The growing role of time in cybersecurity compliance
New technological possibilities have brought innovation to several industries at a faster pace than ever before. But our growing dependence on this technology brings with it an increased level of cyber risk, which, over the past few years, has had a secondary effect: new cybersecurity legislation designed to control it.
These new regulations (such as DORA, NIS2 and MiFID II) have been designed to protect critical infrastructure and the valuable institutions deemed more attractive to attackers because of their ability to pay high ransom fees: financial services, ICT providers, and essential sectors like transport and water. According to the IMF, global cyber attacks have more than doubled since the Covid-19 pandemic, while the size of extreme financial losses has quadrupled since 2017.
The increased volume and sophistication of cyber attacks, combined with the reliance of critical sectors of the economy on digital infrastructure and data storage, has brought new areas under increased scrutiny – including time.
It’s about time
The scenario of timing data being used as a lever in cyber attacks is no longer hypothetical. Two incidents are often cited here: the Ukrainian power grid outages and the loss of around $450m worth of bitcoin from the Mt Gox exchange. It is worth being precise, because the public record of both points elsewhere: the Ukrainian outages of 2015 and 2016 are attributed to stolen credentials and purpose-built control-system malware, and the Mt Gox losses to compromised wallets, not to hijacked NTP servers feeding false time to the grid or the exchange.
What is well documented is the attack class itself. Researchers have shown that an attacker who can intercept or impersonate an NTP server can step a victim's clock by minutes or even years, because plain NTP carries no authentication by default. A shifted clock then makes expired TLS certificates look valid (or valid ones look expired), breaks Kerberos and DNSSEC validity windows, disorders transaction records, and corrupts the timestamps that incident responders rely on to reconstruct what happened.
These episodes place an unfortunate but overdue spotlight on the need for secure, resilient and accurate time for true cybersecurity. The need for timing solutions able to withstand attacks like these has become clear.
A new approach to cybersecurity
Naturally, governments want to protect their economies and the businesses critical to them from harm. To this end, several new regulations have been introduced to raise the common level of cybersecurity across the European Union, and each of them depends, directly or indirectly, on trustworthy time.
DORA, the Digital Operational Resilience Act, applies to financial entities in the EU and to the ICT third-party providers that serve them, and mandates measures for operational resilience: ICT risk management, incident classification and reporting, resilience testing and third-party oversight. Incident detection, logging and reporting all depend on consistent, trustworthy timestamps, so the systems that synchronise clocks, and the records showing how they do so, fall within the scope of DORA's resilience and documentation requirements. Businesses have to be able to show that their timing systems are genuinely resilient, not merely present.
NIS2, the revised Network and Information Security Directive, applies to a wide range of organisations classed as essential or important entities (the older NIS terms "operators of essential services" and "digital service providers" no longer apply). Covered sectors include banking and financial market infrastructure, ICT and digital infrastructure (cloud computing, data centres, DNS), transport, energy and water, and, among digital providers, online search engines and marketplaces; whether an entity is essential or important depends mainly on its sector and size. NIS2 does not prescribe a clock accuracy, but its requirements on risk management, incident handling and reporting, business continuity and supply chain security all rest on logs and reports whose timestamps can be trusted. Accurate, synchronised time with low jitter and built-in resilience to GNSS spoofing or jamming and to manipulated NTP is therefore part of a defensible compliance baseline.
A slightly older, but still vital, piece of regulation is MiFID II (the Markets in Financial Instruments Directive). Under its clock-synchronisation standard, RTS 25, trading venues and their members must keep the clocks used to timestamp reportable events within a set divergence from Coordinated Universal Time (UTC): 100 microseconds for high-frequency algorithmic trading, 1 millisecond for other electronic trading, and 1 second for voice trading. Firms must also be able to demonstrate traceability of their clocks to UTC, which turns precision timing, and the records proving it, into a priority for those affected.
An era of innovation
Fortunately for compliance purposes, necessity has bred innovation in the cybersecurity world, with a model based on shared infrastructure taking centre stage. The size of the global cybersecurity market was estimated at $222.6 billion last year, and is predicted to grow 12.3% year-on-year until 2030. And with this growth comes unprecedented development in cybersecurity solutions: several growing scaleups offer proof of innovation in this area. Take Corax, which provides data analytics and modelling to help businesses predict their cyber risk exposure, for example; or CryptaLabs, which focuses on eliminating the weaknesses in traditional encryption systems.
In the timing arena, Hoptroff's Traceable Time as a Service (TTaaS®) offers time as a utility to subscribe to, rather than something each institution has to build and run itself. Businesses using our Smart Timing can readily demonstrate compliance with legislation such as DORA and NIS2: calibrated timekeeping, comprehensive records of timing data and transparent documentation of timing processes give auditors the evidence of accuracy, reliability and transparency those regimes expect.
Hoptroff Smart Timing provides time synchronisation with down-to-nanosecond accuracy, so that events across your digital environment can be fully traced and ordered, while our Time Feed derives its time from multiple UTC sources for increased resilience to GPS/GNSS outage. We conduct ongoing audits, security assessments and updates to maintain compliance, and have built in robust security measures to protect sensitive timing data, including encryption, access controls and audit logging, which guard against unauthorised access to, or manipulation of, timing information.
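As an added example (not Hoptroff's code and not part of the original page), the following Python shows how a client that takes time from several UTC references can reject a hijacked NTP server of the kind described under "It's about time", and then judge the surviving consensus against the MiFID II RTS 25 tolerances. It uses Marzullo's interval-intersection algorithm, the same idea NTP's selection algorithm uses to separate "truechimers" from "falsetickers". The source names, offsets and uncertainties are constructed for illustration; the RTS 25 thresholds are the ones stated above.

```python
"""Falseticker-resistant clock check against a MiFID II RTS 25 tolerance.

Added example, not Hoptroff code. All source names, offsets and
uncertainties below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeSample:
    source: str            # hypothetical label for a UTC reference (GNSS, NTP/PTP server)
    offset_us: float       # measured offset of the local clock from this source, microseconds
    uncertainty_us: float  # error bound the source claims (e.g. NTP root distance)

    @property
    def interval(self):
        """The range in which this source says the true offset lies."""
        return (self.offset_us - self.uncertainty_us, self.offset_us + self.uncertainty_us)


# MiFID II RTS 25 maximum divergence from UTC, by trading activity (microseconds)
RTS25_MAX_DIVERGENCE_US = {
    "hft": 100.0,           # high-frequency algorithmic trading
    "electronic": 1_000.0,  # other electronic trading
    "voice": 1_000_000.0,   # voice / manual trading
}


def marzullo(intervals):
    """Largest set of mutually overlapping intervals (Marzullo's algorithm, as in NTP).

    Returns (count, (lo, hi)): how many intervals overlap and the span they share.
    """
    events = []
    for lo, hi in intervals:
        events.append((lo, -1))  # start of an interval
        events.append((hi, +1))  # end of an interval
    events.sort()                # -1 sorts before +1, so touching intervals count as overlapping
    best, count, best_span = 0, 0, (None, None)
    for i, (x, kind) in enumerate(events):
        count -= kind            # +1 on a start, -1 on an end
        if count > best:         # only ever triggered on a start, so events[i + 1] exists
            best, best_span = count, (x, events[i + 1][0])
    return best, best_span


def evaluate(samples, activity):
    """Pick truechimers, derive a consensus offset and judge RTS 25 compliance.

    A majority of sources must agree. A single hijacked NTP server that steps
    the clock cannot drag the result; it is reported by name as a falseticker.
    Without a majority the check fails closed (no consensus, not compliant).
    """
    count, (lo, hi) = marzullo([s.interval for s in samples])
    quorum = count > len(samples) / 2
    truechimers = [s.source for s in samples
                   if s.interval[0] <= lo and s.interval[1] >= hi]
    falsetickers = [s.source for s in samples if s.source not in truechimers]
    consensus_us = (lo + hi) / 2 if quorum else None
    tolerance_us = RTS25_MAX_DIVERGENCE_US[activity]
    compliant = quorum and abs(consensus_us) <= tolerance_us
    return {
        "activity": activity,
        "tolerance_us": tolerance_us,
        "quorum": quorum,
        "consensus_offset_us": consensus_us,
        "truechimers": truechimers,
        "falsetickers": falsetickers,
        "compliant": compliant,
    }


# Constructed samples: three honest references and one NTP server that has been
# hijacked to push the clock three seconds off (the "malicious timing data" scenario).
SAMPLES = [
    TimeSample("gnss", 12.0, 5.0),
    TimeSample("ntp-a", 15.0, 10.0),
    TimeSample("ntp-b", 20.0, 8.0),
    TimeSample("ntp-rogue", 3_000_000.0, 10.0),
]

if __name__ == "__main__":
    for activity in RTS25_MAX_DIVERGENCE_US:
        print(evaluate(SAMPLES, activity))
```

Run it directly to print a verdict per activity class. The property worth noting is that one source cannot move the result however far off it lies: the three honest references share the span 12 to 17 microseconds, the consensus offset is 14.5 microseconds (inside even the 100 microsecond HFT limit), and `ntp-rogue` is named as the falseticker, which is exactly the record an incident responder or auditor wants in the log. Two rogue sources out of four would defeat the quorum, so the check refuses to pick a side rather than trusting either camp.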
Ready to learn more?
At Hoptroff, we have significant experience with compliance, and our expert team is always on hand to support institutions through the process. Contact us today to learn more about how Hoptroff can help with your cybersecurity requirements.