The European Union (EU) is implementing the Digital Operational Resilience Act (DORA) as part of its drive to reduce the vulnerabilities and strengthen the resilience of critical organisations such as banks, insurance companies and investment firms. It is primarily designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements so that all participants are subjected to the same set of standards.
DORA addresses areas of cyber, resilience testing, third-party outsourcing, incident reporting and ICT risk management. DORA also introduces a framework to aid financial services firms in their oversight and assurance of critical third parties, which includes Cloud Service Providers (CSPs).
To be or not to be resilient
DORA calls on financial services organisations to address “any reasonably identifiable circumstance in relation to the use of network and information systems”.
Firms that consider DORA to be a fundamental aspect of resilience will likely expect the same of critical partners and suppliers, raising standards across the financial services ecosystem. Firms operating to higher standards will build trust and provide greater benefits to consumers and the market.
DORA expects the management body of financial services firms to be accountable for all components relating to ICT risk and cyber threats. With a well-informed management cadre leading from the front, firms stand a far greater chance of making better decisions to prevent disruptions.
Decisions that may have gone another way (for example, spending or complexity challenges for tooling solutions) can now be sense-checked against DORA. For example:
- Do we have a reasonably identifiable threat?
- Do we understand the nature of the threat?
- Are the sources credible? Making use of trusted sources such as the National Cyber Security Centre (NCSC) would be a good starting position.
The 5 Pillars in the DORA Regulation:
So, what are the main obligations of DORA?
- ICT Risk Management: DORA sets out several key requirements for firms to establish and maintain resilient ICT systems that seek to minimise the impact of any disruptive event. ICT risk should be continually and proactively identified, and preventative controls uplifted and maintained, to ensure that they are always effective and fit for purpose. Given that firms realistically won’t be able to prevent every threat, they must maintain a readiness to respond when a disruption does occur. This means creating, maintaining, and testing business continuity management (BCM) and disaster recovery (DR) plans to ensure prompt recovery following a disruptive event. Lastly, firms must incorporate lessons learned from any disruptive event, feeding them back into the proactive risk identification, prevention, and detection stages.
- ICT Incident Reporting: A process should be established to monitor and capture ICT-related incidents. The firm should establish mechanisms and capabilities to monitor, manage, and follow up on incidents, including reporting incidents to the appropriate authorities using a common template. In addition, the firm should submit regular update reports on ICT incidents to its users and clients.
- Digital Operational Resilience Testing: Firms should implement, and regularly conduct, a proportionate and risk-based digital operational resilience testing programme. In addition, firms should conduct Threat-Led Penetration Testing (TLPT) to address higher levels of risk exposure. Where testing identifies weaknesses or gaps, these must be addressed with uplifted or new preventative measures to prevent recurrence.
- ICT Third Party Risk: Firms should ensure that critical third parties are treated as an extension of their ICT Risk Management Framework, which means firms must monitor and manage any risks where a third party is a critical component of a service or ICT application.
- Information sharing: Firms should create and maintain a process to share cyber threat information and intelligence, provided that such exchange of information aims to enhance ICT resilience across the financial services sector.
What does DORA mean for UK Financial Entities?
Earlier this year, the UK Government hinted that it would implement a DORA equivalent. The UK Regulators (FCA and PRA) have been driving improvements in Operational Resilience in recent years.
In July 2022, the FCA published a discussion paper on ‘Critical Third Parties’ (DP22/3: Operational Resilience: Critical Third Parties to the UK Financial Sector) which is a key element in the DORA proposal. DP22/3 is in response to the increased reliance on third-party services supporting the financial services industry.
A key message from this discussion paper is that the UK supervisors should hold firms accountable for their Operational Resilience, whether or not they rely on third parties. It will be very interesting to see these developments mature and unfold. Watch this space for further related articles.
How FourthLine can help
FourthLine's technology risk and data resilience consultancy team can conduct a full review of your firm's current data and technology infrastructure and identify key risks and vulnerabilities to focus on.
Enquire about our Technology and Data Risk consulting services here.
