs associated with third-party service providers and the specific technologies they offer, allowing stakeholders to quantify the financial impact of the relationship. Using this data, organisations can decide whether to proceed or to explore alternative providers and solutions, while also obtaining a robust rationale for compliance purposes.

With IBM’s annual report finding that the average cost of a data breach in the financial sector in 2024 amounted to $6.08m, it’s plain that DORA is a much-needed regulation that’s going to bolster the cyber resilience of the global marketplace. However, organisations must quickly harness new solutions that can help them navigate these new requirements. While gathering, analysing, and reporting the necessary information will be no easy feat, those who rise to the challenge will set themselves up for long-term market success.