The European Union (EU) Digital Operational Resilience Act (DORA), like Spring, is in full swing. I’ve had the good fortune in my role at SAI360 to meet with the Swiss Risk Association, speak at a CeFPro (Center for Financial Professionals) event in London, and participate in a DORA lunch briefing with Luxembourg’s Institute of Internal Auditors and consultants from Deloitte.
I gathered questions during my EU operational resilience mandate tour and returned with answers, as well as collected my thoughts on the spirit of DORA and the wider risk lens that adherence requires.
Here are my questions and answers from my tour, along with some carefully considered views.
Q: What is the interplay between DORA and the Swiss Financial Market Supervisory Authority’s (FINMA) Principles for Operational Resilience?
After meeting with regulators, financial institutions, and critical third parties on European operational mandates in Zurich, I believe both DORA and FINMA have similar goals but separate paths.
DORA is ostensibly more prescriptive with its focus on ICT (information and communication technologies) vendors while FINMA recently emphasised measures for securing critical data in a circular.
In my estimation, by also focusing on critical data, financial institutions are less tempted to just cover a certain class of vendors and address risks broadly as a result.
Q: Should cyber resilience measures like the DORA mandate adapt to the threat actor, particularly if they are state actors?
This question came up during my EU DORA talk in London. Adapting ICT security measures according to the threat is a good approach for an agile response. However, DORA establishes a cyber resilience baseline by building on existing guidelines and regulations across Europe.
A state actor is a different level of threat compared to common cybercriminals. Therefore, DORA’s cyber resilience baseline is not a sufficient defence against heavily resourced, distributed and sustained state actor attacks.
Q: How broadly does DORA compliance contribute to third-party cyber resilience?
DORA focuses on ICT risks from ICT vendors. However, ICT risks can emanate from vendors not associated with ICT or deemed to be critical third-party providers.
An example of the expanded threat vector is Account Information Service Providers (AISPs), which are cited in DORA. In reviewing the DORA regulation, I see citations of other third parties that are deemed critical like Payment Service Providers.
So, contrary to the main thrust of the regulation, DORA goes beyond pertaining exclusively to ICT vendors.
“Financial entities shall have a sound comprehensive and well-documented ICT risk management framework as part of their overall risk management system,” as Article 6 (1) makes clear.
This goes beyond the perceived narrow focus on ICT vendors and requires a wider risk lens to manage the “overall” risks from third parties. Therefore, regulatory compliance and integrated risk management must work in tandem for achieving comprehensive cyber resilience.
Q: What does DORA require from the internal audit function?
A lot of what DORA requires from the internal audit function builds on IT risk management best practises and requirements from existing regulations. Here are four action points for the internal audit function shared at the IIA Luxembourg and Deloitte lunch briefing:
- Have a risk-based audit plan
- Ensure adequacy of risk management frameworks
- Implement a comprehensive IT resilience design and approach
- Close engagement and alignment with IT
Q: Can a GRC platform streamline DORA compliance?
GRC platforms like SAI360 are the connecting tissue between disjointed processes, which are common in organisations I speak with.
A GRC (Governance, Risk and Compliance) platform joins up and aggregates GRC data, which eases the workload from DORA compliance. Manual and duplicated efforts associated with dispersed risk frameworks are eliminated.
Ultimately, processes are optimised and automated, whether they are risk and control management, business continuity and/or incident reporting workflows, among other GRC activities.
The Regulatory Spotlight: Final Thoughts
It is EU DORA’s turn in the regulatory spotlight with authorities, financial institutions, and consultants weighing in on the implications of the Act.
Since compliance with EU DORA calls for a comprehensive GRC approach aided by technology, I’ll continue to write and speak on the topic.
Get in touch with SAI360 to keep the conversation about operational resilience going. For more information on how SAI360’s modular GRC solutions can drive efficiency, optimisation, and agility in your workplace, visit https://www.sai360.com/solutions/integrated-grc.
By Chika Okoli, GRC Technology Manager EMEA, SAI360