New cybersecurity laws ‘could double’ number of reported breaches

Financial institutions face a new suite of rules and requirements when EU law takes effect next year, Compliance Institute says

The EU Digital Operational Resilience Act comes into effect in January

The volume of reported data breaches and cybercrime incidents is “very likely” to at least double when new European Union laws surrounding cybersecurity come into effect next year, according to the Compliance Institute.

Financial services firms across Europe are facing a significant step up in standards when it comes to their ability to continue operations in the wake of a major ICT incident or cybersecurity breach.

The EU Digital Operational Resilience Act (Dora), which comes into effect in January, sets out a range of new rules for financial institutions to follow regarding their protection, detection, containment, recovery and response capabilities for ICT-related incidents.

It also puts in place new requirements for ICT risk management, incident reporting, resilience testing and ICT third-party risk management.

The Compliance Institute, which is the professional body for compliance professionals and which has more than 3,700 members, said several factors including increased reporting obligations and enhanced detection and resources could lead to a major spike in reported incidents.

The Data Protection Commissioner received 6,991 breach notifications last year, which represented a 20 per cent increase on 2022.

Compliance Institute chief executive Michael Kavanagh said that just six months out from the introduction of the new rules, “many organisations have a long way to go before they will be ready for this”.

“Banks, credit unions and a raft of other financial institutions will need to significantly step things up a gear to ensure full compliance once January 17th rolls around,” he said.

Mr Kavanagh said the new laws were drafted in response to the growing cyber risks targeting the world’s financial networks.

“The threats facing banks and financial institutions are evident everywhere,” he said. “The recent CrowdStrike outage serves as a stark warning of the potential risks organisations face.

“Presuming those organisations impacted are compliant with the new legislation then it’s reasonable to expect that there will be a significant increase in the number of incidents flagged with the Data Protection Commissioner and possibly other supervisory bodies.

“There is, of course, precedent for this likely uptick in reporting. For example, data from various supervisory authorities across the EU indicates a marked increase in the number of reported data breaches since GDPR came into effect.”

The Compliance Institute asked about 230 compliance professionals in financial services organisations about their experiences last year and found that more than half believe data-protection rules had been breached in their organisation at one time or another.

An even greater number (62 per cent) acknowledged being aware of such breaches in organisations they previously worked for.

When asked about factors contributing to the underreporting of data-protection breaches, nearly half (48 per cent) of those surveyed said businesses do not intentionally neglect to report breaches.

However, 46 per cent said concerns about potential damage to brand reputation might lead organisations to keep such violations confidential.

“Our research highlights the critical need for heightened awareness and preparedness,” said Mr Kavanagh. “However, this will come with a host of challenges.

“Organisations must understand and navigate complex regulatory requirements, manage financial and human-resource constraints, and upgrade legacy systems to meet stringent cybersecurity standards.

“Additionally, managing third-party risks and ensuring supply-chain compliance adds further complexity.”

Colin Gleeson

Colin Gleeson is an Irish Times reporter