Operational resilience has been top of mind for regulators and financial services firms for the past few years. Since the pandemic’s start, the world has continued to demonstrate that disruption is happening and only increasing in frequency and complexity. The old way of managing risk and resilience programs is no longer effective or efficient, and regulators have taken note. Financial services firms are always the first to get the attention of regulators, but the push towards operational resilience extends far beyond FinServ. While the methodology or framework for resilience may differ, the expectations are clear: businesses must adapt to the changing environment, mitigate potential impact, and continue to deliver important services to customers.
Increasingly, financial services supervisory authorities are seeking to ensure that the third parties that are supporting a firm’s important business services meet all resilience requirements. A key focus has been on technology and data service providers (TSPs), as cyberattack incidents such as SolarWinds and Log4j have proven that third parties present risks that significantly impact important business services. Currently, TSPs are subject to financial service providers’ requirements via contractual obligations (such as the European Banking Authority’s third-party outsourcing requirements).
One piece of legislation addressing these risks is the landmark Digital Operational Resilience Act (DORA). It has officially been adopted by the Council of the European Union and is now a legal reality for impacted organizations, with an aggressive implementation timeline and a compliance deadline of 2024.
The DORA centers around five principles that can lead to operational resilience. Thankfully, the concepts aren’t new; the DORA is actually similar to existing frameworks. It formalizes existing third-party outsourcing requirements and provides more prescriptive guidance on regulatory expectations. Let’s take a look at the five overarching pillars of the DORA below.
The 5 Pillars of the DORA
- Risk Management
To meet the DORA’s standards, firms must update their technology risk management governance. The updated framework requires firms to identify important business functions and the risks they depend on, and to map the TSP assets that run those functions. Firms are required to define their TSP risk tolerance based on each financial entity’s unique risk appetite and its impact tolerances for TSP disruption.
- Incident Reporting and Classification
The DORA unifies ICT-related (information and communications technology) incident management processes by introducing a standard incident classification methodology with a set of prescriptive criteria (including the number of users impacted, duration, geographic spread, data loss, impact to ICT systems, and criticality of services affected). Like other regulatory mandates, the DORA requires significant incidents to be reported to the regulator. Major incidents must be reported within the same business day, and follow-up reporting will be due after a week.
- Resiliency Testing
Firms will be required to run comprehensive scenario testing and simulations that are focused on technical testing and that include a broad range of practices, assessments, and tests. Testing requirements will be proportionate to a financial entity’s size, business, and risk profile. The most critical firms will also have to organize a large-scale, threat-led, live penetration test every three years (a red-team style exercise) that is performed by independent testers, covers critical functions and services, and involves EU-based ICT third parties. The scenario will have to be agreed upon by the regulator in advance, and firms will receive a compliance certificate upon completion of the test.
- Supply Chain Management and Third-Party Risk
The DORA intends to help prevent systemic economic disruption by ensuring that sound third-party risk management practices are in force for critical TSPs. Financial entities must monitor risks from TSPs, and the regulatory requirements address the elements throughout the third-party relationship that are considered crucial for end-to-end monitoring. This includes contracting, performance, termination, and post-contract stages of the vendor lifecycle.
- Oversight Framework
The DORA broadens the oversight framework to include information sharing, better audit access, and guidance on retrospective analysis.
  - Information Sharing: To help raise awareness of ICT-related risk across jurisdictions and organizations and minimize its spread, the regulation allows covered financial entities to exchange information amongst themselves. The goal is to prevent the spread of cybercrime before a disastrous economic impact occurs, much as law enforcement agencies share information about terrorists or other criminals.
  - Audit Access: The DORA grants regulators the ability to perform audits directly throughout the supply chain of impacted financial entities. While this helps drive compliance and create a stronger supply chain, firms must understand their third parties and their contracts and be able to generate reports and supply information quickly.
  - Retrospective Analysis: The DORA encourages the entire community to learn from disruptive incidents that occur. By studying incidents collectively and revising policy accordingly, improvements can be made to prevent multiple organizations from falling victim to the same type of incident, like the SolarWinds cyberattack.
What Can You Do to Prepare?
While the DORA aims to harmonize existing frameworks and standards, the proposed implementation timeline is aggressive and requires organizations to start preparing now. Here are five proactive steps that organizations can take to meet the requirements:
- Conduct a risk assessment, including a gap analysis, to ensure that your organization can meet the new requirements by the DORA’s deadline of early 2024. Some of the requirements may be a heavy lift, so understand what you need to do now so that you’re not unprepared when compliance is expected.
- Partner with corporate compliance or learning and development teams to meet the legislation’s organization-wide operational resilience training requirements.
- Begin changing your organization’s incident classification methodology to align with the requirements in the DORA. You will also need to establish and document the business processes and workflows for notifying regulators properly if a major incident occurs.
- Start thinking about a scenario for the large-scale penetration test, aiming to get it validated by the regulator before the 2024 deadline. Be sure to engage your critical technology and data service providers in this process.
- Leverage technology to help you build an operational resilience program quickly.
Did you know that the Fusion Framework® System™ is purpose-built to help you meet operational resilience requirements such as the DORA? For more information, contact your Account Manager or request a demo.