On 16 January 2023 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (DORA) entered into force.
DORA aims to establish a comprehensive and cross-sectoral digital operational resilience framework with rules for all European regulated financial institutions. In addition, one of the most significant implications of DORA is the supervision of those ICT third-party service providers that will be deemed critical to the institution.
Now, for the first time, ICT is regulated and there are specific requirements as to what regulators expect to see in terms of infrastructure and operational resilience.
The areas it mandates include:
- ICT risk management
- Reporting of ICT incidents
- Digital operational resilience testing
- Intelligence sharing on cyber threats and vulnerabilities
- Third-party risk management
- Contractual requirements for third-party ICT service providers
- Oversight frameworks for third parties
There is also a voluntary section of DORA, which covers the sharing of cyber threats among institutions.
Risk London 2023, a two-day event taking place on October 18-19, 2023 at ExCel London, is the premier event for risk professionals in the UK. With over 100 exhibitors, keynote presentations from over 200 experts and thought leaders, panel discussions, and breakout sessions, it is the perfect place to learn about the latest in risk management.
- How to prepare for the Digital Operational Resilience Act (DORA)? - Wednesday 18th October, 10:00 AM - 11:00 AM - Security Theatre
The Digital Operational Resilience Act (DORA) is a new European framework for effective and all-inclusive management of digital risks in Financial Markets. With an implementation period of two years, financial entities will be expected to be compliant with the regulation by 17th January 2025.
How exactly will DORA affect the financial sector and its professionals? How will it shape the market and impact its actors? And more importantly, what can you do to prepare for such a demanding change?
- Bill Mew, Founder and CEO, Crisis Team
- Minesh Pandya, Director, Cybersecurity and Privacy, PKF GM
- Megan Brown, LogicGate
The first interesting piece to highlight is the scope of DORA. It covers all European financial entities, from credit and payment institutions to investment firms, issuers of asset-referenced tokens, insurance, credit rating, crowdfunding and securitisation repositories, and also ICT third-party service providers.
Another interesting concept is that there is now a regulatory requirement to properly manage third-party risk. For a long time, we have been looking at various piecemeal requirements from regulators, legislators and other frameworks on the topics of third-party due diligence and operational relationship management. But now, the requirements are specifically outlined and include precise obligations for contractual arrangements. This is similar to the requirements for contractual arrangements in GDPR (i.e. Art. 28). The requirements go further than "you must have a contract" and actually outline the topics the contract must safeguard. Institutions should establish a formal third-party risk strategy, notably including provisions for due diligence, audit, tender process and contractual termination and exit in relation to their third-party providers.
Digital operational resilience testing is a programme that will have to be established, put in place and revised as appropriate. Interestingly, the large range of assessments, tests, methodologies, practices and tools should be undertaken on a risk-based approach, by an independent party. This could have cost implications and risks around liability for companies procuring and providing these tests. Only through practice will we see what level of "certification" may be applicable and acceptable.
The people focus & behavioural aspect is the most exciting change we see from DORA. Finally! A regulation that captures all three elements of the triad of people, process and technology as it relates to cyber risk. Not merely focused on technology, DORA attempts to put requirements in place around process and the behaviour of people in financial institutions. Staff and senior management are now required to undertake compulsory training. The board will bear the ultimate responsibility, so they must be helped to understand the risk at hand.
An appropriate "learning" framework should be established to enable those responsible to glean information on vulnerabilities and threats, which should enable them to analyse and determine the likely impact on the organisation's operational resilience. Regular training should ensure sufficient knowledge and skills to understand and assess ICT risks and their impact on operations.
Many parallels can be drawn between DORA and NIST framework requirements. The essential elements of Protect, Detect and Respond are all thrust to prominence. The compliance element for achieving operational resilience will sit with documented policies, KPIs, and asset registers.
Along with testing and policies, every applicable institution is required to develop security awareness and digital operational resilience training for employees and consider whether third parties need this training too.
Naturally, being able to evidence this is an essential requirement. Reporting and analysis that gives the board the information they need, in the way they need it, will be paramount in demonstrating compliance.
Organisations will have to show not just that training was completed, but that behaviour is changing and risk is reducing. To demonstrate meaningful metrics, risk will have to be categorised against the risky security behaviours exhibited, and real-time results showing how those risks are being managed and mitigated will be key to driving the risk rating down and the operational resilience up.
DORA will require a proper implementation plan in order for institutions to be ready by January 2024, so it is essential that whatever you do, you start your awareness and behaviour change programme now!
Register to attend this session at #RISK London