Meet the expert: Marjola Begaj to speak at #RISK Amsterdam

Taking place at RAI Amsterdam on September 27 and 28, #RISK Amsterdam examines the trends and best practices organisations are employing to navigate today’s rapidly evolving risk landscape.

Marjola Begaj is founder of Mab Innovations, and founder and Head of Production at OpenFinance#Podcast. She leverages a wealth of experience in software design, data management, regtech on privacy and cyber security matters, compliance and ethics within the financial and digital space.

Marjola will speak at #RISK Amsterdam to discuss the forthcoming Digital Operational Resilience Act (DORA), and how organisations can prepare to best effect.

Below, Marjola discusses her career to date and introduces the topics central to her #RISK Amsterdam panel.

Could you outline your professional pathway so far? 

I am the founder of a consultancy and tech company based in London, Mab Innovations Ltd – Beyond codes, a partnership between Humans, Businesses & Technologies and founder of OpenFinance#Podcast production. 

My journey has been a modest but fascinating so far. I have been working and living between Italy & UK in the last years and met great leaders and people, watching closely some of the most interesting topics on cyber, privacy, regulations, technologies and innovations taking place all around us mostly in UK and Europe. 

I have a legal education, with a strong aptitude on European Regulations, but also on Information technology and have gained over the years through learning and experiences a more in-depth understanding of different aspects of digital transformation and the impact it has on special sectors.  

Since 2015, I have been involved with the connection between financial and cyber space, and have insights from a compliance perspective through the ICA Diploma on Financial Crime Prevention. My expertise from a digital perspective comes through digital leaders’ ecosystem and various forums, congresses and workshops I have participated in – GRC, Infosec, Big data, AI, Blockchain etc.

Some public interventions on innovation and digital transformation and related matters:

- A paper on privacy issues emphasizing only some aspects of security and company policies in place in view of the new GDPR regulation (iCyber magazine - September 2018)

- How SMEs can lead and innovate (speech proposed at Digital Week London- June 2019)

- Deep decision as a service (DDaaS) - DD Project: A Think Tank for Ethical Collective Intelligence and Complex Decision-Making tool (a multipeople project – 2020/2021)

- “Content, Design, Vision – Working together” (webinar presentation al ITSM Summit – August 2020)

- A paper on ESG issues (reflections and analysis in collaboration with ICA, International Compliance Association - February 2022)

How will the Digital Operational Resilience Act (DORA) impact the financial sector?

Two main sectors such as Financial and ICT are coming to a more holistic approach in their interactions and possibly, we will have an increased awareness of the impact generated by the application of DORA and other related regulations in the years to come.

We can certainly recognise that:

• DORA Regulation is part of a wider intervention, the so-called ‘EU Digital Finance Package’ (we can recall the MICA Act on Crypto assets of the DLT Act on blockchain technology) which aims to enable and further support the potential of digital finance in terms of innovation and competition, and at the same time mitigating the risks for consumers, businesses and, in general, the financial stability of the Union.
• DORA raises the standards from National to Union level and possibly will have an impact on a global level too.
• DORA Regulation crosses the context of different frameworks and regulations applicable to the various segments of the Financial Services such as CRD/CRR, PSD2, EMD2, EBA Guidelines, MiFIR, EMIR, MiFID2, ESMA Guidelines, SOLVENCY II, GDPR, SFDR, NIS2 Directive, TIBER- EU Framework. This will require more work for all to understand, assess, implement, comply by reviewing the various interactions.
• The main aim is to improve and simplify activities of financial entities with regard to the management of ICT and Cyber risks, through harmonisations of the rules relating to operational resilience for the financial sector applying to 21 different types of financial entities. Hopefully the harmonisation process will have medium and long-term effects for a more transparent and competitive market.
• From the supervisory perspective, DORA aims at increasing supervisory awareness on cyber risks and ICT related incidents faced by financial entities and also introduces a framework to oversee the systemic and concentration risks posed by the financial sector’s reliance on ICT third party service providers. The increased awareness will be used to design and improve the overall European Economic and Digital Strategy in the years to come.

The impact will be huge on a practical level for it forces financial entities to think more about cyber and at the same time to cooperate with ICT service providers to design, to innovate and be more resilient together.  It forces a cultural change as well, for financial and digital are no more exclusive goods of few players but belong to and are made by many. As such, the sector should better serve as many as possible, but at the same time the bar will raise on the quality of digital finance that we will experience in future.

What key challenges do financial organisations face as they move to comply with the regulation by 17 Jan 2025?

Every financial organisation within the scope of DORA and having regard to the proportionality principle is being challenged to address various aspects of the whole ICT Structure and Management in the next less than two years, both in understanding and implementing. 

Carefully considering the context, the costs, the technology and legacy that each have, complying will be a demanding task. However, as a starting point, looking at the main parts of DORA Act, the first considerations should be done by conducting their first related gap analysis and assessments within these areas and in this way finding out the criticalities and challenges. From here, it’s about designing the right roadmap to implementation.

The whole regulation is being constructed around these main themes (or main pillars). In each, we come across on key matters to address. Without going into details, financial entities have to map and conduct their journey on:

1. ICT Governance & Risk Management:

What’s in place, what’s missing, defining clear roles and responsibilities, acknowledging the fact that overall responsibility stands on top of the financial entity and includes all the measures, tools, procedures, policies, functions as below from testing to agreements to disclosure and so on.

2. Cyber Incident Management:

Similarly, it’s the what, how, who, and ensuring procedures are properly manged. This point considers the so-called crisis communication plan with policies and function for a responsible disclosure of major ICT related incidents to be implemented.

3. Digital Resilience Testing:

This is very important and to be done on all levels, from physical penetration testing to source code analysis, technical, documental, TLPT, pooled testing and so forth; it will require expertise, independence, ongoing testing and improving.

4. Third Party Risk Management & Agreements:

This calls for an end-to-end TPRM Framework, covering all aspects (from information security standards, pre-assessment of ICT concentration risks etc.), as required by the regulation having extra regard to those ICT services supporting a critical or important function, hence the prior assessment in defining these functions and making sure they are not put at risk during the agreement phase all through the exit strategy. 

All agreements should be characterised by elements that are being considered essential which aim at the minimum harmonisation at EU level. As mentioned earlier, new supervisory powers are being designed to assess risks posed by critical third-party service providers. It is also important to mention that there is a fee on top of these TPPs (third party providers) to cover the cost of the supervisory function.

5. Information Sharing:

This will be a highly challenging option for financial entities but should be seen in a positive light. Followed through properly, this will help in creating a common pool of understanding of cyber threat information and intelligence, which in turn will allow for future planning of a cyber resilience strategy within the Union.

6. The Oversight Framework & the Lead Overseer

Particular consideration should be invested for the Oversight Framework, a designation process which will be conducted by supervisory authority with some important exemption as well. This will set the standard for future assessments on critical ICT service providers and a new role, the Lead Overseer with significant powers and responsibilities.

Also, competent authorities will have important rights on accessing and executing their duties.

7. In addition to the Regulation, detailed aspects will be defined through Regulatory Technical Standards (RTS) regarding:

• ICT risk management tools, methods, processes and policies
• Classification methods of ICT incidents.
• Content and format of ICT incident reporting to the competent authorities
• Contents and modalities for the implementation and updating of the register containing information on all agreements with ICT providers.
• Content and methods of supervision of providers of critical ICT functions.

So, it’s about teamwork, expertise, and cooperation between roles. Meeting these standards will demand upgrading, training, and readiness to change and to face the core issues. But it will also necessitate being open, flexible and attentive to key aspects of today and tomorrow’s developments.