In response to rising frequency and severity of cyberattacks on financial institutions, the European Union has drafted new legislation to increase the operational resiliency of financial entities, such as banks, investment firms and insurance companies.
The Digital Operational Resilience Act (DORA), which is expected to be enacted by the end of the year, is part of the European initiative, “A Europe Fit For the Digital Age.” It seeks to harmonize regulations related to information and communication technology cyber risk management, incident reporting, resilience testing and third-party outsourcing.
In short, the DORA aims to create one unified approach across the financial services sector and regulators, and to enhance operational resilience from cyber threats and disruption.
The DORA represents a landmark law that will impose significant operational and regulatory requirements for financial institutions in the EU, including how they manage third-party security. Keep reading to learn more about the legislation, how it will fit into the sector’s existing set of security regulations, and a brief overview of how to prepare for new compliance standards.
Breaking Down the DORA’s Key Components
The DORA legislation includes several key components. Together, they are designed to position financial entities to withstand, respond to, and recover from the impact of information and communication technology and cyber incidents, so they can continue to deliver critical services while minimizing disruption.
These components provide a robust digital resiliency framework for all applicable financial organizations. They include:
- Addressing ICT risks and strengthening digital resilience
- Streamlining ICT-incident reporting and expanding access to incident-related information
- Exchanging threat intelligence and facilitating the sharing of testing results across borders
- Evaluating and enhancing preventive and resilience measures
- Overseeing, monitoring, and governing ICT third-party providers
DORA and Third-Party Security
ICT third-party security is a critical element of the DORA’s risk management framework. Under the soon-to-be law, banks and other types of financial entities will be required to adopt and routinely review a strategy on third-party risk.
A central component of monitoring and governing ICT third-party providers is maintaining a Register of Information, which provides an up-to-date overview of all contractual arrangements with ICT vendors.
The proposed law also includes steps for procuring new ICT services, requirements for ending them, and specific provisions that must be included in contracts with ICT third-party service providers. Furthermore, it requires financial services firms to perform ICT risk assessments before creating new contracts.
How to Comply With the DORA’s Third-Party Risk Management Standards
The DORA’s ICT risk management requirements align with many guidelines from the EBA’s Third Party Outsourcing Regulations, and from EIOPA on ICT Security and Governance. However, once the DORA is passed into law, financial firms can expect greater regulatory scrutiny than with former guidelines.
Here are three key steps for complying with the soon-to-be law.
Step 1: Map your third-party vendors
The first step to complying with the DORA is vendor asset mapping. This gives you a clear understanding of where your vendors exist within your IT landscape, as well as their connectivities, data pathways, and potential attack vectors.
With Panorays, financial services organizations can identify and map out all of their third-party vendors. To streamline information on each one, you can easily build a “Register of Contracts” on Panorays’ Supplier Business Information page, which will house all of your vendor contracts and documentation. This page also stores vendor data and prepares it for review, action, and reporting.
Step 2: Create a Detailed Assessment of Your Third Parties
The next step is conducting a comprehensive assessment of each vendor’s criticality to the company, their business impact and what type of data they have access to. This is key to understanding the risk each vendor poses to your organization — and how to address it.
Panorays helps you prioritize and designate critical third-party service providers by calculating the inherent risk of the business relationship, including how business-critical it is, on our Business Information page. To assess information and communication technology risk and gain a deeper understanding of the supply chain in general, Panorays also identifies and can then assess potential fourth-party technology relationships (or your third parties’ third parties).
Step 3: Build a strategy for dealing with third-party vulnerabilities
The third step is developing an actionable risk containment strategy so you can mitigate vendor risk and remediate the vulnerabilities they pose. This strategy should include a fault-tolerant infrastructure, which allows you to gauge the fault tolerance of both the supplier and your own organization.
Panorays supports vulnerability remediation in many ways. It continuously monitors and evaluates your third-parties, and alerts you about any security changes or breaches. When this occurs, the platform automatically prioritizes vulnerabilities according to the vendor’s business criticality and severity of risk, so you can focus on mitigating the most critical threats. Panorays also makes it possible to request information from third parties and internal stakeholders within the platform, which creates a convenient audit trail.
Don’t Delay — Start Preparing for the DORA Now
With the enactment of the DORA on the horizon, financial services providers will be wise to begin laying the groundwork for compliance today. By gaining a clear understanding of what the legislation entails, as well as how to fulfill its requirements, finance organizations will position themselves to increase operational resilience and ensure compliance with yet another regulation.
Want to learn more about how Panorays can help simplify DORA compliance for your organization? Click here.