Ahead of the deadline with the DORA compliance tomorrow, 47 percent of UK financial and banking organisations have spent more than €1 million to be compliance with regulations.

According to research from Rubrik, ransomware is the greatest threat to 46 percent of financial organisations, while 20 percent cited third-party compromise, and 19 percent cited software supply chains as posing significant threats to security.

Preparation

Speaking at a launch event in London, James Hughes, VP of solutions engineering and enterprise CTO at Rubrik, said there “is a lot of things you need to do for DORA, especially if you're not prepared for it.”

“One of the things with DORA is it's been a bit of a mindshift, because you've always had technologies that have broadly been there the whole time,” he said. “DORA talks about cyber resiliency, but when you run a big IT shop, things break all the time, so you get really good at fixing things and that becomes a muscle memory in IT.”

Looking at the million euro spend, Hughes said that he expects it to be spent on “people and the processes that you need to change, and the technologies.” In a large organisation though, he said it would likely cost “tens of millions”, but it really depends on the size of the organisation - especially if you have to change technology.

Specifically DORA

Speaking on DORA specifically, Hughes said that “a lot of it is common sense” and a “lot of it is what you probably should be doing anyway, but I think any good regulation needs to include the way the industry is moving.”

However Hughes believed there were few gaps in DORA, and is enabled innovation as well encouraging security and best practises. “I think if you have a regulator that says ‘you can't do X Y and Z because it'll stifle innovation’, that's probably a bad thing. If you have a regulator that sets the framework of what good practice looks like, and you can work within that framework -  which is what DORA has done - I actually think that's a really, really good thing.” 

The research from Rubrik also found a major disconnect with the rest of the C-suite when it comes to prioritising cyber resilience, as over three-quarters (77 percent) of UK CISOs feel that their IT budget is not completely reflected by their board’s objectives to meet regulatory requirements.

“There is a critical gap between board-level understanding and reality,” said Hughes. “While regulators are increasingly stringent, many CISOs feel their budgets don't adequately reflect the board's commitment to compliance. This disconnect jeopardises not only organisations' security posture but also their ability to meet evolving regulatory demands.”

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.