A New Cybersecurity, Resilience Regime With Global Impact – DORA
New European Union legislation took effect this month that is designed to make financial institutions – including wealth managers – raise their cybersecurity and overall operational resilience. Failure to shape up will incur fines. Even firms in North America could be affected, depending on their relationships with EU financial entities.
If a reminder were needed that operational resilience in technology matters, the Microsoft/CrowdStrike outage of July 2024, in which a faulty CrowdStrike Falcon sensor update crashed Windows hosts worldwide, grounding flights and knocking out payment systems, was a stark one.
With cyberattacks and breaches now a regular occurrence, banks, wealth managers and family offices realize that they can be hit by ransomware from domestic and foreign sources. Add the outages and glitches that are, perhaps, inevitable whenever fallible human beings are involved, as well as malevolent actors, and there is going to be trouble.
In Europe, the regulatory stakes have risen with the Digital Operational Resilience Act (DORA), which applies from January 17.
DORA is designed to establish best practice in the financial industry for managing cybersecurity and operational resilience, and organizations deemed non-compliant face fines. Central banks such as the Bank of England and Bank of Ireland, among others, have already issued guidance to banks and financial organizations about it.
Under DORA, financial penalties can be up to 2 per cent of a company's total annual turnover or 1 per cent of its average daily turnover. Critical third-party ICT providers can be fined up to €5 million ($5.2 million) for companies or €500,000 for individuals. For the financial entities it covers, DORA is the sector-specific law and takes precedence over the more general NIS2 Directive. As a result, financial organizations are likely to face tougher cybersecurity requirements than other sectors in the EU. Even firms outside the 27-member EU bloc can be caught by the legislation if they supply ICT services to organizations in the Union, through the contractual and oversight requirements DORA places on third-party providers. In a sense, it is similar in scope and extraterritorial impact to the GDPR data protection rules that came into force in May 2018.
“In the past 20 years financial institutes of all types have become nearly completely reliant on technology for the services they provide. Their greatest risk to life beyond the market forces is a breach or major outage. Governments across the world know how critical their financial institutes are to stability and DORA [EU legislation] is about catching up with that,” Joe Boyle, CEO at Salt Secure Communications, told this publication.
While the DORA rules took effect from last Friday, it is unlikely that non-compliant firms will be immediately fined; regulators will probably issue reports and warnings first, Boyle said. “DORA is important for wealth management as well as all financial institutions because there are real consequences for not being compliant.”
Boyle’s firm, he said, “sees itself as a modern incarnation of the secure, controlled and compliant capabilities of the Blackberry messaging services with additional security capabilities such as secure broadcast and measures to prevent sensitive data exfiltration.”
“Crucially we do not come under full control of the Microsoft Active Directory, which means that it cannot be compromised or controlled when a bad actor hacks the corporate Microsoft environment,” he said.
“We [at Salt] are dealing with firms that are preparing for the worst and we provide a safe-haven network. In many wargaming scenarios the first thing the executive team are faced with is ‘All of your internal systems are down and you have no way to communicate. What are you going to do now?’ That’s where Salt comes in,” Boyle said.
Salt gives firms a “closed room” form of technology communications channel that is not connected to a firm’s regular comms so that people can share data even if there has been an attack and problem, Boyle said. “We speak to people to ask what to do if there is a major outage.”
Cybersecurity attacks and other problems give such offerings traction.
A report in March 2024 from US-headquartered Broadridge Financial Solutions showed that, over the next two years, financial institutions plan to boost their investments in cybersecurity by 28 per cent on average, an increase that affects both their internal security protocols and the way in which they engage with third-party technology vendors.
According to the study, cybersecurity is the top capability executives say they expect from their technology vendors, outpacing the ability to deliver projects on time and on budget and to build next-generation technologies into their solutions. In the US, new Securities and Exchange Commission rules came into force in 2023 requiring listed companies to disclose material cybersecurity incidents to investors and the market within days of determining materiality. By far the most common type of breach or attack is phishing, reported by 84 per cent of businesses and 83 per cent of charities that identified an attack in the UK government's Cyber Security Breaches Survey 2024.
“DORA will impose stricter requirements and also encourage resiliency in organizations, which will hopefully address the issues of securing insurance,” Alasdair Anderson, vice president of EMEA at Protegrity, a US-based data protection business, said in a note.
“The positive consequence of this growing regulatory landscape is a shift toward outcome-based compliance, as current regulations are seen to focus on ticking boxes. This will ultimately lead to enhanced data security within sectors, and mitigated risk of major consequences from continuously scaling cyber attacks,” Anderson said. “We will also see more regulations coming out that haven’t yet been predicted.
“Companies should treat these regulations as the minimum requirement that guides the usage of technology and look to build on these requirements. Maximizing cybersecurity investments isn’t just about protection – it’s about creating a positive, trust-driven experience for customers in the long term. Security should go beyond compliance, ensuring that every interaction leaves customers feeling safe and confident.”
Cybersecurity remains a top wealth sector concern, as highlighted in the Twelfth Edition of the WealthBriefing Tech and Ops Trends in Wealth Management 2024 report.
Blackberry model
Salt’s Boyle has fond memories of the Blackberry devices that were once a ubiquitous tool for people in IT, finance and business before the advent of iPhones and other smartphone brands.
The Blackberry had solid, proprietary end-to-end security that a firm issuing the devices could configure centrally, with varying levels of access between junior and more senior staff, Boyle said. He noted how regulators such as the Securities and Exchange Commission in the US have fined banks and other firms for what they see as inappropriate use of messaging apps such as WhatsApp.
“Blackberry had what was a completely closed network; organizations loved them,” said Boyle, who recalled that he was still using his Blackberry Bold in 2012.
With DORA, even businesses located outside the EU (such as a firm working with an EU-domiciled bank) are affected by its provisions. For example, organizations based in the Middle East are “taking DORA very seriously as they are very keen on tracking best practice across the globe to maintain and grow their highly competitive position,” Boyle said.
“The best way to think about it is in terms of risks and potential impacts to the business within the supply chain. If you have a supplier who is critical to the delivery of your services and has access to key information or services then they too are required to demonstrate compliance regardless of where they are in the world,” Boyle said.
Alongside DORA sits the NIS2 Directive, EU-wide cybersecurity legislation that provides legal measures for raising the overall level of cybersecurity across the Union. NIS2, which entered into force in 2023, replaces the original NIS Directive of 2016, updating its rules and widening the range of sectors and entities in scope.
The Microsoft/CrowdStrike outage of 2024 was a necessary wake-up call, Boyle said.
“These developments have been crucial in driving awareness within the executive suites of major organizations about the potential impact of breaches and major unplanned outages,” Boyle said. “Risk teams are being allocated significantly more budget and there has been a fundamental mind shift in more aware organizations to prepare for a crisis 'when it happens' instead of 'in case it happens’. It’s daunting but liberating as they are very focused on preparedness.”
Salt clients include the law firm Mishcon de Reya; BAE Systems, a defense sector manufacturer; and Nihon Cyber, a Japan-based cybersecurity firm. Salt, which is headquartered in Belfast, operates in 52 countries, covering sectors from finance to defense, military and policing.
“Our high security clients have a very good understanding of advanced nation state threats and have a very clear understanding of what they need when it comes to communications: a system which they run and control, which once deployed is not accessible even by Salt. That’s their 'warm and fuzzy' reassurance,” Boyle said.