As a measure to enhance the overall digital operational resilience of the EU financial sector, in late 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the European Union. As organisations prepare for DORA’s deadline in January 2025, SecurityScorecard, the cybersecurity firm has found that nearly one in five (18 per cent) organisations have a cybersecurity ‘C’ rating or below in its latest report.
In the wake of attacks such as MOVEit and SolarWinds, cybersecurity regulations are increasing the need for comprehensive approaches to manage vendor risk and ensure compliance. However, in its report, DORA and Cyber Risk: A New Framework for Third-Party Risk in the European Union, SecurityScorecard has revealed that many organisations’ cybersecurity standards are not up to scratch. In fact, 78 per cent have experienced a third-party data breach in the past year.
Furthermore, the report shows visibility across the entire third-and fourth-party ecosystem is mission-critical. A fourth-party breach has exposed over eight in 10 (84 per cent) firms. This shows that risks not only hide in plain sight, but also reveals institutions’ current inability to track and measure risk.
Just three per cent of the third-party vendors were breached. This underscores the massive butterfly effect that hackers are just starting to take advantage of. It spotlights a single supply chain attack’s dramatic impact on the threat landscape. Cybercriminals use these types of attacks to potentially gain access to all organisations that use that software. Therefore, it is imperative that software is not compromised.
A failing grade
Shockingly, 18 per cent of firms have a cybersecurity ‘C’ rating or below. According to SecurityScorecard, a ‘C’ rating means the organisation is four to seven times more likely to suffer a breach than those with an ‘A’ rating. Seven factors that drive cyber risk and can be predictive of a breach, include
- Endpoint security
- Patching cadence
- Ransomware score
- DNS health
- IP reputation
- Cubit score
- Network security
“If nearly 20 per cent of the most well-resourced financial entities in the EU have grades of C or worse, then it’s likely that the overall cyber resilience for other financial entities is actually much lower,” said Matthew McKenna, chief sales officer, SecurityScorecard. “Financial entities need a trusted view of security risk. SecurityScorecard dynamically discovers risk across a customer’s attack surface, including their third- and fourth-party ecosystem, to dramatically reduce the risk of a compromise.”
Cyber risk by financial verticals
The report reveals retail banks are at the highest risk of a cyber attack. In fact, 82 per cent experienced a third-party breach in the last year. Meanwhile, eight per cent suffered from a breach in their own domain.
However, insurance firms have the lowest security scores. Twenty-four per cent have a ‘C’ security rating or below, and 78 per cent reported a third- or fourth-party breach. However, at the other end of the spectrum, private equity firms are the groups most prioritising cybersecurity. None of the respondents had any breaches on their own domains and achieved the highest ratings with only nine per cent at a ‘C’ rating or below.
DORA implications for third-party risk management
Managing third-party risk is a core theme of DORA and the EU approach to digital cyber risk more broadly. DORA requires financial entities to identify and assess all third-party risks. This includes threats to the confidentiality, integrity, and availability of data and systems, as well as risks to the financial entity’s ability to continue operating in the event of a third-party incident.
“Who financial entities choose to trust and how they sustain that trust are essential factors for the resilience of the EU’s financial services sector,” said Dan Morgan, senior government affairs director, Europe & APAC, SecurityScorecard. “Financial institutions must adopt an objective, standard measurement for third-party cyber risk to inform regulatory decisions, reduce cyber incidents, and comply with regulations, such as DORA in the EU.”
