The EU’s Digital Operational Resilience Act (DORA) was first proposed in 2020 seeking to harmonise ICT risk management practices across the EU’s financial sector by prescribing a unified approach to internal and third-party ICT risk management. With the implementation deadline fast approaching, there is work to be done, and in-scope institutions must ensure they have the necessary frameworks in place to adhere to the new ICT risk management and reporting mechanisms.
Operational resilience is rapidly making its way up the regulatory agenda as policymakers and supervisors direct their attention to the risks stemming from an ever-increasing reliance on Information and Communication Technology (ICT). Traditionally, the EU has focused on requirements for effective governance of systems and controls in an effort to enhance the operational resilience of financial institutions, but this has inadvertently led to a divergence in firms’ approaches to mitigating ICT risk across the single market. Meanwhile, a backdrop of rising cyber-attacks has created mounting pressure on the performance and stability of the EU’s financial system.
This blog explores the key elements of EU DORA compliance that firms must consider when developing their cyber strategy and what the ramifications are for failing to comply.
An introduction to DORA
The European Commission first proposed DORA in 2020 as part of its broader Digital Finance Package with the expected implementation date falling at the beginning of 2023. The new rules demonstrate the EU’s proactive stance toward reducing cyber risk in the financial sector by introducing a broad range of requirements focused on ICT risk management, incident reporting, resilience testing and third-party outsourcing.
DORA aims to enhance firms’ cybersecurity functions by standardising the existing, somewhat patchy, incident reporting processes. The scope of application is broad, covering all financial actors within the banking, insurance, capital markets and investment management sectors.
What is included in DORA?
The Act is built upon five core pillars that address different aspects of ICT and cybersecurity and together provide a comprehensive digital resilience framework for firms to adopt. Each pillar carries its own rules prescribing how institutions should manage their approach to cybersecurity, with the aim of strengthening firms’ resilience and their response to cyber threats.
- ICT risk management – DORA will require firms to introduce a strong risk-based approach to their digital resilience efforts. Firms must introduce specific measures and controls to reduce the impact of cybersecurity threats and ensure processes are in place to detect anomalous activity across all their ICT systems.
- ICT incident reporting – At DORA’s core lies the intended harmonisation of ICT incident reporting. This will enable supervisors to react faster to the impact of cyber-related threats, whilst bolstering firms’ understanding of the evolving threat landscape. Under this pillar, institutions must establish and implement a management process to monitor and log ICT-related incidents. Reporting of incidents to the relevant authorities will be done via a common template.
- Digital operational resilience testing – Firms will be required to implement a comprehensive testing programme, including a range of assessments and practices with a specific focus on technical testing. Regulator-mandated exercises such as threat intelligence-based ethical red-teaming (TIBER), which replicates the actions of real-world threat actors to assess the resilience of firms’ cyber defences, must be performed. Threat-led penetration testing (TLPT) is also required to address higher levels of risk exposure by the end of 2024.
- ICT third-party risk – To mitigate risks associated with third-party outsourcing, financial institutions must have controls in place to monitor the ICT risk of all third parties, as well as the institutions’ digital dependencies and data sharing relationships with these vendors.
- Information sharing – DORA strongly encourages institutions to “share cyber-threat intelligence and information within a community”. This aims to raise awareness of cyber threats and support the broader financial market’s defensive capabilities by informing detection techniques, mitigation strategies and response approaches to cyber threats.
Similar operational resilience mandates have also been published across the broader European Economic Area, driving a step change in how institutions consider resilience through the lens of customers, markets and internal operations.
In the UK, the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) published their final policy and supervisory statements on operational resilience on 29 March 2021. To be “resilient”, firms are expected to prevent disruption to the extent practicable; adapt systems and processes to ensure business continuity in the event of an incident; return to normal running promptly when a disruption ends; and learn and evolve from both incidents and near misses.
More broadly, the Basel Committee on Banking Supervision (BCBS) has published high level principles for operational resilience targeted at banks worldwide. The principles aim to strengthen banks’ ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets, such as pandemics, cyber incidents, technology failures or natural disasters.
The importance of compliance
The most recent DORA proposal gives EU member states discretion over how they penalise data and compliance breaches. Member states are expected to publish national legal frameworks following the final rule implementation to ensure that competent authorities can enforce penalties for non-compliance. These may take a variety of forms, ranging from financial penalties (whose value is yet to be determined and is likely to vary between countries) to remedial measures such as the temporary or permanent cessation of certain operations.
The European Commission does, however, encourage competent authorities to consider proportionality in their issuance of punishments, requiring member states to consider a range of factors in the decision-making process such as the gravity and duration of breaches, the degree of responsibility of the legal person and losses incurred by third parties.
Aside from the more immediate effects of regulatory enforcement, operational disruptions can have catastrophic and long-lasting consequences for those involved. Data breaches, cyber-attacks and system downtime can severely damage business continuity, impacting employee morale, customer satisfaction, internal productivity and brand reputation. From a monetary perspective alone, it is estimated that the average cost of IT downtime to a business is $5,600 per minute. Extrapolate this figure to an entire day and such disruptions quickly become a significant financial risk. Operational resilience is therefore critical, not just at firm level, but at a national and international level as a means of promoting sustainable operations and broader financial stability.
Technology to the rescue
Software, such as that offered by SAI360, supports a risk management culture that offers a better service delivery model, reducing structuring costs while promoting organisational transparency by highlighting internal and third-party risks. Through aggregating the tactical aspects of operational risk management across the entire organisation, such software can enable institutions to achieve a higher quality of oversight and support proactive and innovative approaches to risk management.
SAI360’s operational risk software supports more efficient and effective risk quantification by aggregating internal and third-party data into a central repository. This enables users to achieve a 360-degree view of risk across the entire enterprise and its third parties in real time. The addition of dashboards and visualisation software also enables firms to proactively and accurately identify, monitor and respond to emerging risks to ensure that they are compliant across all facets of DORA.