The cyber resilience of financial institutions: Just sandcastles built on quicksand?

20 January 2025
Knowledge Base

by Andy Norton

The EU’s Digital Operational Resilience Act (DORA) has been on the regulatory horizon for some time. Yet its implications for the financial sector remain a pressing concern. As DORA has now come into effect as of 17 January, many financial institutions, burdened by legacy systems and a patchwork of software applications (*1), find themselves ill-prepared to meet DORA’s stringent requirements. Yet, some UK companies, especially smaller third-party ICT suppliers (*2), might think they’re exempt from DORA’s requirements in the wake of the UK’s EU exit. That’s not exactly the case. In fact, it’s unsurprising that 39% of organisations (*3) admit to feeling challenged by the UK’s increasingly complicated regulations and governance requirements; DORA is just another on a long list of regulations that firms must adhere to.

It’s now imperative for financial institutions and critical third parties to assess their cybersecurity posture in what little time is left. And as cyber threats continue to evolve, organisations must prioritise a top-down approach to remain compliant.

Therefore, the industry’s biggest concern isn’t wilful non-compliance, but the durability of its defences. Are their cyber fortresses built on bedrock or quicksand?

The sands of time are running out

The rise in cyberattacks targeting financial institutions, particularly those originating from third-party vendors and service providers, continues to be a crucial issue for the financial sector. This year alone the likes of Banco Santander, a Spanish multinational bank (*4), and the cryptocurrency exchange platform Gemini (*5) have all fallen victim to third-party breaches, showing how organisations are still reactive with their security posture.

From DORA to the Payment Services Directive 3 (PSD3) and the UK’s recent Cyber Security and Resilience Bill, more and more regulations are being imposed across the board, and this approach of ‘reactive firefighting’ will no longer suffice. For many, the increased costs to meet compliance have become a burden, especially as firms need to manage both local and EU frameworks across borders. Moreover, 35% of UK IT leaders (*6) within the financial services sector acknowledge that their firms lack sufficient budget allocations for cybersecurity programs, people and processes, all elements that would support compliance. A further 26% report a lack of commitment from their boards to foster a robust cybersecurity culture. As part of DORA’s mandate, senior leaders are held accountable for ensuring their organisation is compliant and cyber-resilient.

As a result, many firms are either unaware or woefully unprepared and risk severe penalties for non-compliance, including significant financial repercussions that would impact a firm’s bottom line. For example, the Intercontinental Exchange, which owns the New York Stock Exchange, was recently fined $10m (*7) for failing to report a cyberattack on its operations, showing the consequences awaiting those who fall short of regulatory expectations.

Adding to this complexity are the difficulties in managing and integrating an array of cybersecurity tools, further highlighted by the challenges of dependency mapping. Financial institutions often struggle to align their defences, leaving critical vulnerabilities exposed. Most enterprises will have over 130 security tools (*8), yet many of those will be siloed, unable to interact with each other and unable to provide a comprehensive view of the firm’s entire security ecosystem. This lack of visibility can make it difficult to identify and address dependencies, potentially leading to unforeseen risks and security breaches.

When you throw AI into the mix, which is now supercharging cyberwarfare to the point where 53% of global IT decision makers are concerned about its impact, firms find their digital sandcastles at risk of collapsing. So, what can be done?

From sandcastles to strongholds

Financial institutions must first and foremost return to the basics – ensuring strong cybersecurity fundamentals. In contrast to previous legislation that mainly imposed penalties following a breach, these new directives focus on proactive measures.

That means firms should shore up the likes of multi-factor authentication (MFA), firewalls, network visibility and regular software updates to help form the foundation of a strong security posture. These measures, coupled with regular risk assessments, provide a baseline defence against ever-increasing threats. In fact, these fundamentals should not be seen merely as a tick-box exercise for compliance, but as essential protection.

Automation is another crucial element, allowing institutions to efficiently manage the sheer scale and volume of modern threats. Without automation, the manual oversight of tens of thousands of physical and virtual assets (*9) connected to any organisation’s networks on an average day becomes impossible. Understanding and managing every device on the network is no longer optional; it’s fundamental. No matter how new or ‘state-of-the-art’ your various security tools are, if an organisation cannot see, identify and secure all its assets, the security posture remains weak.

Equally important is adopting a unified approach to security management, such as integrating security platforms into one coherent view. Bringing all security tools and processes under a unified management system creates better visibility, faster response times and more streamlined operations.

Once these fundamentals are sorted, advanced solutions like AI-powered threat intelligence become the next step for those seeking to stay ahead. By using AI, institutions can transition more effectively from reactive cybersecurity measures to a proactive defence strategy, identifying and neutralising threats before they occur – turning the hunter into the hunted. AI-driven tools continuously scan for potential entry points and monitor both surface and dark web activities, enabling real-time threat detection and situational awareness.

Incorporating machine learning and advanced techniques like Natural Language Processing (NLP), AI systems can prioritise remediation efforts and streamline threat hunting by predicting which vulnerabilities are most likely to be exploited. Ultimately, compliance is only the starting point. In an era where cyberattacks and cyberwarfare continue to escalate, financial institutions need to invest in solutions that enable them to stay one step ahead.

Building on solid ground

DORA presents a pivotal moment for the industry as it brings technology, businesses and external partners under the direct scrutiny of financial regulators for the first time.

Yet, it’s not just about ‘meeting’ compliance. It’s about securing the organisation from the rising tide of threats. Without a solid foundation, financial institutions will only continue to be targeted and fall victim. That’s why it’s crucial for firms to first ensure the cybersecurity fundamentals are in place as, without them, any advanced measures will eventually collapse under pressure.

Once these essentials are firmly in place, institutions can move beyond reactive firefighting and embrace proactive defence strategies, powered by AI-driven threat intelligence. But first, firms must take action to solidify this groundwork so that their defences can withstand the new age of cybersecurity.

The author, Andy Norton, is a European Cyber Risk Officer at Armis.

(*1) https://www.lseg.com/en/insights/data-analytics/how-much-problem-is-legacy-tech-for-financial-services

(*2) https://www.nccgroup.com/uk/dora-regulation-in-the-uk-what-financial-entities-and-ict-suppliers-need-to-know/

(*3) https://www.armis.com/newsroom/press/armis-research-finds-uk-organisations-challenged-by-enhanced-regulations-and-a-lack-of-policy-enforcement-causing-risk-exposure/

(*4) https://www.cpomagazine.com/cyber-security/banco-santanders-third-party-data-breach-exposes-customer-and-employee-info-across-countries/

(*5) https://www.infosecurity-magazine.com/news/us-crypto-exchange-gemini-breach/

(*6) https://www.armis.com/cyberwarfare/

(*7) https://www.cfodive.com/news/sec-fines-nyses-owner-10m-failing-report-cyberattack/716920/

(*8) https://www.anomali.com/blog/more-is-less-the-challenge-of-utilizing-multiple-security-tools

(*9) https://www.armis.com/attack-surface-management/
