The financial sector must safeguard a wealth of sensitive client data while it looks for ways to take advantage of the scalability and cost savings that public cloud services such as Azure offer, without exposing itself to data leaks or regulatory intervention. Financial services increasingly rely on technology companies. There is a risk that financial institutions fall victim to cyber-attacks or incidents, with harmful effects on the whole industry.
Poorly managed ICT risks can interrupt cross-border financial activity, which in turn harms the entire financial system. Managing information technology has become unavoidable for any business. This is why the Digital Operational Resilience Act (DORA), which helps to stop incidents of this kind from occurring or worsening, matters for the safety of every sector of the economy.
More and more customers are turning to FinTech companies for their financial services, and the tech giants are much better at fighting fraud, cyber-attacks and ransomware. To make this level of resilience available to everyone in the sector, the European Union introduced DORA in 2023. It will come into effect in January 2025, in nearly four months.
DORA is a relatively recent European regulation, which puts it in a good position to help finance firms build proper data systems, assess their risks and prepare for cyber risks. It is more than a set of rules; it's a proactive framework built on five pillars:
- High priority for ICT security: Preventing, detecting and responding to new forms of cybercrime requires enhanced skills, technology and expertise. DORA requires continuous risk assessment and mitigation, so that firms act proactively rather than only reacting to incidents.
- Incident reporting: Firms must be open so that the industry can learn from what happened. Major ICT-related incidents must be reported so that others know about them and can try to stop similar incidents from happening again. It's not merely about protection, but about building collective immunity.
- Testing digital operational resilience: By actively understanding not just environmental risks but also identifying specific risk factors, IT managers can prepare for the unexpected and keep their core operations running.
- Third-party risk management: Financial firms rely heavily on external ICT providers. DORA keeps these partnerships under close scrutiny to make sure providers meet the same security standards. The security measures must cover more than just the systems inside the company.
- Information sharing: Working together and sharing knowledge matters. By sharing threat intelligence and best practices, the whole industry can fight cyber threats together.
Right Side Data Processing = Data Risks
The trend is to reduce the total cost of ownership of systems, labor and operations by outsourcing unwanted technical debt, typically by moving to cloud ('right-side' data processing) offerings. Cloud migration has de facto become a strategic mandate for many companies, promising greater agility and the ability to innovate. However, handing large quantities of PII and sensitive (financial) data to public clouds rightly gives rise to concerns, not to mention the added costs, unnecessary data movement, unavoidable data duplication, and data privacy and regulatory risks.
Why? Centralized data, as in a data lake or a data warehouse, needs a high level of cyber resilience, data security and access control. Not only can a single cybersecurity incident open the door to a dump of an entire centralized data pool (see the recent SSN data breach); the potential for misuse of central data is also high. Current data solutions are unnecessarily complex and involve multiple layers and stages of data movement, often the result of years of neglected IT modernization and updates, and of risk assessment and mitigation practices never being implemented.
For example, moving from database systems to cloud platforms requires tight integration of ETL software that extracts data from on-premise systems and loads it into public cloud platforms such as Databricks or Snowflake to run machine learning or AI tasks. From this point on, ownership of the data processing moves from the original owner to the supplier. Depending on the contractual and legal terms, the supplier may use this data to train large AI models. Additionally, since clouds are internationally connected hyperscale systems, the physical location of the data cannot be assured.
From our experience with insurance and finance customers, cloud-based SaaS platforms use cloud providers to build and maintain the infrastructure for them, which means the IT manager responsible for digital transformation, GDPR and DORA does not know where the underlying servers are located or how they store the data. The risk of outages is higher, and the time to get back online is no longer manageable by the data owner. There are plenty of examples out there, the latest concerning Azure or Okta.
The European finance industry faces multiple challenges, and DORA is only one of them. Firms must also ensure that their cloud strategies are aligned with the current stringent regulations that protect customer data and maintain operational resilience. And they must be ready for much tighter regulation in the future, which will limit established data practices such as centralizing data into data lakes.
DORA Compliant Data Processing with Scalytics
Scalytics offers an efficient and elegant way for companies to comply with GDPR, DORA and many other data regulations around the world. Scalytics provides a federated data processing, machine learning and AI framework. Its 'left-side' data processing model, in which the calculations happen at the supported data source, is a technological game-changer for risk management.
Picture an insurance company processing mountains of customer data for underwriting and claims. Today, this data is moved out of its original systems, such as SAP or Oracle databases in different hosting environments, and stored combined in one place, which makes it an easy target for cybercriminals. Scalytics takes a different approach: by doing the calculations at the source, sensitive data stays put, which reduces the risks of moving and storing copies of it.
Our approach fits perfectly with DORA's principles
Enhanced data security: Scalytics makes it harder for attackers to access your data because it is not moved around or stored somewhere outside your control.
Better data privacy: The insurer keeps control of customer data in its operational systems, without additional movement and copies of that data, which helps it comply with GDPR and build trust.
Simpler third-party risk management: With less data shared with external providers, it's easier to keep an eye on things and manage third-party risk. Scalytics doesn't just help financial companies comply with the rules; it also gives them the tools to make the most of their data without worrying about security or privacy in the future. It's a good example of how new technology can help you implement strict data protection rules and grow your business.
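As an added illustration of the 'left-side' idea described above (example code written for this page, not Scalytics' or Apache Wayang's own code), the Python below contrasts copying raw records into a central pool with shipping only per-source aggregates, and checks what actually crosses the source boundary. The two source systems, their records and the minimum-group-size rule are constructed assumptions.

```python
import json

# Constructed sample records (not real customers): two operational systems, each keeping its PII locally.
SITES = {
    "policy_db": [
        {"ssn": "000-00-0001", "name": "A. Example", "region": "north", "claim": 1200.0},
        {"ssn": "000-00-0002", "name": "B. Example", "region": "north", "claim": 800.0},
        {"ssn": "000-00-0003", "name": "C. Example", "region": "south", "claim": 300.0},
        {"ssn": "000-00-0004", "name": "D. Example", "region": "south", "claim": 500.0},
    ],
    "claims_db": [
        {"ssn": "000-00-0005", "name": "E. Example", "region": "north", "claim": 1000.0},
        {"ssn": "000-00-0006", "name": "F. Example", "region": "north", "claim": 600.0},
        {"ssn": "000-00-0007", "name": "G. Example", "region": "south", "claim": 900.0},
    ],
}
PII_FIELDS = ("ssn", "name")

def pii_in_transit(payload):
    """True if any PII value from any source appears in what crossed the source boundary."""
    wire = json.dumps(payload, default=str)
    return any(r[f] in wire for rows in SITES.values() for r in rows for f in PII_FIELDS)

def centralized_mean_claim(sites):
    """'Right-side' processing: replicate every raw record into one pool, then aggregate there."""
    lake = [dict(r) for rows in sites.values() for r in rows]  # full copy, PII included
    acc = {}  # region -> (count, sum of claims)
    for r in lake:
        c, s = acc.get(r["region"], (0, 0.0))
        acc[r["region"]] = (c + 1, s + r["claim"])
    return {reg: s / c for reg, (c, s) in acc.items()}, lake

def local_partial(rows, min_count):
    """'Left-side' step, run at the source: only (count, sum) per region leaves; groups below min_count are withheld."""
    acc = {}  # region -> (count, sum of claims); a single customer's claim can't be read off a group of >= min_count
    for r in rows:
        c, s = acc.get(r["region"], (0, 0.0))
        acc[r["region"]] = (c + 1, s + r["claim"])
    return {reg: cs for reg, cs in acc.items() if cs[0] >= min_count}

def federated_mean_claim(sites, min_count=2):
    """Coordinator side: merges the partial aggregates; it never receives a raw record."""
    shipped = {site: local_partial(rows, min_count) for site, rows in sites.items()}
    acc = {}
    for partial in shipped.values():
        for reg, (c, s) in partial.items():
            c0, s0 = acc.get(reg, (0, 0.0))
            acc[reg] = (c0 + c, s0 + s)
    return {reg: s / c for reg, (c, s) in acc.items()}, shipped
```

With min_count=2 the single southern record in claims_db is withheld, so the federated southern mean is computed from fewer records than the centralized one; that trade-off between exactness and not exposing individual customers is the point to decide per use case.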
TL;DR
The EU's Digital Operational Resilience Act (DORA) is set to revolutionize data security in the financial industry. IT leaders and enterprise architects must prepare for stricter regulations that limit traditional data practices like centralization. DORA demands enhanced ICT security, incident reporting, resilience testing, third-party risk management, and information sharing.
Scalytics offers a groundbreaking solution with its federated data processing model. By performing calculations at the data source, Scalytics enhances data security and privacy, aligning seamlessly with DORA's principles.
Key takeaways for IT leaders & enterprise architects:
- DORA compliance is not just about adhering to rules, but about building a resilient digital foundation.
- Scalytics' 'left-side' data processing minimizes data movement and storage risks, ensuring compliance and fostering trust.
- Embrace new technologies like Scalytics to not only comply with regulations but also to thrive in a complex digital landscape.
DORA presents an opportunity for growth. With Scalytics, financial institutions can lead the digital transformation with confidence, ensuring the protection of their operations, customers, and future.
About Scalytics
Experience seamless integration across diverse data sources, enabling true AI scalability and removing the roadblocks that obstruct your machine learning data compliance and data privacy solutions for AI. Break free from the limitations of the past and accelerate innovation with Scalytics Connect, paving the way for a distributed computing framework that empowers your data-driven strategies.
Apache Wayang: The Leading Java-Based Federated Learning Framework
Scalytics is powered by Apache Wayang, and we're proud to support the project. You can check out their public GitHub repo right here. If you're enjoying our software, show your love and support - a star ⭐ would mean a lot!
If you need professional support from our team of industry leading experts, you can always reach out to us via Slack or Email.