As the cybersecurity threat landscape continues to evolve globally, organizations operating in the financial sector are seeing regulations shift to address the associated risks, and none may prove more impactful than the European Union’s (EU) Digital Operational Resilience Act (DORA). This regulation aims to strengthen the operational resilience of financial entities (FEs) and their third-party information and communication technology (ICT) providers. Here, we’ll cover what DORA is, why it matters and how Snowflake can help support your DORA compliance obligations.

The second batch of DORA policy products, which aims to strengthen oversight and risk management for third-party ICT providers, is currently under development. Snowflake will provide more information once the second batch of policy requirements is established in July 2024.

DORA: Building a More Secure Financial System

DORA, enacted in January 2023, moves beyond reactive measures, requiring FEs and their service providers to proactively identify vulnerabilities, prevent disruptions and plan for swift recovery from incidents. DORA mandates a five-step lifecycle approach:

- Identify: pinpoint critical functions vulnerable to disruptions.
- Assess: evaluate the potential risks associated with those functions.
- Prevent: implement robust measures to safeguard these functions.
- Respond: develop clear plans for effectively handling incidents and minimizing their impact.
- Recover: establish processes for rapid recovery after incidents to ensure business continuity.

This translates to several key requirements and their associated benefits:

- More stringent technical and process-oriented security measures, enhancing protection for both FEs and their ICT third-party providers.
- Identification of potential threats through data analysis and risk assessment processes to shift toward more proactive risk management.
- Collaboration between European Supervisory Authorities (ESA) and national competent authorities to promote consistent enforcement of cybersecurity rules and a more resilient financial ecosystem.

Five Core Pillars of DORA

1. ICT Risk Management Framework and Governance
FEs’ leadership teams must define a risk management strategy, inclusive of both their internally managed critical systems and the risks associated with their ICT providers. This strategy must incorporate business impact analyses as well as backup and recovery plans in the event of a security incident or loss of access to data.

2. ICT Incident Reporting
FEs must establish and implement a management process for monitoring, managing, logging, classifying and reporting ICT-related incidents. Depending on the severity of the incident, DORA specifies the incident notification timelines, forms and reporting requirements to both Competent Authorities (CA) and affected clients and partners.

3. Digital Operational Resilience Testing
FEs must test their ICT risk management framework periodically to evaluate the strength of the procedures and processes against any vulnerabilities. The results of these tests and any improvement plans against identified vulnerabilities must be reported to the CA, if requested.

4. Managing Third-Party Risk
FEs shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework. FEs must negotiate appropriate contractual arrangements when outsourcing functions to their ICT third-party service providers. ESA will designate critical ICT providers in January 2025. All designated critical ICT third-party service providers will be subject to direct oversight by ESA.

5. Information Sharing Arrangements
FEs are encouraged to exchange cyberthreat and intelligence information among themselves, and to collectively leverage their individual knowledge and practical experience at strategic, tactical and operational levels. This will assist in enhancing their capabilities to adequately assess, monitor, defend against and respond to cyberthreats by participating in information-sharing arrangements.

How Can Snowflake Help?

The Snowflake Data Cloud can be a valuable tool for FEs to achieve compliance with DORA and strengthen their overall operational resilience through robust security and advanced data management capabilities. When leveraged appropriately, Snowflake can and will empower FEs’ abilities to safeguard their sensitive financial data in compliance with their legal obligations.

Data Encryption: Snowflake encrypts data at rest using AES 256-bit (or better) encryption and leverages Transport Layer Security (TLS) 1.2 (or better) for data in transit. Snowflake’s Bring Your Own Key (BYOK) model (known as Tri-Secret Secure) empowers customers to maintain complete control over their encryption keys, adding an extra layer of security.

Access Control: Snowflake allows customers to define granular permissions for user roles, minimizing the risk of unauthorized access to sensitive data. Additionally, data can be classified and tagged based on its level of sensitivity, confidentiality or importance to the organization. This prioritizes security measures and simplifies data discovery.

Data Governance: Snowflake also offers a comprehensive list of data governance features. These include, but are not limited to, data masking, support for external tokenization and historical logging of user access history. These features further enhance the protection of customers’ sensitive data.

