financial sector - PATECCO GmbH

How PATECCO Supports Digital Operational Resilience in the Financial Sector: Expert-Interview with PATECCO’s special advisor Albert Harz

With the rapid digital transformation of the financial sector, operational resilience is no longer optional – it’s mission-critical. With the rise of cyber threats, complex regulatory requirements, and heightened reliance on Information and Communication Technology, financial institutions must ensure continuity, integrity, and security across all services and systems. To provide deeper insight into this critical issue Dr. Ina Nikolova sat down with Albert Harz who is PATECCO’s special advisor and ISO 27001 Lead Auditor, to discuss what digital operational resilience means under the new EU regulatory landscape and how financial institutions can prepare to meet these evolving demands. His expertise provides practical guidance on the scope, responsibilities, and key challenges introduced by the Digital Operational Resilience Act (DORA). Ina: Albert: Digital operational resilience refers to the ability of a financial entity to maintain its operational integrity and reliability, even in the face of ICT risks such as cyber threats or even a cyber-attack. This entails guaranteeing the quality and security of the information and network systems used to provide financial services, even in the event of disruptions. It involves having the ICT-related skills required to handle possible problems either directly or through outside service providers in order to guarantee the ongoing availability of financial services. Ina: Albert: The financial industry relies heavily on information and communication technology (ICT) to support daily operations and complex structures. ICT risk is greatly increased by growing digitization and connectivity, which makes the financial system especially vulnerable to cyberattacks and ICT disruptions. Financial organizations, particularly those that operate internationally, face difficulties in effectively managing ICT risk and reducing the effects of incidents due to gaps, overlaps, and inconsistencies in the Union’s current regulations. Maintaining the integrity and stability of the financial industry as well as the ongoing operation of the internal market depend heavily on ensuring digital operational resilience. Ina: Albert: The regulation applies to a wide range of financial entities. This includes, but is not limited to, credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, credit rating agencies, and crowdfunding service providers. Importantly, it also applies to ICT third-party service providers that supply services to these financial entities. Ina: Albert: A complete and documented ICT risk management framework must be established and maintained by financial entities. Mechanisms and steps for effectively and understandably managing ICT risk as well as safeguarding infrastructure and physical components should be part of this framework. In order to reduce the impact of ICT risk, entities must constantly monitor the security and functionality of all ICT systems, use robust tools and systems, and periodically review and update their risk scenarios. Additionally, they must keep track of and update inventories of relevant ICT assets on a regular basis. Ina: Albert: The regulation mandates a coordinated testing regime for digital operational resilience. All ICT systems and applications supporting critical or important functions must undergo appropriate testing at least once a year, according to financial entities other than micro-enterprises. These tests may consist of scenario-based testing, penetration testing, vulnerability assessments, and more. Additionally, at least every three years, specific financial entities that have been identified must perform advanced testing that simulates actual cyberthreats using threat-led penetration testing (TLPT). Ina: Albert: The regulation establishes a framework for managing ICT third-party risk. A strategy on ICT third-party risk, including a policy on the use of ICT services to support critical or important functions, must be adopted and reviewed on a regular basis by financial entities. They are required to keep a record of the terms of their contracts with these suppliers. In order to address possible systemic risks resulting from concentration and dependencies, the regulation also establishes an oversight framework for critical ICT third-party service providers. Contractual arrangements with critical or important functions must include specific elements to ensure oversight and resilience, including exit strategies. Ina: Albert: The Oversight Framework is a mechanism for continuous monitoring of the activities of ICT third-party service providers that are deemed critical to financial entities. Through the Joint Committee, the European Supervisory Authorities (ESAs) identify critical ICT third-party service providers according to standards pertaining to their degree of substitutability, systemic impact, and the significance of the financial entities they serve. For each designated critical provider, a Lead Overseer is assigned to carry out evaluations and offer suggestions regarding ICT risk mitigation and management. The objective of this framework is to guarantee the stability and integrity of the Union financial system while addressing the systemic effects of ICT third-party concentration risk. Ina: Albert: For violations of the rule, competent authorities have the authority to administer administrative fines and corrective actions. The degree of responsibility, the entity’s financial stability, the materiality and severity of the breach, and any prior breaches are some of the factors that determine the kind and extent of these measures. Violations of national laws may also result in criminal penalties for member states. If critical ICT third-party service providers disregard the Lead Overseer’s recommendations, they may also be subject to penalty payments. Ina: Albert: Thank you, Ina, for having me. Key Takeaways At PATECCO, we understand that digital operational resilience is not just about compliance – it’s about securing trust, stability, and long-term value for both financial institutions and their clients. With deep expertise in IAM, governance, and regulatory frameworks, we help organizations not only meet the technical demands of DORA, but also implement sustainable security strategies that strengthen business resilience. Stay tuned as we continue to share insights, success stories, and best practices on securing digital transformation in the financial sector. If your organization is seeking a reliable IAM partner with the capability to act decisively and scale effectively, feel free to reach us out at info@patecco.com or call +49 (0) 23 23 – 9 87 97 96 .

