The European Union (EU) put forward a legislative proposal on “Digital Operational Resilience” (DORA).
The proposal, among other things, covers several aspects of cybersecurity, redundancy, and operations frameworks for institutions with enterprise infrastructure.
What might make or break the rules depends on how far DORA can help in preserving the soft information underbelly for businesses.
If DORA makes it through the process, we might see DORA becoming a standard, very much like the GDPR rules.
We reached out to Monica, Oravcova, Co-Founder & Chief Operating Officer, Naoris Protocol for insights into DORA and its implications.
Here’s what she had to say.
Monica, Oravcova, COO and Co-Founder at Naoris Protocol
E-Crypto News:
- How has the EU’s Digital Operational Resilience (DORA) legislative proposal affected the financial services sector?
Under DORA there are 21 types of financial institutions in scope, including very large enterprises like banks, insurance companies, pension schemes all the way to small digital e-money providers, token issuers and various crypto assets.
DORA unifies the basic requirements from an operational and security level, on how to handle cyber security threats and mitigate security risks arising from the digitalisation and increasing digital infrastructure including IOT, BYOD principles and cloud etc.
In addition, DORA has a long reach, requiring all critical third-country ICT service providers to those financial entities in the EU to be required to establish a subsidiary within the EU so that oversight can be properly implemented under DORA along with the Network and Information Security (NIS) directive.
E-Crypto News:
- On a more specific note, how has it affected Web3 organizations in the industry?
It has focused the sector on their responsibilities in terms of ensuring proper checks and balances are in place to ensure operational resilience if they come under attack from a hacker. The industry has been plagued with breaches, and we have seen massive escalations in all kinds of attacks ranging from malware, phishing, smishing and ransomware.
Organisations have not yet taken appropriate steps to secure their data. While Gartner predicts organisations will spend nearly $6.69 billion on cloud security in 2023, rising almost 27% year-over-year, Web3 is still not tackling its part of the potential $10T cyber-damage problem that we could face by 2025.
The elephant in the room is the proliferation of remote devices, IoT, remote working and cloud servers all acting as single points of failure within a security system. DORA will now hold companies accountable for these breaches so there will be a big scramble to mitigate these threats.
Proposed regulation addressing cyber threats has been in place for over a decade, and since then, threats have escalated exponentially. It’s now clear that cyberthreats are just as much of a risk to Web 3 as Web 2 enterprises, dispelling the myth that Web3 is unhackable.
What is not understood is that while the blockchain is unhackable, we have no way of knowing if the information being uploaded is uncorrupted, audited and accurate.
DORA will go a long way to setting standards in the industry and to ensure that when Web3 and Web 2 partners interact, that both subscribe to practices that protect their clients, they will no longer be able to blame 3rd parties for breaches.
Related: What You Need to Know About the Blockchain
E-Crypto News:
- Please, can you tell us about the salient aspects of the proposal?
DORA concentrates the following aspects of compliance:
-
ICT incident reporting and management, requiring financial firms to implement management systems to monitor, describe, and report any major ICT-based incidents to relevant authorities.
-
DORA will encourage financial firms to share cybersecurity information and intelligence, with firms in other member states to assist with strengthening response and recovery capabilities in the European financial sector.
-
Third-party ICT providers, including cloud service suppliers, will be regulated by one of the European Supervisory Authorities (ESAs), which may request information, issue recommendations and conduct inspections. They will also have the power to levy fines.
This standardised approach may result in the creation of a centralised EU body to facilitate incident reporting and management.
-
Financial services firms will also be required to assess and document potential risk that may come from associations with third-party ICT service providers
E-Crypto News:
- How will this impact the adoption of crypto, blockchain, and Web3 technologies?
Most regulation is a positive step for the adoption of crypto and web3 technology as it will eliminate a lot of fear amongst individuals and force companies to take their clients’ privacy more seriously.
I think the momentum of web3 has gone way beyond the point of no return, it will prevail, but it will continue to trip up until the technology catches up with cyber threats. I believe it will eventually iron out the inefficiencies and technology gaps that are plaguing the Web3 and crypto space at the moment.
Related: 5 Reasons Why the Cryptocurrency Adoption Rate is Slow
E-Crypto News:
-
What are the inherent risks that exist within financial service ecosystems?
We are still trying to mitigate web3 cybersecurity threats with outdated web 2 technology, some of this technology is 40 years old. You can’t play a decentralized game with centralized technology. In terms of safeguarding systems, we need a cyber security solution that addresses the new border-free world of web3.
