Tough new European Union regulations requiring banks to bolster their cybersecurity systems officially come into effect Friday — but many of the bloc’s financial services firms aren’t yet in full compliance with the rules.

The EU’s Digital Operational Resilience Act, or DORA, requires both financial services firms and their technology suppliers to strengthen their IT systems to ensure the industry is resilient in the event of a cyberattack or any other forms of disruption. It entered into effect on Jan. 17.

The penalties for breaches of the new legislation can be substantial. Financial services firms that fall foul of the new rules can face fines of up to 2% of annual global revenue. Individual managers could also be held liable for breaches and face sanctions of as much as 1 million euros ($1 million).

So far, the rate of compliance among financial services firms with the new rules has been mixed, according to Harvey Jang, chief privacy officer and deputy general counsel at IT giant Cisco.

“I think we’ve seen a mixed bag,” Jang told CNBC in an interview. “Of course, the more mature-stage companies are further along looking at this for at least a year — if not longer.”

“We’re really trying to build this compliance program, but it’s so complex. I think that’s the challenge. We saw this too with GDPR and other broad legislation that is subject to interpretation — what does it actually mean to comply? It means different things to different people,” he said.

This lack of a common understanding of what qualifies as robust compliance with DORA has in turn led many institutions to ramp up security standards to the level that they’re actually surpassing the “baseline” of what’s expected of most firms, Jang added.

Are financial institutions ready?

Under DORA, financial firms will be required to undertake rigorous IT risk and incident management, classification and reporting, operational resilience testing, intelligence sharing on cyber threats and vulnerabilities, and measures to manage third-party risks.

Firms will also be required to conduct assessments of “concentration risk” related to the outsourcing of critical or important operational functions to external companies.

A Censuswide survey of 200 U.K. chief information security officers commissioned by Orange Cyberdefense, the cybersecurity division of French telecoms firm Orange, showed that 43% of financial institutions in Britain aren’t yet in full compliance with DORA.

That’s a concern because, even though the U.K. falls outside the European Union now, DORA applies to all financial entities operating within EU jurisdictions — even if they’re based outside the bloc.

“Whilst it is clear that DORA has no legal reach in the U.K., entities based here and operating or providing services to entities in the EU will be subject to the regulation,” Richard Lindsay, principal advisory consultant at Orange Cyberdefense, told CNBC.

He added that the main challenge for many financial institutions when it comes to achieving DORA compliance has been managing their critical third-party IT providers.

“Financial institutions operate within a multi-layered and hugely complex digital ecosystem,” Lindsay said. “Tracking and ensuring that all parts of this system evidentially comply with the relevant elements of DORA will require a new mindset, solutions and resources.”

Banks are also adding higher levels of scrutiny in their contract negotiations with tech suppliers due to DORA’s strict requirements, Jang said.

The Cisco chief privacy officer told CNBC that he thinks there is alignment when it comes to the principles and the spirit of the law. However, he added, “any legislation is a product of compromise and so, as they get more prescriptive, then it becomes challenging.”

“The principles we agree with, but any legislation is a product of compromise, and so as they get more prescriptive, then it becomes challenging.”

Still, despite the challenges, the broad expectation among experts is that it won’t be long until banks and other financial institutions achieve compliance.

“Banks in Europe already comply with significant regulations which cover the majority of the areas that fall under DORA,” Fabio Colombo, EMEA financial services security lead at Accenture, told CNBC.

“As a result, financial services institutions already have mature governance and compliance capabilities in place, with existing incident reporting processes and solid ICT risk frameworks.”

Risks for IT suppliers

OpenAI’s Sora 2 must stop allowing copyright infringement, Motion Picture Association says

The Motion Picture Association on Monday urged OpenAI to “take immediate and decisive action” against its new video creation model Sora 2, which is being used to produce content that it says is infringing on copyrighted media.

Following the Sora app’s rollout last week, users have been swarming the platform with AI-generated clips featuring characters from popular shows and brands.

“Since Sora 2’s release, videos that infringe our members’ films, shows, and characters have proliferated on OpenAI’s service and across social media,” MPA CEO Charles Rivkin said in a statement.