DORA Regulation as an important step towards strengthening digital resilience

Uncategorized / Von Ina Nikolova

In the context of increasing cyber threats, strict adherence to and implementation of corresponding compliance regulations is becoming increasingly important. As providers of critical infrastructure, it is particularly important for financial organisations to prevent IT outages and security incidents in order to ensure business continuity. With the Digital Operational Resilience Act (DORA), the EU has issued a set of regulations to ensure digital operational stability and prevent systemic risks in the financial sector. The new requirements harmonise and tighten the existing regulatory requirements for ICT management and interfere with IT operations and outsourcing to third parties. At the same time, the verification and reporting obligations are increasing, which means a considerable amount of additional work. Which organisations are affected? DORA affects a large number of organisations in the financial sector. These include not only banks and insurance companies, which are already familiar with such regulations through the EBA/EIOPA guidelines on ICT security and outsourcing, but also trading venues, occupational pension schemes, providers of crypto services, insurance intermediaries and many other financial companies. The categorisation of the service is important for ICT providers, including cloud service providers, in the financial sector. If the services provided are considered „critical“ for financial organisations, the scope of DORA is applied directly to the ICT provider. This requires compliance with high security standards to ensure the resilience of the financial market. In addition, some of these large ICT providers fall directly within the supervisory framework. Where should business leaders start? To successfully fulfil the requirements of DORA, a proactive approach is crucial. Companies should carry out a comprehensive analysis promptly in order to identify and prioritise the necessary measures. Close collaboration between IT and business units is essential. The implementation and operation of the measures require continuous monitoring and regular adjustments. The support of external experts can speed up the process and ensure that all requirements are met on time. Furthermore, it is important that companies not only fulfil the regulatory requirements, but also establish a culture of cyber security throughout the entire company. Awareness-raising and training for managers, key roles and all other employees are therefore essential to strengthen digital resilience at all levels. DORA requires further development of the risk management system The implementation of the Digital Operational Resilience Act (DORA), which will be mandatory from 2025, requires a comprehensive review and further development of various aspects of the risk management system. This includes in particular: Implement DORA with the help of PATECCO’s Risk-OptimAIzer Risk management is nothing new, but the risk view must be extended to the corporate ecosystem. In other words, the risks that exist or arise for the company through the procurement of services must be factored in. For this purpose, we have developed a tool to implement the requirements of DORA at PATECCO. The new tool Risk-OptimAIzer is able to perform the following functions: PATECCO can help your company implement the DORA requirement by setting up a comprehensible IT risk management system. As a first step we create a GAP analysis of the status of your risk management in comparison to the DORA requirements and based on the results, we create a customised implementation offer. By leveraging Risk-OptimAIzer, organizations can establish a structured approach to IT risk management that aligns with DORA regulations. The tool enables organizations to assess, monitor, and mitigate risks effectively, while also ensuring compliance with regulatory requirements and driving continuous improvement in software delivery performance. The DORA Regulation is an important step towards strengthening digital resilience in the financial sector. Cybercrime remains a constantly growing threat, regardless of DORA, which is why sustainable and cyclical cybersecurity planning is necessary. With an early and strategic approach, companies can strengthen their digital resilience and effectively protect themselves against cyberattacks. The implementation of DORA should not be seen as an obligation, but as an opportunity to sustainably strengthen security and resilience to digital risks.

