Compliance with the EU's new Digital Operational Resilience Act (DORA) and the UK's Prudential Regulation Authority (PRA) has cost many businesses more than €1m ($1.02m) over the last 24 months, according to findings by Rubrik Zero Labs.
Financial services and banking firms have until January 17, 2025, to comply with the new EU DORA legislation. The Act will introduce an enforced universal framework with a focus on ICT risk management.
Of 350 CISOs surveyed for Rubrik Zero Labs' research, 47% of those in the UK and 38% in the EU said their organization spent over €1m on compliance.
A further 28% in the UK and 30% in the EU reported spending €501,000-€1m ($515,000-$1.02m).
James Hughes, VP of Solutions Engineering and Enterprise CTO at Rubrik, explained during a press briefing that the €1m figure was to be expected for this kind of project. For large financial organizations the costs could reach the tens of millions.
Hughes assessed that most organizations would have special dispensation for this type of financial commitment, and it would not necessarily be taken straight out of an already existing budget.
“Especially on the human side, if you need to bring in specialists to be able to implement these rules, get reports in the right shape as well as the right technology and then rehearse and prove that technology works, that’s where a lot of the costs come in,” he noted.
Rubrik’s research also found that most CISOs said their IT budget reflects their boardʼs business objectives in meeting DORA/PRA regulations.
The firm also highlighted the human toll that compliance with the regulation has had among CISOs, with 79% reporting that it has impacted their mental health.
Most CISOs (60%) say that DORA/PRA has added pressure to their role, while 23% of CISOs have considered moving to a less regulated industry.
CISOs Cite Ransomware as Top Risk
Rubrik’s survey also found that 20% of CISOs cited third-party compromise and 19% cited software supply chains as posing significant threats to organizations.
DORA legislation addresses third-party risks by requiring financial entities to conduct thorough due diligence and continuous monitoring of their ICT service providers.
Ransomware continues to be a top concern for CISOs in the financial sector, with 46% of UK CISOs and 33% of those in the EU citing it as the biggest threat to their organization.
The figure rises to 57% among companies with more than 2500 employees, which are more likely to perceive ransomware as a top threat.
Hughes emphasized the need for preparedness for ransomware incidents, highlighting their human cost.
“If you're not prepared for it and you've got your whole business down you don't know what to do…things go dark pretty quickly, because it just descends into panic,” he said.
In terms of ongoing compliance with regulations such as DORA, Hughes said the mindset has to be about resiliency because despite all the tools, such as firewalls, that have been used for prevention, cyber-attacks will still happen.
“You have to have the mindset of resiliency rather than just blocking everything,” he said. “You have to rehearse it continuously and it has to be part of the culture and the way we operate and control risk.”
Rubrik’s research was conducted by Wakefield Research, which surveyed 350 CISOs working at companies with a minimum of 500 employees in the finance and banking sectors, excluding holding companies.