DORA and Artificial Intelligence on the horizon in Bulgaria
03 April 2024
Globally in 2024 the focus on cybersecurity in the financial sector continues to grow. As the number, value and complexity of attacks increase, so do the needs of the industry. If we had to point out the two main highlights for the year, they would be: on the one hand, the introduction of the new European DORA regulation, and on the other hand, artificial intelligence with all the opportunities and threats it reveals on the cyber horizon. This is what Boris Goncharov, Chief Visionary Officer of the cybersecurity company AMATAS and part of the Advisory Board of the DIGIPAY conference in 2024, commented on the DIGIPAY blog.
Introduction of the European DORA Regulation
The European regulation for digital operational resilience (Digital Operational Resilience Act), which became better known by the abbreviation DORA, entered into force on January 16, 2023 and will apply to a wide range of financial institutions from January 17, 2025.
Objectives of DORA
In short, it aims to protect Europe's financial stability, ensure that everyone's financial data is protected by default and prevent the growth of cybercrime in the sector.
Key Areas of Control Under DORA
The directive defines uniform requirements and standards regarding the security of network and information systems maintained by all financial businesses that manage a large volume of data - banks, insurers, fintech and crypto companies, etc. DORA differs from other similar regulations in that, for the first time, it introduces a single framework for operational sustainability and supervision for financial organizations throughout the European Union. It will carry out control in five areas:
- Risk Management
- Reporting of incidents related to information and communication technologies (ICT)
- Carrying out regular information security tests
- Disclosure of information about potential threats (threat intelligence)
- Information about risks from third parties and providers of information and communication technologies
Challenges and Implications of DORA
The regulation will definitely create a more sustainable and secure digital environment for financial companies, but it can also cause them serious material and image troubles if it is neglected. Along those lines, it's good to note that businesses that are just starting to plan for the practical implementation of DORA's requirements are late.
Expanded Scope of DORA
“Here again, the main problem is that regulation has a universal and mandatory scope that goes beyond the 'traditional' boundaries of the financial industry. The expanded scope affects a wide range of actors in the financial sector, including insurance and reinsurance companies, investment funds, management companies, fintech companies, as well as crypto service providers.” Expert Boris Goncharov commented that some of these companies are encountering such complex regulations focused on information security for the first time.
Preparation and Implementation Challenges
According to him, businesses are not yet fully prepared in terms of processes, organizational structure, technological measures, and expertise.
"It is not about the formal signing of some documents, but about complex measures that must be implemented and maintained. This involves changing infrastructure, revising and adapting multiple processes, creating new structures and teams, and building competencies. And the financial sanctions for non-fulfilment are significant," adds Mr. Goncharov.
Transposition into Bulgarian Legislation
Later in the year, the requirements of the Regulation are expected to be transposed into Bulgarian legislation. This has not yet happened, but it has no bearing on the preparation of financial organizations.
Importance of Real Implementation
"The most important thing is for businesses to actually manage to apply the new requirements in order to be more resilient to cyber threats, not because they have to, but because this can bring them more opportunities and real benefits." The topic of artificial intelligence gives us another opportunity to consider the strategic importance of information security. According to Boris Goncharov, artificial intelligence will continue to be deployed in the technological and financial sectors, thereby challenging traditional security paradigms.
AI and Cybersecurity Risks
"In the development of technologies, we follow the invariable tendency to exalt ourselves by the possibilities, without thinking about the risks and the inevitable consequences. After all, artificial intelligence opens up 'wonderful' new horizons for both individuals and groups who have different understandings of what is ethical and criminal," explains the AMATAS expert.
Offensive AI Capabilities
It is the deployment of offensive AI capabilities, in the direction of social engineering, malware and exploit development, vulnerability discovery, deepfakes and disinformation, that will exacerbate the long-standing challenges of cyber resilience, which ironically is something that DORA is trying to address.
Of course, these are just a few of the many possible risks AI poses to businesses, and the financial sector is in the eye of the storm because of the high stakes and concentration of data and assets. Therefore, the message of AMATAS to all of you is short and clear - be prepared.