Q&A with Mick Grayson: Navigating DORA Compliance and Strengthening Digital Resilience

Jan 16, 2025

Welcome to Part 1 of our two-part series on navigating DORA compliance and strengthening digital resilience. With the enforcement deadline for the Digital Operational Resilience Act (DORA) fast approaching, financial institutions are racing to ensure their ICT systems meet the stringent requirements of this new regulation. To gain deeper insight into how firms are approaching DORA compliance, we sat down with Mick Grayson, Manager of GRC at Abacus Group. Mick shares his experience in helping clients implement DORA-compliant systems and enhance their digital resilience.

Q: Mick, can you tell us a bit about your role in helping clients with DORA compliance?

Certainly! My role involves working closely with clients to ensure that they not only meet DORA’s compliance requirements but also build resilient systems that can withstand future cyber threats. We focus on everything from policy updates and risk management to third-party due diligence and incident response. My team and I help clients enhance their existing processes and introduce new strategies to improve security, recover quickly from disruptions, and ensure compliance with the regulation.

Q: What were some of the key steps you took to help a client become DORA compliant?

One of the first things we did was review and update their written information security policies and incident response plans to align them with DORA’s requirements. This involved making sure their documents were not just compliant but practical. For example, we included an appendix in the updated policies that linked specific DORA requirements directly to the relevant sections in their policies, making the compliance process clearer for everyone involved. The incident response plan also had to incorporate DORA’s reporting requirements, so we added templates for reporting incidents to the relevant authority, ensuring the client could respond quickly if something happened.

Q: It sounds like a lot of work goes into reviewing and updating policies. What other steps were involved?

Yes, updating policies is just the beginning. We also focused heavily on enhancing the client’s Information Security Management System (ISMS). This is a crucial part of DORA compliance. We created an information asset register, which identified critical services and established recovery time and point objectives (RTO and RPO). This helps our clients understand the most important assets in their infrastructure and how quickly they need to recover them in case of a disruption.

We also set up an ICT risk register, which was crucial for managing and tracking potential risks. We used the CIA method—focusing on confidentiality, integrity, and availability—to assess risks and define the right controls. This allowed us to provide an initial and residual risk rating for each identified risk, which gave the client a clearer picture of where they stood in terms of security.

Q: Vendor risk management is another key aspect of DORA. How did you approach that?

That’s correct. Given how interconnected financial institutions are with third parties, DORA’s emphasis on third-party risk management is essential. A key differentiator with DORA is that it includes a focus on the availability of third-party systems, rather than focusing solely on the confidentiality and integrity of those systems. As a result, we worked with the client to establish a robust vendor due diligence process, ensuring they could identify and assess risks from third-party vendors. This was crucial to ensure that critical third parties were able to meet the recovery time objective (RTO) and recovery point objective (RPO) of the firm.

Q: How did you enhance the client’s vulnerability management and testing procedures?

To further strengthen their security posture, we introduced Vulnerability Management as a Service (VMaaS). This enhanced their existing vulnerability management process and provided them with proactive tools to identify and address potential security weaknesses before they could be exploited. It was a valuable tool in addressing emerging vulnerabilities, which is particularly important with the evolving threat landscape.

Additionally, we enhanced their Business Continuity Planning (BCP) readiness by running a Cyber Tabletop exercise. This exercise helped simulate real-world cyberattacks and tested the client’s ability to respond and recover quickly. It gave them the opportunity to practice incident response in a controlled environment, which is vital for ensuring they are ready for any cyber threat.

Q: What would you say is the most important takeaway for firms looking to become DORA-compliant?

The key takeaway is that DORA isn’t just about meeting a set of requirements—it’s about creating a culture of resilience. The regulation is designed to help firms build systems that can withstand disruptions and cyber threats, but it’s also an opportunity to enhance your overall security posture. My advice to firms is to treat DORA as a chance to look at your current processes and policies critically, identify gaps, and make improvements that will help you future-proof your organization. DORA compliance isn’t a one-time task; it’s an ongoing journey of continuous improvement.

Q: How has the experience of working with these clients shaped your approach to cybersecurity and resilience?

Working with clients on DORA compliance has reinforced the importance of a proactive and holistic approach to cybersecurity and risk management. It’s not enough to simply have reactive measures in place; firms need to be looking ahead, anticipating risks, and building resilient systems that can adapt to changing threats. I’ve seen firsthand how this approach has made a real difference in the ability of our clients to respond to incidents and recover swiftly. It’s about embedding resilience at every level of the organization, from policies to processes, to ensure long-term sustainability and security.

Conclusion

The implementation of DORA is fast approaching, but as Mick highlights, compliance is just the starting point. Building resilience, strengthening risk management frameworks, and preparing for emerging threats are how financial institutions can truly thrive in a rapidly evolving digital world. At Abacus Group, we’re proud to help clients navigate the complexities of DORA and ensure they’re not just ready for the regulation, but are equipped to lead in digital resilience. In Part 2, we will delve deeper into advanced strategies for maintaining resilience in the face of evolving cyber threats.