Important reasons why financial institutions need Identity & Access Management

Uncategorized / Von Ina Nikolova

The financial sector is undergoing a radical change. Transactions are no longer carried out over the counter in branches; both customers and advisors want to have access to information and applications from anywhere and at any time. To ensure that user administration still fulfils the highest security requirements, banks need modern Identity & Access Management solutions that can also flexibly implement regulatory requirements. Well-designed solutions for Identity & Access Management significantly increase the level of security in all financial operations. IAM also offers other advantages that financial institutions should not do without. 1) SoD – improves the security situation The functional separation of demarcated activities in IT systems (Segragation of Duties – SoD) is one of many components of a well-designed IAM system to prevent such enormous damage. In addition to such prominent individual cases, cybercrime has posed an enormous threat to companies since the start of the coronavirus pandemic due to people working from home. Three out of four companies are victims of data theft or sabotage. In most cases, the perpetrators are (intentionally or unintentionally) current or former employees, meaning that a company’s own employees pose the greatest cyber risk. Company-wide guidelines and processes for user and authorization management contribute significantly to (internal) error prevention at this point. A well-structured IAM system ensures that only those employees have access to IT systems who are authorized to do so at the relevant time by the manager and the respective functional or technical managers of the IT systems. In addition to access control for normal user authorizations, particularly powerful authorizations (e.g. emergency access or so-called super users) should be controlled separately. With such authorizations, users can, for example, change parameter settings or bypass predefined release workflows. Such authorizations should therefore only be granted in emergency situations. This is where Privileged Access Management (PAM), which should be linked to the central IAM system in the company, provides the right tool. 2) Improves the end-user experience Complex, manual application processes for access rights in companies lead to long waiting times, employees need long start-up times to be able to work. For each system you have different user IDs and in the best case a password that is not easy to guess and therefore difficult to remember. This is precisely why many people associate IAM with annoying, time-consuming activities. A standardized and consistent IAM system ensures short application paths, automatic assignment and fast work in the target systems. Thanks to integrated and intelligent authentication using single sign-on (SSO), users can log into the target systems easily and securely. The advantages of such authentication services are obvious: they make it much easier to establish new customer relationships, as you only have to authenticate yourself once with the identity service. Integrated two-factor authentication also ensures a high standard of security. Identity management gives companies the opportunity to improve their digital customer relationships and gain trust in terms of data security. 3) Ensures compliance Banks and financial institutions are subject to various regulatory requirements, guidelines and standards such as BAIT, VAIT, ISO 27001 and GDPR. The attention paid to IT security by auditing bodies (banking supervisory authorities and auditors) has increased significantly in recent years and the rules have become dramatically stricter. The processes adhered to in the IAM system cover central governance requirements, such as the need-to-know principle or compliance with approval and control processes. Compliance can also be monitored with the help of logging and evaluation options. In addition to formal adherence to compliance, there are also beneficial „side effects“: system managers automatically start to think more about access rights and structures as a result of IAM processes. Internal IT compliance audits lead to significantly fewer findings and the work of internal and external auditors is made much easier. IAM thus makes a valuable contribution to the fulfillment of the compliance function in companies and should therefore not be neglected by those responsible in compliance departments (not only in banks and insurance companies). 4) Drives Efficiency In modern IAM systems, the associated processes are automated and run in real time. Manual control loops and human monitoring are therefore a thing of the past. Particularly in large and rapidly growing organisations, the IT landscape quickly becomes confusing and manual process steps become a cost trap. IAM automates the steps that were previously carried out manually and provides a framework that channels the authorisation management activities to be carried out. The massive reduction in manual activities not only relieves the burden on employees, but also saves considerable costs in the long term. IAM is also a key driver for the digitalisation of business processes in companies and therefore forms the basis for the digital transformation already underway in so many companies. An intelligent IAM system that is designed with the end user in mind can also reduce the workload for IT help desks by providing self-service options for users. 5) Boosts agility The profoundly advancing digitalisation in the financial sector requires the consistent application of agile methods and the expansion of digital capabilities, particularly in IT departments. Modern IAM solutions fit very well into existing IT processes and enable an agile approach. The ongoing transformation of IT applications into the cloud is optimally supported by an IAM. With a hybrid IAM model, any IT systems, whether in the cloud or on-premise, can be connected quickly and in a highly automated manner. Modern software developments, apps and enterprise web applications can also be connected to the company’s central IAM in an agile setting, ensuring consistent and secure access to all systems in the company. The introduction of IAM solutions realises many benefits for companies. With IAM, enormous fraud and damage incidents are reduced. Appropriate controls for access management are provided and all (regulatory) standard workflows are highly automated. IAM gives companies full transparency of user access to their systems at all times, significantly reducing manual process steps and waiting times in the provision of user access.