A hacker can buy a malware software program on the dark web for as little as £1, and they steal an average of 75 records every second. However it’s not only hackers that pose a risk, bad actors on the inside of companies can also wreak havoc, and the poster child of this was SBF from FTX. The fintech environment by its nature tends to have flat management structures, where many employees have unprecedented access to sensitive information and systems.
This means that they can manipulate financial and technical processes for personal gain. By contrast, this would never happen in a traditional hierarchical financial services organization unless a large portion of the employees colluded. The safeguards in place are much more robust than in web3.
E-Crypto News:
- What have cybersecurity firms like Naoris Protocol done and are doing to mitigate these risks?
Naoris Protocol is building a solution that will go a long way in mitigating the current threats in near real time. It turns centralised computer networks with traditionally untrusted devices into a decentralised cybersecure mesh.
The protocol we are developing is designed to run in tandem with existing web2 and web3 security infrastructures to create an environment where there are no longer single points of failure.
Currently Backdoor [hacks], or logic bombs, (embedded sleeping malicious code) go under the radar because there isn’t a distributed, highly resilient cryptographic validation system of connected devices, that allows for the monitoring of running processes on critical systems.
E-Crypto News:
- How can new technologies enable the creation of trust within financial ecosystems?
So from an auditability perspective Naoris Protocol will enable regulators to ascertain if a company is following the standards imposed by DORA or not, and that could be to provide audited evidence after something happens or to provide real time Proof of State of Security during an event, this is a truly groundbreaking innovation.
This benefits not only the regulators, but the companies themselves, because they know that they can trust whatever they are seeing in the control centre. They will be able to manage risk across their own 3rd parties. This is currently impossible to do on a centralised system.
Through Naoris Protocol’s distributed trust system, we now have the capability to have a view of all machines, interrogating them at any point around the vast majority of controls that DORA requires.
It lets us know if there are vulnerabilities in the system, or if it has been interfered with in any way and it checks if best practices have been implemented. For example it will check if password policies have been integrated, if there’s adequate encryption and many other aspects that DORA requires.
All controls are validated and registered on the blockchain. So it’s like having an auditor in every machine all the time. It cannot lie. Every time you say or do something it’s populated by the whole infrastructure to be known to be true, using highly resilient principles.
That is only possible with a distributed platform and that’s what we offer. So the capability for regulators to actually regulate through our distributed protocol would actually be possible, for the first time ever.
Regulators will have full assurance and a resilient cryptographic backing of truth, of what every system and every company (that is regulated), is generating data wise, and the trust status of that data.
This is the next step in the evolution of regulation and we are more than happy to allow regulators to participate in the process and to not just review what we have for the benefit of regulatory principles, but also society as a whole.
I believe that Naoris Protocol, with our connections to academia, universities and others will be able to connect with regulators and decision makers and partner with them in the creation of a whole new paradigm of auditability capacity, so that we can actually see resilience in real time, with full trust, so operations can continue within complex systems.
E-Crypto News:
- Will decentralization be the way out for financial services? What are your thoughts about this?
Decentralisation brings transparency to all financial services industry operations. The prospect of decentralised validators and auditors is really important. Using some of the key principles of DLT and having access to the distributed ledger with immutable information and transactions, paves the way for unprecedented transparency and it will fight bureaucracy at the same time. For example, cutting down time and improving access to finance through decentralised loans (DeFi), or having a clean ledger for financial transactions in governmental organisations.
Related: Primary Challenges Of DeFi Every Consumer Must Know
E-Crypto News:
- How can financial firms remain ahead of hackers and other bad elements risk-wise?
Good security strategy starts with knowing the critical risks and vulnerabilities that exist within the business. Understanding which areas have the weakest links and how they could potentially be exploited is key, this is how a hacker thinks, so basically organisations have to think like hackers. They exploit the weakest links, and spend minimum resources to penetrate the complex networks.
Organisations should adopt a cyber awareness culture, where good security behaviour is rewarded and cyber intelligence sharing is actively practised through all departments and functions. Companies should have an incident response policy in place and regularly check their systems through pen testing, then harden their networks and implement technology tools.
E-Crypto News:
- What aspects of cybersecurity does the EU’s DORA fail to cover?
-
They have not set out a clear set of technical solutions which would make the financial sector compliant, nor have they explored leading edge decentraised solutions that address the myriad of devices that are potential points of access for hackers.
-
They could do more to promote cyber security culture and awareness. Given that over 90% of breaches are as a result of human error, this is an important aspect of the war against cyber threats.
-
It is going to be challenging for them to monitor and evaluate all organisations because they simply do not have the manpower to cover every eventuality. Just one organisation could have thousands of networks and partners spread all over the world.
-
There is still no clarity on the processes that will be employed to do the monitoring and evaluation, so this would need to be addressed as a matter of urgency.
