Preparation continues for the Digital Operational Resilience Act
Operational resilience has been top of mind for regulators and financial services firms for the past few years. Since the start of the pandemic, the world has continued to demonstrate that disruption is a constant, and that it is only increasing in frequency and complexity. The old way of managing risk and resilience programmes is no longer effective or efficient, and regulators have taken note.
Financial services (FinServ) firms are often the first to get the attention of regulators, but the push towards operational resilience extends far beyond FinServ. While the methodology or framework for resilience may differ, the expectations are clear: businesses must adapt to the changing environment, mitigate potential impacts, and continue to deliver important services to customers.
Increasingly, financial services supervisory authorities are seeking to ensure that third parties supporting a firm’s important business services meet all resilience requirements. A key focus has been on technology and data service providers (TSPs), as cyber attack incidents such as SolarWinds and Log4j have proven that third parties can present risks that significantly impact important business services. Currently, TSPs are subject to financial service providers’ requirements via contractual obligations (such as the European Banking Authority’s third-party outsourcing requirements).
One piece of legislation that is addressing these risks is the landmark Digital Operational Resilience Act (DORA), which has officially been adopted by the Council of the European Union. It is now a legal reality for impacted organizations and comes into force in 2025.
The DORA is built around five principles that together lead to operational resilience. Thankfully, the concepts aren’t new; the Act is broadly similar to existing frameworks. It formalises existing third-party outsourcing requirements and provides more prescriptive guidance on regulatory expectations. Let’s take a look at the five overarching pillars of the DORA:
The five pillars of the DORA
1. Risk management
To meet the DORA’s standards, firms must update their technology risk management governance. The updated framework requires firms to identify important business functions and dependent risks, as well as map the TSP assets that run them. Firms are required to define their TSP risk tolerance based on each financial entity’s unique risk appetite and impact tolerances for TSP disruption.
2. Incident reporting and classification
The DORA unifies ICT (information and communications technology) incident management processes by introducing a standard incident classification methodology with a set of prescriptive criteria (including the number of users impacted, duration, geographic spread, data loss, impact to ICT systems, and criticality of the services affected). Like other regulatory mandates, the DORA requires significant incidents to be reported to the regulator. Major incidents must be reported within the same business day, and follow-up reporting will be due after a week.
3. Resiliency testing
Firms will be required to run comprehensive scenario testing and simulations focused on technical testing, covering a broad range of practices, assessments, and tests. Testing requirements will be proportionate to a financial entity’s size, business, and risk profile. The most critical firms will also have to organise a large-scale, threat-led, live penetration test (a red-team style exercise) every three years, performed by independent testers, covering critical functions and services, and involving EU-based ICT third parties. The scenario will have to be agreed upon by the regulator in advance, and firms will receive a compliance certificate upon completion of the test.
4. Supply chain management and third-party risk
The DORA intends to help prevent systemic economic disruption by ensuring that sound third-party risk management practices are in force for critical TSPs. Financial entities must monitor risks from TSPs and the regulatory requirements address the elements that are considered crucial for end-to-end monitoring throughout the third-party relationship. This includes contracting, performance, termination, and post-contract stages of the vendor lifecycle.
5. Oversight framework
The DORA broadens the oversight framework to include information sharing, better audit access, and guidance on retrospective analysis.
- Information sharing
  - To help raise awareness of ICT-related risk across jurisdictions and organizations and minimise its spread, the regulation allows covered financial entities to exchange information amongst themselves. The goal is to prevent the spread of cybercrime before a disastrous economic impact occurs, much as law enforcement agencies share information about terrorists or other criminals.
- Audit access
  - The DORA grants regulators the ability to perform audits directly throughout the supply chain of impacted financial entities. While this helps to drive compliance and create a stronger supply chain, firms must understand their third parties and their contracts, and be able to generate reports and supply information quickly.
- Retrospective analysis
  - The DORA encourages the entire community to learn from disruptive incidents that occur. By studying a collective set of incidents and revising policy accordingly, improvements can be made that prevent multiple organizations from falling victim to the same type of incident.
What can you do to prepare?
While the DORA aims to harmonise existing frameworks and standards, the proposed implementation timeline is aggressive and requires organizations to start preparing now. Here are five proactive steps that organizations can take to meet the requirements:
- Conduct a risk assessment, including a gap analysis, to ensure that your organization can meet the new requirements by the deadline of early 2025. Some of the requirements may be a heavy lift, so understand what you need to do now so that you’re not unprepared when compliance is expected.
- Partner with corporate compliance or learning and development teams to meet the legislation’s organization-wide operational resilience training requirements.
- Begin changing your organization’s incident classification methodology to align with the requirements in the DORA. You will also need to demonstrate the business processes and workflows that deliver the required notification to regulators if a major incident occurs.
- Start thinking about a scenario for the large-scale penetration test, aiming to get it validated by the regulator before the 2025 deadline. Be sure to engage your critical technology and data service providers in this process.
- Leverage technology to help you build an operational resilience programme quickly.
Author:
Chloe Swierzbinski, Director of Product Marketing, Fusion Risk Management