How DORA Could Change The Way We View Cybersecurity
Hoptroff is a global provider of secure, resilient IEEE 1588 Precision Time Protocol (PTP) and NTP time synchronisation services, and a distributor of timing services.
For those less familiar, IEEE 1588 defines the Precision Time Protocol (PTP), which synchronises clocks in networked systems. Its main purpose is to provide highly accurate time synchronisation between devices connected over Ethernet networks. NTP is suitable for general-purpose time synchronisation needs with millisecond precision, while PTP is designed for high-precision applications requiring sub-microsecond accuracy. IEEE 1588 is commonly found in applications where precise time synchronisation is crucial, such as industrial automation, telecommunications, power systems, and financial trading networks. It is essentially a backbone for ensuring that devices across a network operate in exact time coordination.
In this article, Richard Hoptroff, Founder and Chief Time Officer, discusses the importance of accurate time synchronisation, particularly in the context of financial services and cybersecurity.
Hoptroff says: "The financial world has seen operational resilience rise to the top of the agenda over the past few years, and we partly have DORA to thank for that. Although the issue predates it, the Digital Operational Resilience Act (and its looming compliance deadline of January 2025) has brought some much-needed urgency to the operational resilience conversation."
"In finance, as in many parts of our lives, we are all digital now. The sector relies more and more on the strength of its technological infrastructure; institutions need to be able to prevent ICT incidents, and when they do happen, recover quickly with minimal disruption for customers or partners."
What could be learnt from DORA?
Accurate timing systems complement the more traditional tools of cybersecurity. Hoptroff says, "DORA’s scope extends beyond time, but its requirements clearly involve it. Thanks to new incident reporting and risk management obligations, financial institutions will have to maintain certain (very high) standards of time synchronisation, timing data and process documentation, and resilient timing that’s resistant to cyber attacks."
Numerous high-profile cyber attacks have exploited vulnerabilities in time synchronisation by sending malicious time information. Notable examples include the breach of the bitcoin exchange Mt. Gox and a cyberattack on the Ukrainian power grid.
Attacks like these are made possible by vulnerable timing systems.
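One defensive building block for "resilient timing", as an added illustration that is not part of the article or of Hoptroff's products: before a clock correction is applied, the offsets reported by several independent time sources are compared, any source that disagrees with the majority is flagged, and unexpectedly large jumps are refused. The source names and offsets below are constructed sample values, and the tolerance and quorum parameters are assumptions.

```python
"""Added example: majority-based sanity check of time-source offsets."""
from dataclasses import dataclass
from statistics import median


@dataclass
class SourceOffset:
    name: str
    offset_s: float  # reported (source_time - local_time) in seconds


def select_trusted_offset(samples, tolerance_s=0.050, quorum=3):
    """Return (agreed_offset, rejected_names), or (None, rejected) without quorum.

    The median is robust to a minority of falsified values; any source further
    than tolerance_s from the median is treated as suspect and excluded.
    """
    if len(samples) < quorum:
        return None, [s.name for s in samples]
    centre = median(s.offset_s for s in samples)
    accepted = [s for s in samples if abs(s.offset_s - centre) <= tolerance_s]
    rejected = [s.name for s in samples if s not in accepted]
    if len(accepted) < quorum:
        return None, rejected
    return median(s.offset_s for s in accepted), rejected


def should_step_clock(agreed_offset, max_step_s=1.0):
    """Refuse large jumps: a sudden multi-second correction is logged as an
    incident to investigate rather than applied automatically."""
    return agreed_offset is not None and abs(agreed_offset) <= max_step_s


if __name__ == "__main__":
    # Constructed sample: three honest sources agree within 10 ms; one
    # hypothetical source ("rogue") claims the local clock is 90 s behind.
    samples = [
        SourceOffset("gps-a", 0.004),
        SourceOffset("ptp-grandmaster", 0.006),
        SourceOffset("ntp-pool", -0.003),
        SourceOffset("rogue", 90.0),
    ]
    offset, rejected = select_trusted_offset(samples)
    print(f"agreed offset={offset:.3f}s rejected={rejected}")
    print("apply step:", should_step_clock(offset))
```

The rejected list is what a monitoring pipeline would raise an alert on; a source that is repeatedly rejected is an incident to report, not just a measurement to discard.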
"Time is the hidden currency of the financial world," says Hoptroff, "and DORA has woken the sector up to the fact that synchronisation is a key pillar of cyber resilience. But even though we all recognise the Act’s importance, meeting its timing requirements is not without challenges, particularly for smaller institutions."
DORA's elevated standards require more frequent testing, comprehensive risk assessments, and detailed reporting. This significantly increases the demand for resources, which can be particularly challenging for smaller institutions that often have limited resources to meet these requirements.
"What I suggest is that across the industry, we find practical, fair-minded initiatives to level the playing field for all institutions affected by DORA," says Hoptroff. "A few that come to mind include knowledge-sharing hubs to allow cooperation, targeted subsidies for smaller institutions to ease the burden of compliance, and service-based models for key security tools, including smart timing."
"To businesses interested in regulatory compliance primarily for the competitive advantage it brings, these changes might not seem pressing. But adopting them would be in the spirit of DORA. Knowledge-sharing is already encouraged (if not formally required) by the Act, with emphasis placed on participation in voluntary threat-sharing arrangements. And by uniting a fragmented EU regulatory landscape, DORA already encourages cross-border collaboration by bringing everyone onto the same page."
Hoptroff continues: "DORA is not only a list of regulatory requirements, it is also a starting point for a shift towards a widespread culture of operational resilience, which prioritises practical, cooperative solutions."
Redefining Cybersecurity Challenges Across Sectors
Time must be considered an important utility for businesses. "At Hoptroff we’ve always set our sights on providing low-cost and easy-to-incorporate solutions, so that businesses have a model that they can rely on for accuracy and accountability. Both are vital parts of DORA."
"But synchronising digital systems at scale, to the level of accuracy required by DORA, is difficult and requires specialist knowledge and hardware. Rather than leaving each institution to its own devices (as it were), under this model time becomes a utility to subscribe to. I believe that accessing accurate time should be like switching on a light – and we don’t expect institutions to run their own power stations and electricity grids!"
A coordinated effort across the industry to adopt innovative measures is needed for a culture of operational resilience to become ingrained. The ‘time as a service’ model frees institutions from individual responsibility for their time and promotes shared infrastructure as the answer instead.
"Of course, finance is not the only sector that relies on data integrity for security – and time is not the only kind of data that institutions have to handle. If you ask me, this model will redefine how institutions both within and beyond financial services approach cybersecurity challenges. In a world continuously being reshaped by technology and hyper-connectivity, we must all find ways to clear the path towards security."
InsurTech vulnerabilities and the value of time
Data Integrity and Timestamping: In insurance, accurate timestamps are crucial for determining the sequence of events in claims processing, policy issuance, and other transactions. IEEE 1588 ensures precise time synchronisation across devices, which can enhance the integrity of data and the audit trail. This is particularly important in scenarios where the timing of events impacts liability or coverage.
Fraud Detection and Prevention: Insurers use various data sources and analytics to detect fraudulent activities. Precise time synchronisation helps correlate events across different systems and detect anomalies that may indicate fraudulent behaviour. For instance, it can help identify claim fraud by checking that the timing of events aligns logically.
Regulatory Compliance: Regulatory requirements often mandate accurate timestamping and record-keeping in insurance transactions. Compliance with these regulations is essential for avoiding penalties and maintaining trust with customers. Compliance can be facilitated by providing a standardised approach to time synchronisation, making it easier for insurers to demonstrate adherence to regulatory requirements.
Operational Efficiency: In the realm of insurtech, where technology plays a significant role in streamlining processes and improving efficiency, precise time synchronisation can be invaluable. It ensures that various systems and devices across the insurance ecosystem are operating in sync, reducing errors, delays, and inefficiencies in data processing and communication.
Smart Contracts and Blockchain: Some insurtech applications leverage blockchain technology and smart contracts for automating insurance processes and enhancing transparency. Synchronisation can support these applications by providing accurate timestamps for transactions recorded on the blockchain. This ensures that the execution of smart contracts and the validation of transactions occur with precision.
InsurTech Digital is a BizClik brand