2025-01-16
The financial services sector is undergoing a seismic shift as organizations scramble to comply with the European Union’s Digital Operational Resilience Act (DORA) and the UK’s Prudential Regulation Authority (PRA) requirements. According to a recent study by Rubrik Zero Labs, the cost of compliance has already exceeded €1 million ($1.02 million) for nearly half of the organizations surveyed in the UK and EU over the past two years. With the January 17, 2025, deadline looming, the pressure is mounting for financial institutions to implement robust ICT risk management frameworks. But the financial burden is only one part of the story—compliance is also taking a significant toll on the mental health and job satisfaction of Chief Information Security Officers (CISOs).
The Financial Burden of Compliance
Rubrik Zero Labs’ research, which surveyed 350 CISOs from financial and banking firms with at least 500 employees, revealed that 47% of UK organizations and 38% of EU organizations spent over €1 million on compliance efforts. An additional 28% in the UK and 30% in the EU reported expenditures between €501,000 and €1 million. For larger financial institutions, these costs can skyrocket into the tens of millions.
James Hughes, VP of Solutions Engineering and Enterprise CTO at Rubrik, explained that these figures are not surprising given the scale of the task. Compliance requires significant investments in technology, specialized personnel, and rigorous testing to ensure systems meet the new standards. “Especially on the human side, if you need to bring in specialists to implement these rules, get reports in the right shape, and rehearse and prove that technology works, that’s where a lot of the costs come in,” Hughes noted.
The Human Toll of Compliance
Beyond the financial impact, the study highlighted the human cost of compliance. A staggering 79% of CISOs reported that the pressure to comply with DORA and PRA regulations has negatively impacted their mental health. Sixty percent said the regulations have added significant pressure to their roles, while 23% admitted they have considered leaving the financial sector for a less regulated industry.
Ransomware: A Persistent Threat
Ransomware remains a top concern for CISOs, with 46% of UK respondents and 33% of EU respondents citing it as the biggest threat to their organizations. For companies with more than 2,500 employees, this figure jumps to 57%. Hughes emphasized the importance of preparedness, stating, “If you’re not prepared for it and you’ve got your whole business down, you don’t know what to do… things go dark pretty quickly because it just descends into panic.”
DORA addresses third-party risks by requiring financial entities to conduct thorough due diligence and continuous monitoring of their ICT service providers. However, the complexity of modern software supply chains and the rise of third-party compromises (cited by 20% of CISOs) add another layer of challenge.
A Shift Toward Resilience
Hughes stressed that the key to navigating these challenges lies in adopting a mindset of resilience rather than relying solely on prevention. “You have to rehearse it continuously, and it has to be part of the culture and the way we operate and control risk,” he said.
As the 2025 deadline approaches, financial institutions must balance the financial and human costs of compliance while building systems that can withstand the evolving threat landscape.
—
What Undercode Says:
The findings from Rubrik Zero Labs underscore a critical reality for the financial services sector: compliance with regulations like DORA and PRA is not just a financial challenge but a cultural and operational one. Here’s a deeper analysis of what these findings mean for the industry:
The Rising Cost of Compliance
The €1 million price tag for compliance is a stark reminder of the resources required to meet modern regulatory standards. For larger organizations, these costs can escalate dramatically, potentially diverting funds from other critical areas like innovation or customer experience. However, this investment is non-negotiable in an era where cyber threats are becoming increasingly sophisticated.
The need for specialized personnel and advanced technology highlights a growing skills gap in the cybersecurity industry. Organizations must either invest in training their existing workforce or compete for a limited pool of experts, further driving up costs.
Mental Health and Retention Challenges
The mental health toll on CISOs is alarming. With 79% reporting negative impacts, it’s clear that the pressure to comply with DORA and PRA is unsustainable for many. This raises questions about the long-term retention of cybersecurity talent in the financial sector. If nearly a quarter of CISOs are considering leaving for less regulated industries, financial institutions must rethink how they support their cybersecurity leaders.
Ransomware and Third-Party Risks
The persistent threat of ransomware underscores the importance of resilience. While prevention tools like firewalls are essential, they are not foolproof. Organizations must prioritize incident response planning and regular testing to ensure they can recover quickly from attacks.
DORA’s focus on third-party risks is timely, given the increasing reliance on external vendors and software supply chains. However, continuous monitoring and due diligence require significant resources, adding to the compliance burden.
A Cultural Shift Toward Resilience
Hughes’ emphasis on resilience over prevention is a paradigm shift for the industry. It reflects the reality that cyberattacks are inevitable, and the focus must be on minimizing damage and downtime. This requires not only technological solutions but also a cultural shift where resilience becomes embedded in everyday operations.
The Road Ahead
As the 2025 deadline approaches, financial institutions must act swiftly to address these challenges. This includes:
1. Investing in Technology and Talent: Allocating sufficient resources to meet compliance requirements while addressing the skills gap.
2. Supporting CISOs: Providing mental health resources and reducing the pressure on cybersecurity leaders.
3. Building Resilience: Prioritizing incident response planning and regular testing to ensure preparedness for cyberattacks.
4. Strengthening Third-Party Relationships: Implementing robust due diligence and monitoring processes to mitigate third-party risks.
In conclusion, compliance with DORA and PRA is a complex and costly endeavor, but it is also an opportunity for financial institutions to strengthen their cybersecurity posture and build a culture of resilience. The road ahead is challenging, but with the right strategies, organizations can turn compliance into a competitive advantage.
References:
Reported By: Infosecurity-magazine.com