OpenAI CEO Sam Altman clarified in a blog post that the company will give rightsholders “more granular control” over how their characters are used.

But Rivkin said that OpenAI “must acknowledge it remains their responsibility – not rightsholders’ – to prevent infringement on the Sora 2 service,” and that “well-established copyright law safeguards the rights of creators and applies here.”

OpenAI did not respond to a request for comment.

Concerns erupted immediately after Sora videos were created last week featuring everything from James Bond playing poker with Altman to body cam footage of cartoon character Mario evading the police.

Although OpenAI previously held an opt-out system, which placed the burden on studios to request that characters not appear on Sora, Altman’s follow-up blog post said the platform was changing to an opt-in model, suggesting that Sora would not allow the usage of copyrighted characters without permission.

However, Altman noted that the company may not be able to prevent all IP from being misused.

“There may be some edge cases of generations that get through that shouldn’t, and getting our stack to work well will take some iteration,” Altman wrote.

Copyright concerns have emerged as a major issue during the generative AI boom.

Disney and Universal sued AI image creator Midjourney in June, alleging that the company used and distributed AI-generated characters from their films and disregarded requests to stop. Disney also sent a cease-and-desist letter to AI startup Character.AI in September, warning the company to stop using its copyrighted characters without authorization.

Billionaire tech investor Orlando Bravo says ‘valuations in AI are at a bubble’

Thoma Bravo co-founder Orlando Bravo said that valuations for artificial intelligence companies are “at a bubble,” comparing it to the dotcom era.

But one key difference in the market now, he said, is that large companies with “healthy balance sheets” are financing AI businesses.

Bravo’s private equity firm boasts more than $181 billion in assets under management as of June, and focuses on buying and selling enterprise tech companies, with a significant chunk of its portfolio invested in cybersecurity.

Bravo told CNBC’s “Squawk on the Street” on Tuesday that investors can’t value a $50 million annual recurring revenue company at $10 billion.

“That company is going to have to produce a billion dollars in free cash flow to double an investor’s money, ultimately,” he said. “Even if the product is right, even if the market’s right, that’s a tall order, managerially.”

OpenAI recently finalized a secondary share sale that would value the ChatGPT-maker at $500 billion. The company is projected to make $13 billion in revenue for 2025.

Nvidia recently said it would invest up to $100 billion in OpenAI, in part, to help the ChatGPT maker lease its chips and build out supercomputing facilities in the coming years.

Other public companies have soared on AI promises, with Palantir’s market cap climbing to $437 billion, putting it among the 20 most valuable publicly traded companies in the U.S., and AppLovin now worth $213 billion.

Even early-stage valuations are massive in AI, with Thinking Machines Lab notching a $12 billion valuation on a $2 billion seed round.

Despite the inflated numbers, Bravo emphasized that there’s a “big difference” between the dotcom collapse and the current landscape of AI.

“Now you have some really big companies and some big balance sheets and healthy balance sheets financing this activity, which is different than what happened roughly 25 years ago,” he said.

Oracle stock slips 5% on report company is seeing thin cloud margins from Nvidia chips

Oracle stock slipped 5% on Tuesday after a report from The Information that raised questions about the company’s plans to buy billions of Nvidia chips to rent as a cloud provider to clients like OpenAI.

Oracle had 14% gross margins on $900 million in sales in its Nvidia cloud business in the three months ending in August, according to the report, which cited internal documents. That’s significantly lower than Oracle’s overall gross margin of around 70%.

The report said that Oracle’s recent transformation into one of the most important cloud and artificial intelligence companies may run into profitability challenges because of how expensive Nvidia chips are and aggressive pricing on its AI chip rentals.

In September, Oracle said that its backlog of cloud contracts, which it called remaining performance obligations, had jumped 359% in a year. It forecasted $144 billion in cloud infrastructure revenue in 2030, up from just over $10 billion in 2025.

Much of that forecasted revenue is from Oracle’s role in the Stargate project, in which the enterprise vendor is working with OpenAI to open five massive data centers filled with AI chips from Nvidia.

Year-to-date stock chart for Oracle.
