Dora the cyber explorer

UK business leaders need to understand how they are affected by new cybersecurity legislation for the EU financial services sector, says Bruce McDougall CA, CFO and Founding Director at Black Arrow Cyber Consulting

I have been following the development of the EU’s new cybersecurity legislation, the Digital Operational Resilience Act (Dora), for some time. Although Dora applies to EU financial services firms from January 2025, its effects will be felt by firms in the UK (and elsewhere) with financial services clients in the EU.

The bottom line is that the legislation could have a commercial impact on UK firms if their EU clients decide to stop working with firms that can’t show strong cyber risk management.

Right now, EU financial services firms are elbow-deep in their cyber risk assessments for information and communication technology (ICT), as required by Dora. EU firms need to “have a sound, ICT risk management framework as part of their overall risk management system” and to manage those risks through cybersecurity controls. The crucial part is that the EU firm must include “the risk exposure to and from other financial entities” and for “critical or important functions”, and show its risk analysis to the local regulator on request.

Here is the commercial risk – and I see this with fund managers and administrators, for example, in the UK and offshore, who understand they are affected. They are preparing for when their EU clients say: “You feature on our risk register, because you provide an important function to our business. We need to review your cyber risk assessment and security controls, so we can provide details to our regulator.”

This could be a make-or-break discussion: if you present an analysis and cyber controls that do not match the quality expectations of the EU firm, it may decide to end your business relationship rather than face regulatory problems.

ICAS members in senior roles, such as finance director, often have responsibility for cybersecurity alongside IT, and may not realise that clients could contact them to evaluate their cyber risk management. From my experience supporting financial services clients in the UK and offshore to prepare for client conversations on Dora, there are three important points to remember when responding to requests for a review.

1. The EU firm has been deep-diving in Dora for some time, and its knowledge and expectations may be greater than yours, so it is important to be well prepared with specialist cybersecurity input.

2. The EU firm must consider “risks arising from data management, including poor administration, processing-related risks and human error”, so don’t think of this only in terms of technology. Cybersecurity requires aligned controls across people, operations and technology.

3. A large part of Dora is about managing the risk of technology providers, so it could be an automatic “fail” if your risk analysis has been driven solely by your IT team or provider. You need to show clearly that your leadership team understands cybersecurity and has prepared the risk analysis and strategy with the same governance and understanding as for financial or operational risk.

CAs should not be alarmed by this. It is a positive opportunity for financial services firms in the UK and elsewhere to make themselves attractive to EU clients by showing strong cyber risk management. The UK government has expressed its intention to follow suit with its own version of Dora. This is to be expected, as the future of the sector in the EU, UK and elsewhere depends on it – resilience against a cyber incident is every bit as crucial as against a financial shock.

blackarrowcyber.com
