With less than five months before the EU’s Digital Operations Resilience Act (DORA) comes into full effect, a mere 20% of financial professionals report having adequate stressed exit plans in place for their critical Information, Communications and Technology (ICT) vendor agreements.
The stark revelation comes from the Supplier Stability in Operational Resilience report, commissioned by Escode, a software escrow solutions provider owned by NCC Group. The research comes in the aftermath of the CrowdStrike IT outage in July that saw thousands of businesses across the globe grind to a halt as a result of a faulty software update. This operational resilience event has underscored the need for greater digital supply chain resilience, particularly in critical sectors such as financial services.
The CrowdStrike event followed an earlier incident wherein clients of UniSuper, an Australian superannuation fund, were unable to access accounts after a ‘one-of-a-kind’ Google Cloud misconfiguration led to the provider’s private cloud account being deleted. UniSuper was able to eventually restore services because the fund had backups in place with another provider.
As financial services become more dependent on third parties within complex IT ecosystems, the risks of supplier disruption have grown significantly. In response, the G20 financial regulatory bodies, including the Bank of England, ESMA, the US Federal Reserve, the Office of the Comptroller of the Currency, and FDIC, have introduced stringent guidelines aimed at improving third-party risk management. These measures are designed to strengthen operational resilience throughout the financial sector.
Yet despite a strong push from financial regulators to embed this at all levels of the firm, it seems that only a minority of financial organisations currently adhere to regulatory requirements around third-party risk management (TPRM).
According to Wayne Scott, Regulatory Compliance Solutions Lead at Escode, “The financial industry faces a pivotal moment to fortify its supply chain management practices. Regulatory pressures are intensifying–and creating challenges that strain institutions and their customers. It is troubling that there is still considerable variability in how third-party governance is approached across the industry – particularly in light of events such as the CrowdStrike outage.”
“The fact that only a fraction of institutions has robust stressed exit plans is cause for real concern” notes Scott. “It’s not a matter of neglecting recommendations, but rather a need for better support and education on implementing these critical measures.”
DORA is the most prescriptive set of regulatory obligations enacted to counter the systemic effects of concentration risks from operational resilience events. The impacts on firms’ governance, policies, procedures, surveillance, executive accountability, and sponsorship are profound.
Firms are required to integrate ICT vendor risk management into their overall governance framework, establish comprehensive policies and procedures, implement continuous surveillance mechanisms, ensure executive accountability, and secure executive sponsorship for digital operational resilience initiatives.
These measures collectively are designed to enhance the firm’s ability to withstand, respond to, and recover from ICT-related disruptions and threats, thereby safeguarding the overall stability and security of the financial sector.
DORA mandates the inclusion of stressed exit plans in all ICT third party license agreements to prevent a critical supplier failure – from cloud outages to software companies failing – creating a major systemic disruption to the financial sector.
Yet despite global regulatory efforts and the imminent DORA obligations, the new survey suggests the industry remains alarmingly underprepared. Only a fifth of global professionals surveyed reported having stressed exit plans in place for 76-100% of license agreements, with just under a half reporting these were in place for 0-10% of agreements.
Just 19% of respondents expressed ‘complete confidence’ in their current third party stressed exit plans. DORA entered into force in January 2023 and with a two-year implementation period, and regulators are unlikely to extend the compliance deadline.
The Supplier Stability in Operational Resilience report draws from a survey of 107 respondents within financial institutions across the UK, North America, and Europe, supplemented by expert interviews conducted jointly with CeFPro, an international research organisation focused on the financial services sector.
Subscribe to our newsletter