DORA Deadline Looms: Only 20% of Firms Ready with Stressed Exit Plans, Says Report

With less than five months before the EU’s Digital Operational Resilience Act (DORA) comes into full effect, a mere 20% of financial professionals report having adequate stressed exit plans in place for their critical Information, Communications and Technology (ICT) vendor agreements.

The stark revelation comes from the Supplier Stability in Operational Resilience report, commissioned by Escode, a software escrow solutions provider owned by NCC Group. The research comes in the aftermath of the CrowdStrike IT outage in July that saw thousands of businesses across the globe grind to a halt as a result of a faulty software update. This operational resilience event has underscored the need for greater digital supply chain resilience, particularly in critical sectors such as financial services.

The CrowdStrike event followed an earlier incident wherein clients of UniSuper, an Australian superannuation fund, were unable to access accounts after a ‘one-of-a-kind’ Google Cloud misconfiguration led to the provider’s private cloud account being deleted. UniSuper was able to eventually restore services because the fund had backups in place with another provider.

As financial services become more dependent on third parties within complex IT ecosystems, the risks of supplier disruption have grown significantly. In response, the G20 financial regulatory bodies, including the Bank of England, ESMA, the US Federal Reserve, the Office of the Comptroller of the Currency, and FDIC, have introduced stringent guidelines aimed at improving third-party risk management. These measures are designed to strengthen operational resilience throughout the financial sector.

Yet despite a strong push from financial regulators to embed this at all levels of the firm, it seems that only a minority of financial organisations currently adhere to regulatory requirements around third-party risk management (TPRM).

According to Wayne Scott, Regulatory Compliance Solutions Lead at Escode, “The financial industry faces a pivotal moment to fortify its supply chain management practices. Regulatory pressures are intensifying – and creating challenges that strain institutions and their customers. It is troubling that there is still considerable variability in how third-party governance is approached across the industry – particularly in light of events such as the CrowdStrike outage.”

“The fact that only a fraction of institutions has robust stressed exit plans is cause for real concern,” notes Scott. “It’s not a matter of neglecting recommendations, but rather a need for better support and education on implementing these critical measures.”

DORA is the most prescriptive set of regulatory obligations enacted to counter the systemic effects of concentration risks from operational resilience events. The impacts on firms’ governance, policies, procedures, surveillance, executive accountability, and sponsorship are profound.

Firms are required to integrate ICT vendor risk management into their overall governance framework, establish comprehensive policies and procedures, implement continuous surveillance mechanisms, ensure executive accountability, and secure executive sponsorship for digital operational resilience initiatives.

These measures collectively are designed to enhance the firm’s ability to withstand, respond to, and recover from ICT-related disruptions and threats, thereby safeguarding the overall stability and security of the financial sector.

DORA mandates the inclusion of stressed exit plans in all ICT third-party license agreements, so that the failure of a critical supplier, whether a cloud outage or a software vendor going out of business, does not cascade into a major systemic disruption of the financial sector.

Yet despite global regulatory efforts and the imminent DORA obligations, the new survey suggests the industry remains alarmingly underprepared. Only a fifth of the global professionals surveyed reported having stressed exit plans in place for 76-100% of their license agreements, while just under half reported having them in place for only 0-10% of agreements.

Just 19% of respondents expressed ‘complete confidence’ in their current third-party stressed exit plans. DORA entered into force in January 2023 with a two-year implementation period, and regulators are unlikely to extend the compliance deadline.

The Supplier Stability in Operational Resilience report draws from a survey of 107 respondents within financial institutions across the UK, North America, and Europe, supplemented by expert interviews conducted jointly with CeFPro, an international research organisation focused on the financial services sector.
