Digital operational resilience: a challenge for a growing number of companies
The pivotal role of IT systems
Operational resilience, today inseparable from IT systems, is no longer just an internal company matter. For utilities, banks, airports, hospitals, and other organizations that operate essential services, an accidental or malicious shutdown of services not only causes economic losses but can trigger far-reaching chain damage to a country's economy and to people's lives. The European legislator has become aware of this and, after the numerous disasters caused by cybercrime, is now regulating the obligation to protect systems and data, much as it has already done in the past for food safety, road traffic, and other matters of public significance. The most recent measures target the operational resilience of the banking and financial sector in order to protect payment and credit systems. Many observers are therefore convinced that similar rules could extend to other business areas in the future. That is why it is fundamental to talk about digital operational resilience.
DORA: the European Regulation protecting digital operational resilience
The Digital Operational Resilience Act (DORA) has been in force since January. The new European regulation, together with NIS 2 and the updates to Bank of Italy circular 285, imposes more robust management of ICT resilience and cybersecurity. Beyond banks and large financial institutions, the regulation also affects smaller organizations: trading companies, stock exchanges, insurance companies, social security institutions, decentralized finance companies (cryptocurrencies), and the supply chains of their providers. DORA requires the operational risk management perimeter to be extended to the third parties an organization works with, together with greater transparency.
Digital resilience requires testing
To be compliant, affected organizations must test their systems against realistic threats, identify and implement measures to improve their defenses, and ensure resilience. They must also prepare plans for the event of a cyber-attack and put in place processes which, as with the GDPR, provide for accountability in incident reporting. Compliance with the new rules calls for a general health check of data center resilience, starting with data backup and business continuity systems, whose recovery time and recovery point objectives (RTO and RPO) often fall short of the new requirements. In addition to consultancy, planning, and implementation skills for interventions on security infrastructure, networking, and data center systems, BinHexS can deliver effective solutions for data protection and disaster recovery, and provide managed services, in line with business needs and available budgets.