The outages and disruptions impacting the financial sector this month serve as stern reminders about vulnerabilities linked to tech reliance. Regulations such as DORA, however, show a certain maturity to pre-empt such problems, experts say.
This August has seen its fair share of tech disruptions, with online brokerages like Fidelity Investments and Charles Schwab being impacted on what Reuters called an already “frenetic trading day”. Users were unable to view, let alone manage, their positions, although the issues were resolved on the same day.
Meanwhile, the faulty CrowdStrike update on 19 July caused a historic outage for millions of Microsoft users—another reminder about tech-related susceptibilities. An analysis by Parametrix estimated that the direct financial losses to U.S. Fortune 500 companies, excluding Microsoft, as a result of the outage were $5.4 billion, with the healthcare and banking sectors being particularly hard hit, at around $1.9 billion and $1.1 billion, respectively.
On the day of the outage, Luxembourg’s financial watchdog, the Commission de Surveillance du Secteur Financier, or CSSF, issued a statement, reminding “Luxembourg-domiciled investment managers and undertakings for collective investment (UCI) as well as all entities involved in the operation of these entities to duly assess the impacts of this IT outage and to take all the appropriate actions in order to ensure the ongoing functioning of the UCIs.”
It also pointed to a technical report issued by CIRCL, the Computer Incident Center Luxembourg, hosted by the Luxembourg House of Cybersecurity, or LHC. CIRCL regularly documents, reports on, and responds to such issues, serving as what it calls “a fire brigade” with regard to cyber threats.
Robust cyber ecosystem
In a recent interview with Investment Officer, LHC founder and CEO Pascal Steichen pointed to some of Luxembourg’s rankings in cybersecurity. The Global Security Index, for instance, rates the Grand Duchy eleventh globally, seventh in Europe, for its cybersecurity commitment.
“For such a small country, it’s quite good,” Steichen explained. “The development of the financial sector over the past decades—because of the high sensitivity of the sector, around data privacy and security—made it possible that quite a big cybersecurity ecosystem has developed in Luxembourg.”
There are more than 320 companies operating in cybersecurity-related services, and Steichen also noted public authorities’ long-term commitment to the sector, with the first national cybersecurity strategy having been released in 2012. And, although the CrowdStrike update was not linked to malicious intrusions, “what is a bit concerning, and it’s not directly linked, is that in the recent year or two, we’ve seen more and more attacks but also other types of issues of security products themselves, since they use more AI and automation.” Steichen added that VPN attacks, for instance, have become more frequent.
Meanwhile, players like the LHC also have an eye on future threats, such as quantum computing. “The algorithms today are based on certain mathematical procedures that are very difficult to process with traditional computers but are very easy to process with quantum computers,” the CEO added.
Even if the EU’s Digital Operational Resilience Act, or DORA—applicable as of 17 January 2025—is not the first text to touch on cyber vulnerabilities in the financial sector, according to Steichen, “If you’ve been in the sector for some time, you see there is maturity in this text.” Its focus isn’t just on technology or those third-party IT companies; rather, DORA “brings up more procedural elements”, aspects related to clear processes and business continuity, reporting and communication, organisation and governance, etc.
Strengthening of governance
Similar sentiments were echoed by Arendt’s Marc Mouton and Yann Fihey. As Mouton, partner in the banking & financial services practice, pointed out, the CSSF already imposes high standards, and financial players like banks, payment institutions and investment firms are subject to wide-reaching requirements.
But he referred to “important nuances” when it comes to DORA, like the strengthening of governance and procedures, extending incident reporting and having a proper, documented framework. “There’s a clear message from the regulators, in particular the CSSF, not to rely too much on the existing arrangements but really to analyze in detail the gaps and upgrades that have to be done,” Mouton said.
Fihey, partner and member of the management committee of Arendt Regulatory & Consulting, pointed out that the CrowdStrike/Microsoft issue showcases not only how systems are increasingly integrated and how one bug can cause a “snowball or domino effect”, but also reinforces the importance of risk management. “There is a kind of risk-based approach that is required in the mindset of DORA,” he added.
Among the DORA-related client services in demand at Arendt are gap analyses to determine such risks, advice on closing such gaps, as well as IT security as a service. And the risks of non-compliance can be costly: Mouton pointed out that administrative fines for companies can be up to €5 million, or 10% of total annual turnover on a consolidated basis.
While the policies, procedures, contract negotiations, etc., behind DORA can indeed take time, Fihey pointed out that impacts on systems can be particularly complex: “In case the analysis you made reveals that you have some vulnerabilities on one system or another, and you need to have a backup solution or workaround to offset the risk of unavailability of the system, this can be quite long to implement from a technical perspective.”
Meanwhile, this week the CSSF launched a 10-question DORA readiness survey which it will invite applicable entities to take part in. The survey aims to assess the market’s DORA readiness and challenges, as well as to raise more awareness to encourage companies to be prepared.