How DORA is set to enhance digital resilience

Kees Stammes of Securify: "DORA is absolutely necessary."

The Digital Operations Resilience Act (DORA), which comes into effect on January 17, 2025, aims to enhance the resilience of the financial world against potential cyber attacks. This is structured around five pillars, with ‘Digital Operational Resilience Testing’ posing significant challenges for many businesses. Kees Stammes, Managing Director of Securify, further elaborates on this in the following article.

The pentest, or penetration test, is a common term in the industry, referring to an annual test where an ethical hacker attempts to breach your systems. However, DORA, along with Kees, believes that once a year is no longer sufficient. “The classic annual pentest no longer meets the requirements of today. We live in an era of continuous innovation, where organizations and hackers alike continue to evolve. The likelihood and impact of a security incident have increased significantly over the past 10 years. These changes cannot be adequately addressed with an annual pentest. Therefore, DORA measures require organizations to have a test strategy based on these current risks. A game-changer for small and medium-sized organizations in the financial sector.”

"Legislation on cybersecurity is lagging far behind other regulations"

Mixed feelings on DORA

Initially, DORA may evoke pessimism. It increases bureaucracy and introduces more obligations. Moreover, it requires time, money, and effort as companies are expected to maintain their operations diligently. Companies are now required to conduct an annual risk assessment, map supplier risks, share incidents and cyber threats, and establish a testing strategy. However, it also enhances the digital resilience of financial organizations. Currently, news reports of organizations being plagued by cyber attacks and data breaches are published weekly. “Legislation on cybersecurity is lagging far behind other regulations,” says Kees. “Look at all the restrictions and controls in the pharmaceutical industry, for example. You can’t imagine medications being released without being tested first. Medication should work without you having to worry about your safety. The same expectation applies to the use of hardware and software.”

Different risk profiles call for different testing strategies

A significant part of DORA is the development of the IT Risk Management Framework. It is essential for organizations to identify which interests need protection. As this varies for each organization, it results in a unique risk profile. For an InsurTech company, exploiting a widely used app may be the greatest risk, while a traditional insurer may have a broader range of risks throughout the organization. Therefore, organizations must develop a testing strategy based on the interests to be protected for their own organization. Securify advises building a testing strategy based on four levels: code level, application level, infrastructure level, and organization level. A test strategy is often built based on a Security Gap Analysis. This provides organizations with insight into their security posture with the help of an external party. Concrete improvement points and a roadmap, including a testing strategy, follow from this. With a Security Gap Analysis, organizations quickly gain insight into their own resilience and potential attack paths by malicious actors. “The first step with new clients is often a Security Gap Analysis. We can help because we look at organizations from an attacker’s perspective. Additionally, we have the threat intelligence necessary to provide sector- and organization-specific advice.”

"This means we test with as much information as possible, including access to source code, enabling us to test more efficiently and thoroughly."

Part of the Security Gap Analysis is the testing strategy required for DORA. Components within this testing strategy range from vulnerability scanning, pentesting, physical testing, code reviews, to a Red Teaming variant, the Threat Led Penetration Test. “We have been conducting these tests for over 10 years, always going the extra mile and digging deeper. For example, we conduct the highest percentage of whitebox pentests in the market. This means we test with as much information as possible, including access to source code, enabling us to test more efficiently and thoroughly. This allows us to identify the most challenging vulnerabilities and provide better advice to clients,” says Kees. “Furthermore, with our Inline service, we have transformed the classic pentest into an agile code review process. Our (mostly) senior specialists inspect the source code for vulnerabilities in each sprint, allowing organizations to focus on innovation without worrying about security.”

Threat Led Penetration Test

Red Teaming according to the ART or TIBER framework?

On April 10, 2024, DNB launched the ART framework. Advanced Red Teaming can be used to execute realistic scenarios at a high level. It is modular, allowing organizations to customize the elements included in the test. The ART framework is derived from the TIBER framework, which imposes stricter measures on the test. TIBER tests the entire organization on all elements and, for example, requires three scenarios in the test, while ART requires at least one scenario.

In the DORA regulation, it is stated that the Threat Led Penetration Test must be conducted according to the TIBER framework. With the launch of ART, there is a possibility that DORA may adopt this framework instead of the TIBER framework. ART is easier to execute and can save organizations a lot of money by taking less time. “Both frameworks test the entire organization based on a current scenario, but ART is more accessible. This allows smaller organizations to participate more easily and get used to a Red Teaming test. Due to the launch of ART and DORA, we expect to conduct more Red Teaming assignments. Securify is well represented in the financial sector, so we already perform these scenario-based tests regularly. But this will provide the additional boost needed to make the entire sector digitally resilient,” concludes Kees.

What does Securify do?

Securify, based in Amsterdam, is founded in 2013 by former security specialists of ABN AMRO, Rabobank and Delta Lloyd. In 2024 Securify consists of a team of 50 ethical hackers, secure coding experts and security researchers. Securify specializes in all kinds of preventive security engagements and helps organizations to identify, resolve and prevent technical security risks.

Many companies, ranging from startups to large banks, have put their trust in Securify for years already, to properly secure their systems and applications. With the hundreds of penetration tests, code reviews and red teaming exercises performed each year, Securify helps to better secure the data of millions of Dutch citizens.