The DORA: strengthening the operational resilience of the financial sector

Does your entity have the capacity to withstand all types of Information and Communication Technology (ICT) related disruptions and threats? Are you struggling to comply with the various ICT-related regulations across the EU? Are you sufficiently managing the risks arising from an increased dependency on ICT service providers? The DORA will bring responses.

Karim Bouaissi, Consulting – IT Risk & Assurance Senior Manager / EY Luxembourg
Photo credit: EY

As recognized by the European Commission in the financial services Digital Operational Resilience Act (“DORA”)[1], “ICT risks […] pose a challenge to the operational resilience, performance and stability of the EU financial system”. Adopted on 24 September 2020 by the European Commission, the DORA, which will be discussed and negotiated by the EU Parliament and the European Council, is strongly supported by the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority, jointly referred to as “the ESAs”. Many market participants will therefore be impacted by the DORA, from credit institutions, stock exchanges, UCITS management companies and alternative fund managers to insurance companies, payment institutions and electronic money institutions.

Without waiting for the final adoption of the text, we see benefits and challenges for financial entities in getting ready for these new requirements. Among the various points introduced by the DORA, we believe the following are worth considering.

  1. For years, ICT risks were addressed indirectly or partially, and in an inconsistent manner, by the different financial supervisors of the EU Member States, which resulted in a proliferation of national regulatory initiatives and also in rules duplicating those set out in the 2016 NIS Directive[2]. If you have entities across various locations sharing centralized systems, does it make sense to address ICT risks in an unharmonized way? Why should you need to keep a register of all your ICT risks in some cases and not in others? The DORA will bring a comprehensive framework and consistent rules covering ICT governance and risk management. We know the challenges of meeting the various ICT regulatory requirements, and we have been assisting our clients from across the financial sector in their compliance journey, from gap analysis to the implementation of organizational and technical measures to manage risks.

  2. New opportunities for service delivery to customers, reduced costs and improved flexibility in the conduct of business are some of the reasons why financial entities outsource their IT services and systems to third parties. This increased dependency on ICT service providers brings risks resulting from service disruption or malfunctioning, but also a larger exposure to cyber-attacks. To some extent, and except in a few countries (e.g. the status of regulated PFS in Luxembourg), ICT service providers are outside the regulatory perimeter. With the DORA, critical ICT third-party providers (“CCTPs”) are brought into the game, as they will be supervised by one of the ESAs to ensure they do not pose undue operational risks to the financial sector. In line with the EBA guidelines, certain key provisions will also have to be incorporated into the contractual arrangements. Will you wait for the DORA to identify, evaluate, monitor and manage the risks associated with your ICT third parties? Ensure you have a Third-Party Risk Management Program[3] to assess the related ICT risks, review your contracts and perform due diligence on a regular basis.

  3. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents[4]. To increase this capacity and ensure entities are prepared when ICT-related incidents or attacks happen, the DORA strongly recommends having a full range of tests: not only basic penetration testing, vulnerability assessments or scans, but also advanced testing of ICT tools, systems and processes based on threat-led penetration testing (“TLPT”), carried out at least every 3 years. Financial institutions should also report test results and remediation plans to the competent authority. In addition, financial entities are required to have a defined process for ICT incident reporting within the compulsory timeframe. The DORA promotes the idea of a single EU hub for reported major ICT incidents, to facilitate the flow of information among financial entities.

Finally, it is worth mentioning that the DORA rules are also based on the principle of proportionality: while the rules cover all financial entities, their applicability will depend on the size of the entity, its activity, and the overall risk it is subject to.

At EY, with our Cybersecurity and resilience services[5], we assist organizations in having trust in their systems, design and data, so they can make transformational change and enable innovation with confidence. We support various actors of the financial industry in designing, implementing or assessing the effectiveness and efficiency of their ICT risk program, their compliance position, and how risks are managed now and going forward (resilience).

[1] Please see the Draft DORA proposal

[2] Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union

[3] EY global third-party risk management survey highlights 2019–20

[4] Source: NIST SP 800-37 Rev. 2

[5] What EY can do for you in cybersecurity strategy, risk compliance and resilience