In the first part of this blog series, we looked at the relevance of EU’s DORA regulation and how it can impact cybersecurity in financial institutions (FIs) operating in the EU.
In this installment, let’s discuss the following:
- Role of synthetic data in DORA regulations – and why it matters for FIs.
- How FIs can successfully implement DORA compliance.
- Common questions that business leaders have about DORA.
Why synthetic data matters more than ever for financial institutions
FIs have always been cautious about using data analytics to their advantage, out of concern over exposing sensitive data and failing compliance obligations. The emergence of synthetic data has changed this paradigm.
Simply defined, synthetic data is artificially generated data that preserves the statistical properties of real-world data without compromising the privacy of the individuals behind it. In the financial domain, synthetic data has a variety of use cases such as:
- Fraud detection and prevention
- Modelling of credit risk
- Personalized services
- Compliance testing
Synthetic data has enabled FIs to comply with industry regulations like GDPR, SOC 2, and SOX. How can synthetic data enable FIs to comply with DORA? Synthetic data can be used to train Generative AI models to perform tasks that improve cybersecurity and risk management.
Here are 4 areas in the financial sector where Generative AI and synthetic data can be deployed:
- Cybersecurity
  GenAI models can identify patterns in synthetic datasets that indicate vulnerabilities or a potential threat. In addition, GenAI-powered systems can monitor network traffic to detect suspicious anomalies. This enables FIs to take a proactive approach to ICT-related risks and respond immediately to prevent operational disruption.
- Risk assessment
  GenAI models can perform effective risk assessment for FIs. For example, AI algorithms can help in:
  - Simulating a potential cyberattack.
  - Modeling the security impact.
  - Devising a robust incident response strategy.
  With GenAI’s predictive capabilities, FIs can anticipate potential risks and improve their operational resilience in line with DORA regulations.
- Incident reporting
  GenAI models can also improve incident reporting in compliance with DORA. FIs can automatically generate ICT-related incident reports that:
  - Assess the security impact.
  - Identify any security flaws or vulnerabilities.
  - Recommend corrective measures.
  With AI-generated reports, FIs can ensure transparency for human auditors and regulators. This is aligned with DORA’s governance requirements, which stress risk management and resilience.
Among other benefits, synthetic data enables cybersecurity testing without exposing real customer data. With a synthetic test data generation tool like Kingfisher, financial application testers can generate synthetic data to test the quality of their AI-powered applications.
Next, let’s discuss how financial institutions can effectively strategize their DORA implementation.
Strategic moves for successful DORA implementation
What are the best strategies for FIs to implement DORA effectively? The first step is to formulate an operational resilience strategy that is aligned with their business strategy. This means integrating operational resilience into the core of the business strategy rather than treating it as an afterthought.
Under the DORA stipulations, FIs must also appoint a management body responsible for:
- Monitoring any risks related to digital operational resilience.
- Ensuring compliance with DORA’s obligations at all times.
- Overseeing all ICT-related policies and procedures needed to meet their DORA-related obligations.
As part of this management body, companies must select a DORA responsibility officer to watch over their DORA compliance. Depending on the scale and complexity of their business operations, this role can be assigned to a serving compliance officer or a chief risk officer. It is also recommended that this responsibility officer be trained to perform DORA-related tasks. Beyond the officer, employees must also undergo an annual training program on DORA regulations.
As part of DORA’s regulatory norms, companies must regularly review their ICT risk management frameworks and implement the following action points:
- Implement data security policies.
- Govern the ICT functions by assigning the right roles and responsibilities.
- Oversee the implementation of an ICT business continuity and disaster recovery plan.
- Allocate sufficient resources to meet their DORA obligations.
- Review and approve regular ICT audits.
Last but not least, it is recommended that companies use a RACI matrix to assign ownership, which stands for:
- Responsible – Who is responsible for which action?
- Accountable – Who is ultimately accountable for DORA implementation?
- Consulted – Who needs to be consulted?
- Informed – Who needs to be informed?
Now, let’s answer some common DORA-related questions asked by business leaders.
Top 8 questions business leaders should ask about DORA
Here are the top 8 questions that business leaders ask about DORA:
- Who is responsible for DORA compliance in our organization?
  The management body (or board of directors) that runs the enterprise is responsible for DORA compliance.
- How do we assess and manage third-party risks under DORA?
  Third-party risk management is challenging but achievable through:
  - Identifying every entity in the company’s supply chain and third-party services.
  - Extending threat monitoring to cover those third-party companies.
- What is the role of synthetic data in DORA compliance?
  Synthetic data has an important role in DORA compliance by providing fabricated data for testing the AI-powered models used to monitor DORA requirements.
- How do we ensure our business continuity plans are up to DORA standards?
  To meet DORA standards, financial firms must regularly review and update their business continuity plans to include new threats or risks. Additionally, they must test their plans annually, or following any serious incident or any change to their ICT infrastructure.
- What are the penalties for non-compliance?
  Non-compliance with DORA regulations can attract a penalty of up to €10 million, or 5% of the annual turnover.
- How can we align DORA with our existing cybersecurity measures?
  First, companies must perform a complete gap analysis to identify the functional areas where their cybersecurity falls short. This can help them generate an action plan to close those gaps and attain resilience.
- What resources should we allocate to DORA compliance?
  DORA specifies that FIs must allocate sufficient resources and capabilities to meet its compliance requirements. Apart from a sufficient budget, companies can allocate non-financial resources in the form of the latest technology tools and data management.
- How can we prepare for an ICT incident under DORA?
  To prepare for an ICT incident, organizations must integrate threat detection and analysis tools that can detect an incident and report it to the supervisory authorities on time.
Conclusion
Complying with regulations like DORA is now an essential part of running a financial institution. With the availability of synthetic data, FIs can test and validate the effectiveness and accuracy of their AI-powered financial models without exposing real customer data.
As a trusted Google Cloud partner, Onix can help kickstart your DORA transition. Our Kingfisher tool can help generate synthetic data from code, thus ensuring high-quality and complete data for your AI models.
Contact our experts to learn more about synthetic data and our Kingfisher tool.