October 25, 2024 8 mins

What if a simple app failure could trigger chaos across the financial world? Explore the vital safeguards of Europe's Digital Operational Resilience Act (DORA) with host Gabe Gumbs on Privacy Please. This episode goes into how DORA is transforming digital infrastructure to withstand the onslaught of cyber threats like ransomware, ensuring that your access to financial services remains seamless and uninterrupted. From banks to tech providers, discover the global ripple effects of this European regulation that extends its reach to American firms intertwined with the EU financial sector.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to another episode of Privacy Please, where we break down complicated tech stuff into bits everyone can understand. I'm your host, Gabe Gumbs, and today we're talking about something pretty important. DORA. No, not the Explorer. We're talking about Europe's new Digital Operational Resilience Act. Now I know what you're thinking: great, another boring

(00:28):
regulation. Those Europeans sure do like their digital regulation with their GDPR. Now, stick with me, just hang in there, right? Because this one's actually pretty interesting. So let me start with just a real easy question. You ever try using your banking application, logging in, phone, online, whatever, and it wasn't working? Yeah, pretty frustrating, right? How long would it take for panic to set in if enough people were

(00:48):
affected? What do you think? 30 minutes, an hour, two days? Now think about outages caused by things like ransomware. 22 days, that's the average. What would that do to critical infrastructure like banks? Well, that's exactly what DORA is trying to prevent. Think of it as a rule book that makes sure banks and financial

(01:09):
companies keep their computer systems super durable and reliable. Again, ransomware, an absolute plague on society, and its number one impact is availability. Taking your business offline is the leverage to make sure you pay up. Banks are getting attacked more than ever before, and almost everything we do with our cash these days is online, right?

(01:30):
Some cash, banks, we say back in Brooklyn. Whether you're paying your bills, checking your accounts, sending money, just all of our... I don't even know when's the last time you've held a significant amount of actual cash in your hand. I think for most of us that's not really a thing. I don't really walk around with a lot of actual cash. It's all digital these days.

(01:51):
It's all being done through computers and I think most of us are very comfortable with that. I think most of us are comfortable that if the systems have an issue, that the banks will resolve it. But DORA goes further than that. DORA is meant to make sure that the systems are always there, always available, that you always can have access to your money. So if a bank's computers crash or get hacked, it's not just

(02:13):
annoying, that's going to be a disaster for a lot of people. Now here's where it gets extra interesting, right? So since DORA is a European rule, you might think it only affects European countries, European companies. But not too dissimilar at all from GDPR, that arm is pretty large. Europe is a significant part of the global economy, as much as

(02:34):
the global banking system, and so here's the scoop. So, first off, in Europe, it affects all banks, that's right, all banks. It affects all insurance companies, all investment firms and any companies that provide technology services to those financial companies. So if you provide technology services to a bank, an insurance

(03:06):
company, investment firm in the EU and it is part of that critical infrastructure, that means that DORA is going to affect you as well. It's interesting too, though, right? So a little bit of a twist, it affects a lot of American companies in that way. And so if you're an American bank with offices in Europe, yep, those offices, they're going to need to follow DORA. If you're an American tech company helping European banks with their computer systems, got it. You gotta follow DORA too, right? And so it's got a pretty wide reach.

(03:28):
And the next obvious question is, well, what in the world do I need to do to make sure I'm compliant with DORA? And there's... This is very much just an introduction to the topic, so you know, for more detailed prescriptive information we'll get into that in some future episodes. We'll bring some guests on. We wanted to just get that topic out there.

(03:48):
So there's really four main rules that companies need to follow. The first one is you got to find and fix your problems early. Pretty straightforward, right. So prioritization of the issues that affect that operational resilience of your systems. Hell, even better if those systems self-heal themselves, right, like great, problem found and fixed all on its own.

(04:09):
You got to report those problems quickly. That's the second big rule. So the first big rule is you got to find and fix those problems. Second one is you got to report those problems quickly. So if something goes wrong, you have to tell the authorities right away. No keeping secrets. A lot of times when breaches occur, it could be weeks, it could be months before that information is shared while they're doing, air quotes,

(04:30):
root cause analysis, right? Well, when there's an operational outage, when something's out, that knowledge is immediate, like everyone knows it. When a business gets hacked, everyone might not know it. It might be weeks or months before you even knew that, you know, company A or B or whatever. It might only be when you get that notice in the mail saying hey, your data was leaked, that you even knew that that company

(04:52):
was hacked. But when your bank is unable, when you aren't able to log into it, everyone knows that. So you've got to report right away what's going on, and no more of this "we'll tell you once we think we know all the things," right. Third rule, we covered this a little bit already, but you've got to make sure that your partners are safe.

(05:12):
So if your suppliers are part of your critical operations, they're going to need to be checked as well. And then, number four, you've got to practice emergency plans. Practice them. I love that. That's part of the regulation. So, A, you're going to need a business continuity and disaster recovery plan. God forbid, if you don't already have one, you're going to need one. And B, you're not just going to have to have it, you're going

(05:33):
to have to test it. Just like fire drills at school, you're going to have to practice handling these emergencies. You have to be prepared for when it happens. It should go without saying that just having a response playbook that you've never once exercised is not going to serve a lot of value if the first time you try to go through these

(05:55):
exercises is during a live fire exercise, during when it's actually happening to you. But here's some other interesting things, right? So some American companies are choosing to follow those rules, even if they don't have to, even if they're not within scope. It might just be that they recognize the good hygiene for what it is, which, quite honestly, it literally is. But let's be honest, we're not that far off from these rules

(06:20):
hitting our shore in the exact same way. They are there and around us to a large degree, because American banking infrastructure has already been deemed critical infrastructure, but we don't have a federal regulation like DORA. It's not at the federal level, right? You've got things like NYCRR 500 out of New York that has some

(06:40):
provisions around things like this. It's mostly focused on security, though, but again, I would always argue that security being the combination of confidentiality, integrity and availability, that those types of things should have already been codified into both what we do and to the technologies we build and into the rules that we follow.

(07:02):
But companies might want to follow DORA, if, one, if you want to work with other European companies someday, then you're going to want to follow DORA. It's going to become similar to SOC 2 processes, where you have to demonstrate your security capabilities. You're going to have to demonstrate your resiliency capabilities as well. If you have partners and customers in Europe, yeah, you

(07:23):
might want to follow DORA. If you just want to stay competitive globally, you're probably going to want to follow DORA, even if you're outside of scope, right? Or if, again, you're just simply looking for good security practice. So DORA was officially adopted back in November 2022. I don't think we talked about it much on this show, maybe not at all, if I'm being transparent, and so it's been a couple of

(07:47):
years for folks to prepare, but it goes into effect on January 17th, 2025. So not that long from now, and by that date, all entities within scope of DORA, including financial institutions and critical third parties operating in the EU, are going to have to be fully compliant with its requirements. Now, there it is.

(08:07):
There you have it, folks. DORA might sound complicated, but it's really just about making financial systems unbreakable and, whether you're in Europe, America or anywhere else, these rules are really going to help shape the future of everyone's digital currency. That's all for today's episode of Privacy Please. Please, remember to like, subscribe and share if you found

(08:27):
this helpful. Until next time, Gabe Gumbs.
© 2025 iHeartMedia, Inc.