Financial institutions face regulatory pressure from DORA and enhanced FCA requirements. This guide explains compliance frameworks and a practical three-layer defence strategy.

The Financial Conduct Authority's introduction of the Digital Operational Resilience Act (DORA) represents the most significant shift in financial services regulation since MiFID II. Starting from late 2024 into 2025, DORA applies to all authorised UK financial institutions, from large investment firms to smaller intermediaries. The Act's focus is clear: boards and senior management are now directly responsible for cybersecurity resilience.
Unlike previous frameworks that treated cybersecurity as a technology problem, DORA treats it as a business resilience problem. Regulators expect boards to understand their attack surface, test their incident response capabilities, and maintain cyber insurance that covers realistic breach scenarios. Firms that cannot demonstrate these capabilities now face regulatory action, reputational damage, and liability cascades through their senior leadership.
The FCA's enforcement record shows this isn't theoretical. Recent fines for inadequate cybersecurity controls have exceeded £2 million per firm. The Authority is actively investigating firms' compliance readiness, and those without documented security frameworks are being flagged during routine examinations.
For financial services firms, the stakes are higher because your data isn't just valuable—it's personal and financial. A single breach doesn't just create operational problems; it triggers notification obligations, creates regulatory scrutiny, and can destroy client trust within weeks.
Financial services firms are experiencing a surge in targeted attacks. Ransomware groups have specialised teams tracking financial institutions, knowing that payment pressure and regulatory deadlines create urgency around ransom payments. Email-based attacks—specifically email impersonation and spoofing—remain the most frequent entry point.
These attacks typically follow a pattern. An attacker uses email spoofing to impersonate a trusted sender, often a board member, CFO, or external partner. The email directs a staff member to process a wire transfer, change a supplier bank account, or share access credentials. In financial services environments, where transaction volumes and staff turnover create natural verification blindspots, these attacks succeed at a rate 10x higher than other industries.
Once inside, attackers move laterally. They target Microsoft 365 misconfigurations—specifically shared mailboxes, Teams channels, and poor multi-factor authentication (MFA) deployment. A study of recent financial services incidents found that 7 of 10 breaches involved compromised M365 accounts where MFA wasn't enforced on sensitive mailboxes.
From there, they escalate to data exfiltration or ransomware deployment. The damage isn't limited to the data they steal; DORA now requires firms to notify the FCA of material security incidents within 24 hours, creating a regulatory disclosure deadline that turns a bad day into a board-level crisis.
DORA compliance rests on four core pillars. Understanding each one is essential for building a practical response.
Senior management and boards must actively oversee cybersecurity strategy. DORA requires documented cybersecurity policies, regular board reporting on incident trends, and clear accountability for security failures. Regulators will examine board minutes, security reporting dashboards, and management decision logs. If your board can't articulate your firm's top three cyber risks in business terms, you're not compliant.
Firms must identify critical business functions and ensure they can operate during and after a cyber incident. This requires understanding your dependencies: which systems are mission-critical, where does your data flow, and what happens if key suppliers go offline? Regulators expect your firm to have a documented recovery plan.
DORA requires firms to detect and respond to incidents within defined timeframes. The FCA expects firms to have 24-hour incident response protocols, tested at least annually. Many firms only hire incident responders after a breach happens; by then, the FCA is already involved and the cost multiplies.
Regulators now view your suppliers as regulatory extensions of your firm. If your managed IT provider fails to patch your systems, or your cybersecurity vendor stores your data insecurely, the FCA views your firm as liable. DORA requires firms to conduct vendor assessments, contractually mandate security standards, and audit supplier compliance regularly.
The FCA is now asking financial services firms specific questions during examinations. Understanding these questions helps you build targeted defences.
The regulator expects evidence of DMARC, SPF, and DKIM implementations—technical controls that prevent domain spoofing. They also expect firms to have deployed security tools that flag suspicious emails, staff awareness training, and documented processes for reporting suspected phishing. The FCA will ask to see your phishing report dashboards, your remediation timelines, and evidence that suspicious emails are being blocked before they reach users.
The baseline expectation is that MFA is mandatory on all admin accounts and all accounts with access to sensitive data. But the FCA is increasingly asking about conditional access policies—rules that require additional verification when unusual access patterns are detected. Firms with only password + MFA are being treated as below-standard.
The regulator expects firms to have tested backup restoration to a known-good state at least annually. Many firms back up data but never test whether they can restore it. DORA specifically requires documented backup testing procedures, with evidence of successful restores. Regulators will ask to see your test plan, your test results, and your evidence of remediation if restoration failed.
Cyber insurance is increasingly viewed as a component of resilience, not a substitute for controls. The FCA is now asking firms to demonstrate that their cyber insurance covers realistic breach scenarios, including ransomware, data theft, and regulatory fines. Firms should ensure their policies cover breach notification costs, forensic investigation, and regulatory defence—not just data recovery.
Building DORA-compliant cybersecurity doesn't require enterprise-scale complexity. The following framework is practical for financial services firms of all sizes.
This layer stops most attacks before they enter your environment. It includes email security (anti-spoofing, anti-malware, user-reported phishing tools), endpoint protection (modern anti-virus, behavioural monitoring), and network segmentation. Prevention is the highest-ROI investment: a £5,000 email security tool that stops 95% of attacks is far more cost-effective than incident response.
For financial services, implement a DMARC policy in enforce mode, add real-time phishing detection, and enable user-friendly reporting tools. Staff should be able to report suspicious emails with a single click, and your security team should investigate flagged messages within 24 hours.
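The DMARC, SPF and DKIM evidence the FCA asks for comes down to a few published DNS TXT records, and "enforce mode" means a DMARC policy of p=quarantine or p=reject rather than p=none. The following added example (not code from the original article) checks a domain's records against that expectation; it works offline on constructed sample records for a fictitious domain, so the domain name, selector and key value are assumptions, not real lookups.

```python
import re

# Constructed sample TXT records for a fictitious domain (no DNS lookup is made): a weak
# posture beside the hardened one the text calls for. Keys stand in for the records found at
# _dmarc.<domain>, <domain> and <selector>._domainkey.<domain>.
WEAK = {"dmarc": "v=DMARC1; p=none; pct=50",
        "spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dkim": "v=DKIM1; k=rsa; p="}
HARDENED = {"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example-firm.test",
            "spf": "v=spf1 include:spf.protection.outlook.com -all",
            "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict (DMARC and DKIM share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    if not record.upper().startswith("V=DMARC1"):
        return ["no DMARC record published"]
    tags, findings = parse_tags(record), []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy or '<missing>'} is monitor-only, not enforce mode")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} leaves part of the spoofed mail unenforced")
    if "rua" not in tags:
        findings.append("no rua address, so spoofing attempts produce no aggregate reports")
    return findings

def assess_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record published"]
    if terms[-1].lower() not in ("-all", "~all"):
        return [f"SPF ends with '{terms[-1]}': unlisted senders pass instead of failing"]
    return []

def assess_dkim(record):
    tags = parse_tags(record)
    if not tags.get("p"):  # an empty p= tag is a revoked key, so signatures cannot verify
        return ["DKIM public key for the selector is missing or empty"]
    return []

def assess_domain(records):
    # Empty list means the posture matches the enforce-mode expectation.
    return assess_dmarc(records["dmarc"]) + assess_spf(records["spf"]) + assess_dkim(records["dkim"])
```

Run against live records by substituting the TXT values returned for your own domain; a non-empty result is the gap list to take into your remediation timeline.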
Even with strong prevention, some attacks will get through. Layer 2 ensures you detect them quickly. This includes endpoint detection and response (EDR) tools, security information and event management (SIEM) platforms, and active threat hunting. Detection isn't about having the most advanced tools; it's about monitoring the right signals and responding quickly.
For financial services, focus detection on M365 activity. Most financial services breaches involve compromised cloud accounts, unusual data access, or rapid email forwarding. A £2,000-per-month managed security service (SOC-lite model) can monitor these signals and alert your team within 30 minutes of suspicious activity.
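One of the highest-value M365 signals mentioned above is mail being forwarded out of the firm through inbox rules or mailbox settings. The following added example (not from the original article or a vendor product) runs that detection over a handful of constructed records shaped like Exchange Online entries from the Microsoft 365 Unified Audit Log; the firm's domain, user names and timestamps are made up, and the internal-domain list is an assumption you would replace with your own.

```python
import re

INTERNAL_DOMAINS = {"example-firm.test"}  # assumption: the firm's own mail domains
# Admin-audit operations and parameters that set up forwarding in Exchange Online.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample records in the shape of Unified Audit Log entries (values are made up).
SAMPLE_LOG = [
    {"CreationTime": "2025-03-01T08:02:11", "UserId": "a.jones@example-firm.test",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "Name", "Value": "Invoices"},
         {"Name": "ForwardTo", "Value": "archive@example-firm.test"}]},
    {"CreationTime": "2025-03-01T08:05:40", "UserId": "c.smith@example-firm.test",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "Name", "Value": "Backup"},
         {"Name": "ForwardTo", "Value": "smtp:c.smith.backup@mail-example.test"}]},
    {"CreationTime": "2025-03-01T08:06:02", "UserId": "c.smith@example-firm.test",
     "Operation": "Set-Mailbox", "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:c.smith.backup@mail-example.test"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2025-03-01T09:15:00", "UserId": "d.lee@example-firm.test",
     "Operation": "Set-Mailbox", "Parameters": [{"Name": "DisplayName", "Value": "D Lee"}]},
]

def external_addresses(value):
    """Pull addresses out of a parameter value and keep only those outside the firm's domains."""
    return [a for a in re.findall(r"[\w.+-]+@[\w.-]+", value)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]

def find_external_forwarding(records):
    """Alert on any rule or mailbox change that sends mail to an external address."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPS:
            continue
        for param in rec.get("Parameters", []):
            if param["Name"] in FORWARD_PARAMS:
                targets = external_addresses(param["Value"])
                if targets:
                    alerts.append({"time": rec["CreationTime"], "user": rec["UserId"],
                                   "operation": rec["Operation"], "targets": targets})
    return alerts

def users_to_review(records):
    """Distinct mailboxes with external forwarding, for the 30-minute triage the text describes."""
    return sorted({a["user"] for a in find_external_forwarding(records)})
```

Internal forwarding (the first record) is deliberately ignored so the alert list stays short enough for a small team to act on.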
When prevention and detection fail (and they will), Layer 3 minimizes damage. This includes incident response playbooks, forensic capabilities, backup and recovery systems, and crisis communication procedures. Layer 3 also covers regulatory notification and cyber insurance claims management.
For financial services, pre-arrange incident response support before you need it. DORA requires 24-hour incident response capability; firms without an existing contract will spend their first crisis week just finding a capable responder.
Conduct a gap analysis against DORA requirements. Map your current controls against each pillar. Identify vendor risk, test your backup restoration, and document your incident response procedures. Assign a single executive owner for DORA compliance.
Deploy or upgrade email security. Implement conditional access in Microsoft 365. Enforce MFA on all privileged accounts. Run a phishing simulation to establish a baseline for staff awareness. Budget for staff training; staff without training click suspicious links at a rate 5x higher than trained staff.
Deploy endpoint detection and response (EDR) on critical systems. Engage a managed security service provider (SOC-lite model) to monitor logs and alert on suspicious activity. Arrange incident response support. Test your incident response playbook with a tabletop exercise.
Establish ongoing vendor risk management. Implement quarterly backup restoration testing. Run annual incident response exercises. Brief your board quarterly on cyber risk metrics. Document everything—regulators want evidence of active governance.
The FCA has flagged recurring compliance gaps in financial services firms.
Firms assume cyber insurance is their compliance strategy. It isn't. Insurance covers financial losses; it doesn't satisfy DORA's control requirements. Controls must come first; insurance is a secondary layer.
Many firms deploy MFA but make it optional or allow workarounds. DORA expects MFA to be mandated and audited. Regulators will review your conditional access logs to verify that MFA is actually being enforced.
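The conditional access review described here, and the conditional access expectation set out earlier in the FCA questions, can be evidenced from sign-in logs: any successful sign-in to a privileged account that completed with a single factor shows MFA is optional in practice. The following added example (not from the original article) runs that check and a per-user MFA coverage figure over constructed events shaped like Microsoft Graph sign-in records; the privileged account list, user names and timestamps are assumptions.

```python
from collections import Counter

PRIVILEGED = {"admin.ops@example-firm.test", "breakglass@example-firm.test"}  # assumed admin accounts

# Constructed sign-in events shaped like Microsoft Graph signIn resources (values are made up).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-03-02T07:10:00Z", "userPrincipalName": "admin.ops@example-firm.test",
     "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-02T07:12:30Z", "userPrincipalName": "admin.ops@example-firm.test",
     "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-02T07:15:00Z", "userPrincipalName": "breakglass@example-firm.test",
     "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 50126}},  # failed sign-in: not evidence of a gap
    {"createdDateTime": "2025-03-02T08:00:00Z", "userPrincipalName": "a.jones@example-firm.test",
     "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied",
     "status": {"errorCode": 0}},
]

def successful(event):
    """errorCode 0 is a completed sign-in; anything else was refused."""
    return event.get("status", {}).get("errorCode", 1) == 0

def privileged_single_factor(events):
    """Successful admin sign-ins that did not require MFA: the gap a regulator would flag."""
    return [{"time": e["createdDateTime"], "user": e["userPrincipalName"],
             "conditionalAccess": e.get("conditionalAccessStatus")}
            for e in events
            if successful(e) and e["userPrincipalName"] in PRIVILEGED
            and e.get("authenticationRequirement") != "multiFactorAuthentication"]

def mfa_coverage(events):
    """Percentage of each user's successful sign-ins that required MFA, for the board report."""
    total, mfa = Counter(), Counter()
    for e in events:
        if not successful(e):
            continue
        total[e["userPrincipalName"]] += 1
        if e.get("authenticationRequirement") == "multiFactorAuthentication":
            mfa[e["userPrincipalName"]] += 1
    return {user: round(100 * mfa[user] / total[user]) for user in total}
```

A conditionalAccessStatus of notApplied on a privileged single-factor sign-in points to a policy scoping gap rather than a policy failure, which is the usual root cause of the optional-MFA pattern.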
Firms believe they're protected because backups are running, but they've never validated that backups can be restored. Documented backup testing is now a regulatory expectation. Many firms are being warned to add quarterly restoration testing to their compliance calendars.
Cybersecurity ownership is unclear. DORA requires clear accountability. Designate a Chief Information Security Officer (internal or external), give them explicit board reporting authority, and measure their performance quarterly.
DORA shifts cybersecurity accountability to the boardroom. Senior managers and board members now face personal liability for security failures. Cybersecurity must be a standing board agenda item, not an annual checkbox.
Boards should be reporting on three metrics quarterly: (1) the number of security incidents and their severity, (2) the percentage of staff who have completed security training, and (3) the status of critical remediation items from the most recent penetration test or audit.
Financial services boards are also increasingly asking third-party providers to validate their compliance. Engaging an external audit firm to validate your DORA compliance provides evidence of active governance and identifies gaps before regulators do.
DORA and FCA compliance represent a genuine shift in how financial services manage cybersecurity. The framework moves from "security as IT" to "security as business resilience." For firms that adapt quickly, this creates a competitive advantage.
The good news is that compliance is achievable. A well-resourced financial services firm can move from partial compliance to full DORA compliance in 6-9 months. Firms without dedicated security resources can achieve compliance by engaging managed security providers and external consultants.
The alternative—waiting for a breach to force compliance—is vastly more expensive. A typical financial services data breach now costs £1.5-£2 million in remediation, regulatory fines, and reputational recovery. DORA compliance, by contrast, costs £50,000-£150,000 per year depending on firm size and complexity.
Your board should be asking: Which investment makes sense for our firm?