Data Resiliency: Snowflake understands the importance of data resiliency. Built-in fault tolerance and data replication support continuous access to your data, even during hardware failures. Data is automatically replicated across different availability zones within the same region. If there’s an issue, the system automatically fails over to another zone, minimizing downtime. Snowflake also offers advanced account replication and failover features (available in Business Critical and Enterprise editions). These features allow customers to replicate their entire Snowflake account, including databases and metadata, to a separate account in a different region, providing a complete disaster recovery solution. Replication is configurable, allowing customers to recover their data to a specific point in time, if necessary. By combining industry-leading security features with robust disaster recovery options, Snowflake provides a comprehensive solution for safeguarding your sensitive financial data.

Third-Party Monitoring: Snowflake has an established vendor risk assessment program, which evaluates the operational resilience of its sub-processors annually and on an ad hoc basis. Snowflake customers may subscribe at the above link to receive advance notifications of new sub-processors.

Proactive Security: Snowflake conducts frequent vulnerability scans and engages third-party security firms to conduct penetration testing of its platform. Snowflake also integrates with popular Security Incident and Event Management (SIEM) systems, allowing Snowflake customers to centralize security monitoring and receive alerts of suspicious activity. In the event of a security incident, Snowflake will provide its customers with timely information about the nature and consequences of the incident, the measures being taken to mitigate it, and the status of its investigation as described in Snowflake’s Security Addendum.

* * *

By leveraging Snowflake’s capabilities, FEs gain a strong partner in navigating DORA’s requirements, empowering them to build a more secure and trusted financial landscape. To learn more about our commitments, please contact Snowflake or reach out directly to your Snowflake Account Team for early access to guidance material.

This blog post is provided for informational purposes only, with the understanding that it shall not create any legally binding representations or other obligations on Snowflake or constitute legal advice. Snowflake serves a variety of Customers with organization-specific deployment models and regulatory compliance demands, and you are responsible for making your own independent assessment of the information contained herein and ensuring your own compliance with all applicable laws and regulations. You should consult with your legal advisors for any requirements associated with the compliance posture of your organization. Snowflake may update the information provided in this document from time to time without notice.

The post How the EU’s Digital Operations Resilience Act (DORA) Aims To Strengthen Operational Resilience in Financial Services appeared first on Snowflake.
As we close out 2022, we at DevOps.com wanted to highlight the most popular articles of the year. Following is the latest in our series of the Best of 2022. A technology company’s most valuable assets are its people and data, especially data about the organization itself. By knowing what data to track over time, […] The post Best of 2022: How DORA Metrics Can Measure and Improve Performance appeared first on DevOps.com.
BMC this week announced it has added support for DevOps Research and Assessment (DORA) metrics within its portfolio of DevOps tools for mainframe environments. John McKenny, senior vice president and general manager for intelligent Z optimization and transformation at BMC, said the latest edition of BMC Compuware zAdviser now includes a DORA KPI Dashboard that […] The post BMC Adds Support for DORA Metrics to Mainframe Tools Portfolio appeared first on DevOps.com.
European legislators came to an inter-institutional agreement on the Digital Operational Resilience Act (DORA) in May 2022. This is a major milestone in the adoption of new rules designed to ensure financial entities can withstand, respond to and recover from all types of ICT-related disruptions and threats, including increasingly sophisticated cyberattacks. DORA will harmonize how financial entities must report cybersecurity incidents, test their digital operational resilience, and manage ICT third-party risk across the financial services sector and European Union (EU) member states. In addition to establishing clear expectations for the role of ICT providers, DORA will also allow financial regulators to directly oversee critical ICT providers.

Google Cloud welcomes the agreement on DORA. As part of our Cloud On Europe’s Terms initiative, we are committed to building trust with European governments and enterprises with a cloud that meets their regulatory, digital sovereignty, sustainability, and economic objectives. We recognize the continuous effort by the European Commission, European Council, and European Parliament to design a proportionate, effective, and future-proof regulation. We have been engaging with the policymakers on the DORA proposal since it was tabled in September 2020, and appreciate the constructive dialogue that the legislators have held with ICT organizations.

