On 28th November 2022, the European Council formally adopted the Digital Operational Resilience Act (DORA), new legislation designed to strengthen the IT security of financial entities such as banks, insurance companies and investment firms.Originally proposed in September 2020 as part of a larger European digital finance package, DORA’s recent adoption by the EC is the final step in the legislative process before it is passed into law by each EU member state. At the same time, the relevant European Supervisory Authorities (ESAs) will develop technical standards for all financial services institutions to abide by. The respective national competent authorities will then take on the role of compliance oversight and enforce the regulation as necessary.
What is DORA?
DORA creates a regulatory framework, homogenous across all EU member states, whereby all in-scope firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.
The Act sets out uniform requirements for the security of network and information systems of firms operating in the financial sector. As an EU Act, DORA focuses on the harmonisation of rules in Europe and does not apply directly in the UK, although UK firms conducting business in Europe will still be subject to its requirements.
The UK authorities have their own approach to operational resilience, laid out by the Prudential Regulation Authority (PRA) earlier this year, which are broadly aligned with DORA. There are differences however, says Rogier Binsbergen, Director at S&P Global Market Intelligence.
“One specific thing that is different from the UK and EU perspective is how criticality is defined,” he says. “In the EU, and under DORA, this will be called critical and important functions. In the UK, they call it important business services, so they look at it from a business perspective. In essence, you could say it’s the same thing, but the definition matters. In the long run, this still needs to be harmonised, to have one really good definition of what it is that we want to ultimately focus on to protect the financial system as a whole.”
Another difference is that DORA focuses specifically on the digital aspect of operational resilience, whereas the UK regulations are a little broader, covering physical security and resources such as personnel, etc.
Third Party Risk Management
An important aspect of DORA is that it applies not only to financial entities, but also to their ICT third-party providers designated as ‘critical’, through a newly established oversight framework. These critical third party providers (CTPPs) will be subject to extensive supervisory powers from the ESAs, who will be able to assess them, ask them to change their practices, and sanction them where necessary. This means that it is essential for firms to assess what’s critical and what isn’t, says Binsbergen.
“It’s fundamental that you define what are the critical functions and services in your organisation,” he says. “Then it’s important to define all the processes that support those critical services or functions, and then at the next level, the dependencies required to support those processes, which can be a variety of applications, networks, people, and so on. Once you’ve mapped all that – which is quite an exercise – any third parties that support those critical functions, processes or dependencies, should then be labelled as critical third parties from your organisation’s perspective.”
Another key pillar of DORA is the requirement for firms to adopt a robust and comprehensive testing programme covering ICT tools, systems and processes, including those provided by third parties.
“Industry participants are going to have to do rigorous testing every year, to make sure they meet certain thresholds around risk scenarios, report on that, and also take any corrective actions,” says Yousaf Hafeez, Head of Business Development, Radianz at BT Global. “Those firms that are dependent upon their technology vendors – whether they are CTPPs or not – will be reliant upon those vendors to help them with the required testing.”
Firms designated as ‘systemically important’, will also need to conduct advanced threat-led penetration testing every three years.
“One of the most important things that comes up with DORA is the requirement for threat-led penetration testing,” says Marlena Efstratopoulou, Chief Risk Officer at Options Technology, the managed services and infrastructure provider. “Previously, many organisations would just engage with a third party to tick that box for that particular calendar year. DORA requires you to go a step further, by engaging with an organisation whose main goal is to expose and exploit any risks, vulnerabilities or holes you have in your systems. And that will be what defines your risk management and drives a lot of your processes. So in a way, it’s moving security from a compliance-driven approach to a risk-based, practical approach.”
Contractual Implications for Vendors
DORA sets out various requirements for contractual arrangements between firms and their third-party ICT suppliers, which are broadly aligned with existing European Banking Authority (EBA) guidelines on outsourcing arrangements. But firms will need to look closely at what they have in place now versus what they need to do to comply with DORA, suggests Efstratopoulou.
“You need an internal audit or compliance department or a senior person who’s responsible for these activities to conduct a gap analysis between the regulations you already comply with and what DORA requires,” she say. “Ideally, you want to have a universal compliance framework, listing all the controls that are applicable for each region, mapped across the different regulatory requirements. And if there are specific requirements or if there are more features or controls required, that’s the point where you define your baseline, and obviously you try to adhere to the more stringent requirements.”
The increased obligations that DORA places on third parties mean that service level agreements need to be very clearly defined, says Hafeez.
“Firms need to reach out to their CTPPs and ask them for detailed policies around critical processes and get those nailed into strict SLAs,” he says. “Critical providers will have to step up and offer an additional layer of services beyond what they offer today. They need to be able to offer resources at times when their customers are performing their resilience testing, and – very importantly – working with their customers to take corrective action, if any is deemed necessary.”
“It’s important to have strict SLAs right through the supply chain,” adds Efstratopoulou. “So the end client has SLAs with the bank or the hedge fund, who has SLAs with us, which are more stringent than what they have with their clients. And we have SLAs with our third-party providers. In fact at Options, this is why we ended up going into partnerships with a lot of our own critical third parties, because the only way we can get SLAs from big cloud or datacentre providers for example, is if we are in a partnership agreement rather than a standard client contract.”
Although ultimate responsibility for managing a regulated firm’s ICT risks will lie with the management body of that firm, CTPPs will certainly face greater scrutiny under DORA, says Guy Warren, CEO of ITRS, the monitoring and analytics software company.
“I expect the pressure to be passed on,” he says. “As senior people within financial organisations come under pressure and/or have an investigation running and/or get a fine, they’ll pressurize their people internally, but they’ll also turn to their vendors, particularly SaaS or third party vendors. They’ll want those vendors to be as accountable as they are, even though they’re tech companies. And those tech companies will want to pass that pressure on to their third party providers too”.
Does this mean that software companies and managed service providers could potentially face large fines if they are in breach of DORA?
“Software vendors can’t take indirect liabilities,” argues Warren. “The amount of money a bank makes compared to what they pay a vendor for software is massively disproportionate. A bank can take a $10 million fine, but if they’re only paying a vendor $100,000 a year, it would be nuts for the vendor to take that risk on. So I doubt the regulators will come directly to the tech firms, they’ll do it through the regulated entity. But in terms of which third parties will come under the regulated entities’ scrutiny, that’s pretty far-reaching.”
It’s clear that DORA is likely to have a significant impact on both financial firms and their technology partners. So what are the key steps that firms and their CTPPs should be taking now?
“To prepare for DORA, first of all you have to build a Third Party Risk Management (TPRM) function and operations,” says Binsbergen. “Firms who are not at that stage yet really have to move fast. DORA has now been adopted by the European Parliament and in two years’ time, you will have to be compliant with all those rules. In the meantime, more detailed regulatory technical standards will be developed and published by the ESAs, providing more granularity on what you have to do. But the key thing is to take action. Perform a gap analysis against DORA, see where you lack and start building. Then perform a risk assessment on your third parties and distinguish in particular critical versus non-critical third parties. That’s a heavy task. And think about how you can use data, in particular data screening, to classify at an early stage where you want to do in-depth due diligence versus where you want to do maybe a lighter assessment.”
Subscribe to our newsletter