How the Proposed Digital Operational Resilience Act (DORA) Could Impact Your Organization
In the autumn of 2020, the European Commission (EU) published the proposed Digital Operational Resilience Act (“DORA”) new regulation.
With the rise of blockchain and digital banking, the nature of finance requires some adjustments.
Unfortunately, as supply chain compromises and cyberattacks affecting several organisations; including Target, Tesla, SolarWind, FireEye, and Microsoft Office 365; indicate, all aspects of digital commerce and ever-increasing dependency on Information and Communication Technologies (ICT) pose significant real and present risks, particularly regarding ICT third-party suppliers.
In the Threat Landscape 2020 report; published by the European Union Agency for Cybersecurity (“ENISA”); phishing, identity theft, and ransomware continue to be top cyber threats faced by businesses and organisations in the EU.
With DORA, the EU aims to harmonise and improve risk management and operational resilience within the financial sector across the region by addressing many of the issues that concern leadership, governance, and continued operations through a severe operations disruption as well as establish an oversight framework for managing ICT critical third-party providers (CTPPs).
It is envisaged that the EU parliament, European Council, and the European Systemic Risk Board (ESRB) will engage in several negotiations and debates over DORA with institutions in the coming months, with appropriate laws established very quickly thereafter.
What is Digital Operational Resilience?
Operational resilience is the ability to develop and maintain capabilities, processes, systems, and cultures within an organisation to help ensure the continued provision of services at the expected minimum quality level in the face of operational disruptions.
Operational resilience has always been a key strategic objective in several business sectors including the financial, utility, transport, and ICT service providers. Operational resilience has become an increasingly key subject in countries such as United Kingdom, Australia, United States, and Canada.
Digital operational resilience focuses specifically on the operational disruptions that affect ICT capabilities, services, and processes.
What is DORA?
DORA is the proposed regulation to expand and improve digital banking within the EU system while managing and avoiding the potential risks that are inherent to relying on ICT.
Objectives of the proposed regulation include:
Ensuring that all financial entities have proper risk management protocols in place to track and monitor all ICT functions and asset transfers. This risk management protocol will also feature an assessment of any weak points or vulnerabilities within the system and improve regulatory reporting.
Financial institutions will have a well-structured incident reporting system to report, track and address all ICT related incidents that affect their respective networks.
Institutions will be responsible for constantly testing and assessing the competency and resiliency of their respective ICT system to identify any vulnerabilities.
All third-party activity will be assessed, tracked, and monitored regarding any risk and mitigated by any contractual acknowledgement and agreement relative to network risks and vulnerabilities.
Information exchange between institutions will be monitored and guided relative to minimizing the threats due to cyber-criminal activity.
What is the scope of DORA?
The proposed DORA regulation is expected to cover organisations within the financial sector including retail and commercial banks, electronic money transfer organisations, credit and lending agencies, insurance and reinsurance firms, and investment firms.
Also, it is envisaged that DORA will require that CTPPs, including cloud service providers, managed service providers, data analytics service providers, and audit service providers come under the supervision and oversight of the European Supervisory Authorities (ESA).
Established and confirmed non-compliance with obligations and commitments outlined in DORA regulation will be expected to carry significant penalties.
A [financial institution’s] use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws [and regulations, just as if the institution were to perform the activities in-house].
What are the key elements of the proposed DORA regulation?
Much of the concerns relative to DORA are regarding third-party risk management and mitigating infringements against financial institution security measures.
Third-party management is often sought as a more cost-effective measure for monitoring network systems and performing system checks. Unfortunately, when there are abundant vendors, suppliers and other components regularly participating and contributing to an organisation’s ICT capabilities, processes, and functions it is reasonable to expect that monitoring and identifying security breaches can become a costly and complicated process.
DORA provides a much greater incentive and structure for properly monitoring and tracking third-party involvement. Institutions will be encouraged to automate vendor onboarding where possible while tracking all vendor activity to ensure that any disruptive activity is immediately identified and addressed. Such activity will be recorded in business continuity plans, providing regulators and any security providers consistent access to ICT service usage.
DORA will also institute and regulate the various ESA who will be responsible for reporting any major ICT threats to the respective national regulator. The ESA would also be responsible for evaluating whether respective third parties have respective and effective monitoring systems to track and record any malicious network activity.
This system, in addition to instituting early-warning threats for any cyber encroachment activity and regulating which providers are reputable, will allow financial organisations to better monitor their ICT dependencies more closely.
How will the proposed regulation affect financial organisations?
As the proposal passes through the European parliament for review and revision, various organisations are considering the potential impacts and implementation strategies relative to DORA.
Given the interconnectedness of member nations, the EU is playing a critical role in the implementation of risk management measures such as DORA. Given the increasing risk of crypto assets and the advent of digital ledger, having a secure network that provides clear regulatory guidelines for financial institutions and third-party vendors across member nations will help to create a more stable financial ecosystem.
Bank of England (BoE)
Despite having left the European System of Central Banks (ESCB) since the start of Brexit, the Bank of England has been trying to mitigate its security breaches relative to third-party service providers. Creating an integrated financial network that ensures safety for all institutions within and outside of the EU is beneficial for all parties, including the Bank of England.
As financial institutions, lending agencies and all digital vendors become more dependent on ICT for conducting transactions and managing accounts, ensuring a more fluid and streamlined operation that cannot be compromised will facilitate greater compatibility for vendors, suppliers, and users.
Third-Party Risk Management (TPRM)
As already noted, one of the main priorities that DORA seeks to address is the lack of regulatory power over third-party security concerns. Greater regulation will allow more streamlined interaction between financial institutions and third-party vendors and network security suppliers to ensure that the confidentiality, integrity, and availability of dependent ICT capabilities, processes, and functions are constantly maintained, monitored, and assessed.
Are there potential obstacles to DORA implementation?
Yes, it is expected that some organisations would experience some challenges to effectively implementing DORA.
Some of these obstacles would include the organisation’s existing risk culture, inconsistent risk management policies and standards, ineffective risk management framework and practices, poor or non-existent TPRM policies and strategies, and the possible underestimation of efforts and commitments required to achieve operational resilience maturity.
Is DORA the future?
The proposed DORA regulation is considered a vital step in creating a standardised regulatory framework for the digital operational resilience for financial services in the EU.
In a previous article, I had looked at how GDPR would “evolve” and continue to have expected impacts in the UK as it would across the EU region.
Given the significant penalties that would be imposed for non-compliance with DORA directives, it is perhaps reasonable to envisage that DORA could eventually have similar, if not greater, impacts in both the UK and the EU region as did GDPR, albeit with very different objectives.
As the economy shifts to the digital sphere and ICT capabilities and services become more inherent to financial and commercial activities, ensuring operational resilience becomes even more paramount. As the world waits for the outcome and implementation of the directives put forth through DORA, the power of digital finance will wait to be unleashed.