Google Cloud’s perspective on DORA

We firmly believe that DORA will be crucial to the acceleration of digital innovation in the European financial services sector. It creates a solid framework to enhance understanding, transparency, and trust among ICT providers, financial entities, and financial regulators. Here are a few key benefits of DORA:

- Coordinated ICT incident reporting: DORA consolidates financial sector incident reporting requirements under a single streamlined framework. This means financial entities operating in multiple sectors or EU member states should no longer need to navigate parallel, overlapping reporting regimes during what is necessarily a time-sensitive situation. DORA also aims to address parallel incident reporting regimes like NIS2. Together these changes help get regulators the information they need while also allowing financial entities to focus on other critical aspects of incident response.
- New framework for digital operational resilience testing: Drawing on existing EU initiatives like TIBER-EU, DORA establishes a new EU-wide approach to testing digital operational resilience, including threat-led penetration testing. By clarifying testing methodology and introducing mutual recognition of testing results, DORA will help financial entities continue to build and scale their testing capabilities in a way that works throughout the EU. Importantly, DORA addresses the role of the ICT provider in testing and permits pooled testing to manage the impact of testing on multi-tenant services like public clouds.
- Coordinated ICT third-party risk management: DORA builds on the strong foundation established by the European Supervisory Authorities’ respective outsourcing guidelines by further coordinating ICT third-party risk management requirements across sectors, including the requirements for contracts with ICT providers. By helping to ensure that similar risks are addressed consistently across sectors and EU member states, DORA will enable financial entities to consolidate and enhance their ICT third-party risk management programs.
- Direct oversight of critical ICT providers: DORA will allow financial regulators to directly oversee critical ICT providers. This mechanism will create a direct communication channel between regulators and designated ICT providers via annual engagements, including oversight plans, inspections, and recommendations. We’re confident that this structured dialogue will help to improve risk management and resilience across the sector.

How Google Cloud is preparing for DORA

Although political agreement on the main elements of DORA has been reached, legislators are still finalizing the full details. We expect the final text to be published later this year and that there will be a two-year implementation period after publication. While DORA isn’t expected to take effect until 2024 at the earliest, here are four important topics that DORA will impact and what Google Cloud does to support our customers in these areas today.

- Incident reporting: Google Cloud runs an industry-leading information security operation that combines stringent processes, a world-class team, and multi-layered information security and privacy infrastructure. Our data incident response whitepaper outlines Google Cloud’s approach to managing and responding to data incidents. We also provide sophisticated tools and solutions that customers can use to independently monitor the security of their data, such as the Security Command Center. We continuously review our approach to incident management based on evolving laws and industry best practices, and will be closely following the developments in this area under DORA.
- Digital operational resilience testing: We recognize that operational resilience is a key focus for the financial sector. Our research paper on strengthening operational resilience in financial services by migrating to Google Cloud discusses the role that a well-executed migration to Google Cloud can play in strengthening resilience. We also recognize that resilience must be tested. Google Cloud conducts our own rigorous testing, including penetration testing and disaster recovery testing. We also empower our customers to perform their own penetration testing and disaster recovery testing for their data and applications.
- Third-party risk: Google Cloud’s contracts for financial entities in the EU address the contractual requirements in the EBA outsourcing guidelines, the EIOPA cloud outsourcing guidelines, the ESMA cloud outsourcing guidelines, and other member state requirements. We are paying close attention to how these requirements will evolve under DORA.
- Oversight: Google Cloud is committed to enabling regulators to effectively supervise a financial entity’s use of our services. We grant information, audit and access rights to financial entities, their regulators and their appointees, and support our customers when they or their regulators choose to exercise those rights. We would approach a relationship with a lead overseer with the same commitment to ongoing transparency, collaboration, and assurance.

We share the same objectives as legislators and regulators seeking to strengthen the digital operational resilience of the financial sector in Europe, and we intend to continue to build on our strong foundation in this area as we prepare for DORA. Our goal is to make Google Cloud the best possible service for sustainable, digital transformation for European organizations on their terms, and there is much more to come.