In response to the European Union’s demand for increased operational resilience within the financial services sector, on 24 September 2020, the European Commission published a proposal for a new regulation – the Digital Operational Resilience Act (DORA). In this article, we explore the concept of operational resilience, the types of entities affected and the immediate impact on financial institutions and critical ICT third-party service providers.
CONCEPT OF DIGITAL OPERATIONAL RESILIENCE
Digital operational resilience is the ability to build, ensure and test the technological operational integrity of an organization. It ensures that an organization can continue to guarantee the continuity and quality of its services in the face of operational disruptions in information and communication technologies (ICT).
Examples of disruptions affecting ICT technologies include cyber-attacks and other incidents such as technology failures as well as malicious and non-malicious events.
AIM OF THE PROPOSAL
The existing EU legal framework for ICT risk and operational resilience in the financial sector is fragmented and to some extent inconsistent.
The financial sector is heavily dependent on information and communication technologies. This dependence makes financial entities particularly vulnerable to cyber-attacks or incidents. Moreover, the impact of an attack on or disruption to a key cross-border financial service can have far-reaching consequences for other companies, sub-sectors or even the rest of the economy. Therefore, digital operational resilience in the financial sector is of enormous importance for society as a whole.
DORA should ensure that all stakeholders in the financial sector have the necessary security measures in place to prevent or mitigate ICT-related cyber-attacks and other incidents.
TYPES OF ORGANIZATIONS AFFECTED BY DORA
According to the proposal, the DORA obligations would apply to all financial entities regulated at the EU level, namely:
- Financial entities such as credit and payment institutions, electronic money institutions, investment firms, crypto-asset service providers, alternative investment funds managers, management companies, insurance undertakings and intermediaries, credit rating agencies, audit firms, institutions for occupational retirement pensions, securities, trade and securitisation repositories, crowdfunding service providers.
DORA is not limited to regulated firms in the financial sector. The second part of DORA would impact businesses which provide ICT services to those financial entities, creating a level playing field for them:
- ICT third-party service providers such as providers of cloud computing services, software, data analytics and data centres.
MAIN PRACTICAL REQUIREMENTS OF DORA
DORA introduces requirements across five pillars:
1. ICT risk management: Financial entities will be required to create and maintain a sound, comprehensive and well-documented ICT risk management framework. This must include a dedicated and comprehensive business continuity policy, disaster recovery plans and a communications policy. Alongside this framework, financial entities will have to use and maintain ICT systems that meet certain requirements, allowing them to promptly detect anomalous activities, identify all sources of ICT risks on a continuous basis, design and implement security and threat-prevention measures, and promptly activate response and recovery measures.
2. ICT-related incidents: DORA will first and foremost harmonize and streamline the reporting of ICT-related incidents. Then, it will require financial entities to establish and implement a robust process for managing ICT-related incidents and implement early warning indicators. Financial entities will have to classify ICT-related incidents and report "significant" ICT-related incidents to a central EU hub.
3. Digital operational resilience testing: Financial entities will be required to conduct regular digital operational resilience testing by independent internal or external parties. Besides the requirements linked to the first pillar, your ICT risk management framework must also include a comprehensive digital operational resilience testing program, in consideration of proportionality principle. This program should include a range of assessments, tests, methodologies, practices and tools, procedures and policies to prioritize, classify and remedy defects and ensure all are fully addressed. The European Banking Federation (EBF) recommends allowing firms to test the main critical systems and applications following a risk-based approach. This approach should enable the consideration of sensible (multi-year) windows of time in light of the level of criticality.
4. Managing ICT third-party risks: DORA will prescribe certain strict content requirements for contracts between financial entities and ICT third-party service providers, including the locations where data is processed, service level descriptions, reporting obligations, rights of access as well as circumstances in which such contracts must be terminated.
5. Information sharing arrangements: DORA will allow financial entities to exchange cyber-threat information and intelligence among themselves.
The proposal now goes through the EU's ordinary legislative procedure. The draft law adopted by the European Commission on 24 September 2020 still must be submitted to the European Parliament for review and approval, among other things. A final version is not expected before the end of 2021. Once DORA is adopted, companies will have a transitional period to comply with most of the requirements.
Financial institutions that currently fall within the scope of the European Commission should assess the gaps between their operating model and the expanded regulations and should then start to plan accordingly to adapt to the upcoming changes.
To be prepared, we recommend that organizations take the following steps:
- Act now to improve your operational resilience! This is not a tick-box exercise.
- Perform a maturity assessment against the DORA requirements, with associated gap analysis and mitigation plan to reach compliance.
- Leverage the ongoing work on consolidation of the register of information for all ICT third-party providers as is currently imposed by the EBA guidelines on outsourcing.
- Start defining the range of assessments, test scenarios, methodologies, practices, tools and external parties needed to support the digital operational resilience testing program.
Capco has extensive experience in ICT risk management and can support the assessment of your digital operational resilience maturity as well as defining a framework for improved governance and mitigation plans.
To discuss and find out more, please get in touch. Our experts are here for you.
Alexandre Vandeput, Principal Consultant
M +32 499 755 200