The EU's Digital Operational Resilience Act: 5 Things Firms Need to Know

Published by Ben Saunders - OpRes Founder

Roughly a 6-minute Read

In our previous blog, we discussed why firms must treat operational resilience as a strategic imperative. Just this week, I also shared a data publication by the FCA which illustrated the volume of operational and security-related incidents across the United Kingdom's retail banking landscape between 1st July 2019 and 30th June 2020. At a time when retail banking is becoming increasingly reliant on digital channels, it was interesting to see 88 incidents reported against just 28 regulated firms during that period. That is just over one major outage every 4 days across the U.K.'s retail banking estate!

Back in September 2020, it was perhaps a welcome announcement, then, when the European Commission unveiled its legislative proposals on digital operational resilience, comprising a draft regulation called the Digital Operational Resilience Act (DORA) alongside a proposed directive for firms to consider.

For many of the people I speak with, this was a little-known announcement. However, it is one that will undoubtedly have an impact on the operational resilience landscape. So, what exactly is DORA, and what do financial institutions need to address in order to comply with these impending policies?

What Exactly is DORA?

DORA aims to establish a clearer underpinning for EU financial regulators and supervisors to expand their focus from ensuring firms remain financially resilient to also making sure they can maintain resilient operations through a severe operational disruption. This direction correlates with the various regional policies on operational resilience published by regulators over the course of 2020 and 2021.

By establishing DORA, it is expected that firms will establish, or mature, oversight frameworks for their information technology systems. However, rather than the typical siloed and fragmented approaches you would expect on a firm-by-firm basis, DORA aims to harmonise practices around digital resilience testing and risk management, as well as incident classification and reporting. In addition, DORA will aim to create an EU-level oversight framework to identify and govern third-party service providers that are deemed critical for financial institutions.

This will be no easy undertaking. Maintaining standard testing, audit, and reporting practices across a single firm is challenging enough. Extrapolating this across the EU will take time, and further consultation between firms and regulators will most likely continue for the next 12-18 months before a revised set of legislative standards is published.

What are the key focus areas for DORA? 

There are 5 key pillars that firms will need to consider and pay attention to as these publications become formal policy. Let's break these down: 

1. Technology & Risk Management

Senior management across firms will be expected to define, approve, oversee and be continuously accountable for a firm's ICT risk management framework. This will include the appropriate structure, processes, and controls across the following areas:

  • Establish resilient technology platforms and toolchains that expedite the identification of technology risk and minimise it.

  • Implement business continuity policies and disaster recovery plans for when disruptions are experienced across important business services.

  • Ensure the firm has qualified people suited to its size, business, and risk profile. 

  • Put in place incident review procedures following incidents of significant disruption to ensure that continuous improvement practices are put in place. 

2. Standardised Incident Classification & Reporting

Each institution is often a unique snowflake and will classify outages using different types of risk weighting. This is usually predicated on a firm's risk appetite and the level of financial risk it poses to its customers and the market. DORA aims to harmonise how incidents are classified, the requirements for reporting them, and the documentation required to track them through to resolution. This will require firms to:

  • Establish or mature processes to identify, track and classify technology incidents. 

  • Report major incidents and outages to regional authorities and regulators who will then share this data with a single European-wide body. 


3. Digital Resilience Testing

In our previous blogs, we have touched on the importance of firms being able to map their important business services and test for likely but extreme scenarios. DORA places a similar emphasis on firms providing evidence that they test their risk management frameworks on a regular basis. In the same vein as the policies published by the FCA and PRA, this testing is intended to identify and address weaknesses, deficiencies or gaps that may exist across a firm's technology estate. Invariably, this will not be a one-size-fits-all process, and testing will need to be adjusted based on the firm's size, the products it sells, and its risk profile to customers and the wider market.

4. Third Party Risk Management

Third-party risk management is a topic we keep returning to, and probably rightfully so. In the last week, outages experienced by third-party content delivery network (CDN) providers like Cloudflare and Akamai have caused disruptions across the financial services sector. As reliance on cloud-hosted services increases, so may industry-wide outages, because many firms utilise the same managed offerings.

DORA is pushing firms to ensure that they monitor risks across technology systems provided by 3rd and 4th party suppliers. This will include:

  • Ensuring firms assess and identify potential concentration risks with 3rd party service providers, and with any outsourcing agreements those providers hold with subsequent 4th party providers.

  • Standardisation, where possible, of outsourcing contracts with 3rd party providers to ensure provisions and information are consistent across the industry.

Furthermore, DORA also contemplates the creation of an EU-wide oversight framework that will identify and oversee 3rd party service providers deemed to be "critical" for financial entities. Over time, this could mean increased scrutiny and governance of cloud service providers, telcos, network carriers, and potentially professional services organisations. The proposals suggest that where a critical provider is identified, it will be assigned to a lead overseer in the form of the EBA, ESMA, or EIOPA.

5. Information Sharing

Over time, DORA will facilitate arrangements between financial entities to exchange cyber threat information and intelligence amongst themselves. This is not too dissimilar to existing practices being established across the U.K. finance sector, where information-sharing relationships between firms are becoming common practice.

In Conclusion: 

Over the course of this blog, we have highlighted discrete similarities and overlaps with many of the recent policies published by the FCA & PRA in the U.K., and there are also synergies with recent publications from the likes of the OCC, the Fed and MAS. Many of the recommendations put forward by DORA should not come as a surprise to the more mature firms who have been applying sound IT Service Management practices for decades. However, for this type of regulation to deliver on what it promises, we believe that it cannot be a pen-and-paper reporting exercise.

Indeed, a real-time, low-administration reporting capability needs to be established, where information can be shared freely and securely across firms and regulators. As such, the likely outcome is that firms and regulators will look to leverage infrastructure and technology solutions provided by the very organisations they are seeking to place a greater level of oversight on.

Watch this space closely: we will aim to share further insights and recommendations on how your firm can start to tackle these requirements as the policies become formalised over the next 12-18 months.