E-Crypto News:
What services does Naoris Protocol offer? Please can you tell us about them?
Decentralized Cybersecurity mesh protecting the hardware and software infrastructure of businesses with threat mitigation in less than 1 second
-
Automated Security compliance checks and reporting
-
Enforcement of standards and security policies
-
Distributed ZeroTrust security Frameworks
-
Cybersecurity Trust application and implementation
-
Use cases include Financial Sector, IOT, Telco, Robotics
E-Crypto News:
As the global financial industry continues to go into chaos, what can be done to protect critical service infrastructure?
-
Create awareness that we are at a critical turning point with CyberSecurity
-
Fundamentally changing how we think about security, a reactive stance is not the way to go, there needs to be proactive, real time risk assessment and controls.
-
Regularly improve and iterate security testing of critical infrastructure
-
Train and develop more cyber security professionals, creating systems that encourage this
-
Create more enforceable laws to apprehend and punish cyber crime and intentional non compliance
E-Crypto News:
How do you think non-EU states will conform to DORA?
I believe that the EU has enough power and reputation to set a good example for the other countries. You can expect a similar response to what happened with GDPR and Data Privacy Shield. Similar legislation will follow the example of DORA as it is within everyone’s interests to have robust cyber security practices. It is only a matter of time before we see similar versions in other regions.
E-Crypto News:
What benefits does DORA bring to the table for financial services?
DORA is a much anticipated compliance framework which will bring standardisation across minimum-level security checks. These are needed to operate safely in a digital world and provide assurance to product users, investors and auditors.
We have to acknowledge that IT infrastructure, tools and services are evolving way faster than the legislation. Compliance and regulation disciplines require complex approval processes and management systems in the EU. Therefore DORA in its present form will be always considered a “bare minimum” solution and it will be up to the financial services sector to protect themselves against cyber threats.
E-Crypto News:
What are some of the unique solutions that can provide extra protections for financial service platforms? Can you give us some examples?
Re-establishing trust in untrusted environments, for example, using the strength of the whole infrastructure to prevent and harden the whole network against cybersecurity threats is one of the most innovative techniques.
Instead of building the fence higher we should turn every untrusted device, application or system into a strong, resilient, cyber defence node which will make networks safer as they grow, not weaker.
E-Crypto News:
Is there any role hardware security plays in securing financial services? Please can you elaborate on this?
Hardware devices and endpoints are a critical part of security resilience in the financial services arena. If you consider ATM`s or Point of Sale terminals, it is critical that the operating companies ensure they are able to manage and maintain them in the face of a threat. In theory every single store could be vulnerable to attack and this would have a direct impact on consumers.
If this kind of hardware becomes corrupted or hacked, or used for fraud after being tampered with, the most important interventions would be early detection and to prevent the hack from spreading.
This process could be achieved through distributed consensus Integrity and trust validations, which would share the cyber threat intelligence under a consensus mechanism through machine to machine communication.
E-Crypto News:
How far do you think hackers will go to penetrate financial service systems?
-
Hackers will leverage every opportunity they have, especially in the current environment of centralised cybersecurity systems
-
Never ending risks that are inherent in systems, cloud and endpoints, including 3rd parties are all points of failure.
-
The financial sector has the highest potential rewards for hackers therefore this sector is highly vulnerable
E-Crypto News:
How can financial service providers work to keep their systems secure?
The most important thing is to have consistency in their cybersecurity strategy and utilise agile frameworks to protect sensitive and complex environments. Using a decentralised cybersecurity mesh will integrate various components of the network infrastructure, endpoints, access control, applications, systems development security, cloud operations and supply chain into one comprehensive resilient environment, is a viable solution.
E-Crypto News:
What steps can people take to protect themselves from hackers?
-
Two factor authentication should be enabled on all devices and applications.
-
Create secondary accounts as backups.
-
Best practice with personal devices having at least one antivirus installed.
-
Follow your instincts – If something looks or feels suspicious it usually is.
-
If you are being pressured to pay for a service that feels suspicious, always stop and review, it probably is a fraud or a scam.
About Naoris Protocol
Naoris Protocol is the Decentralised CyberSecurity Mesh for the hyper-connected world. Our disruptive design pattern makes networks safer as they grow, not weaker, by turning each connected device into a trusted validator node. A robust Blockchain protocol that every company can use to protect against the escalating levels of cyber threat.
Devices are rewarded for trusted behavior, fostering a secure environment. Participants earn $CYBER staking rewards for securing the network.
The more users, businesses, and governance structures that use the Decentralised Cyberecure Mesh, creating networks of networks, the stronger and more secure it becomes.
