In response to rising frequency and severity of cyberattacks on financial institutions, the European Union has drafted new legislation to increase the operational resiliency of financial entities, such as banks, investment firms and insurance companies.
The Digital Operational Resilience Act (DORA), which is expected to be enacted by the end of the year, is part of the European initiative, “A Europe Fit For the Digital Age.” It seeks to harmonize regulations related to information and communication technology cyber risk management, incident reporting, resilience testing and third-party outsourcing.
In short, the DORA aims to create one unified approach across the financial services sector and regulators, and to enhance operational resilience from cyber threats and disruption.
The DORA represents a landmark law that will impose significant operational and regulatory requirements for financial institutions in the EU, including how they manage third-party security. Keep reading to learn more about the legislation, how it will fit into the sector’s existing set of security regulations, and a brief overview of how to prepare for new compliance standards.
DORA’s Relevance Beyond Financial Institutions
The DORA regulations also present an opportunity for the financial sector to become a de facto leader in operational resilience. Since the regulations demand that ICT providers adhere more strictly to risk management, security, and operational resilience requirements, ICT providers that do not primarily serve the financial sector will face increased pressure to adopt these standards as well, both to win additional clients in the financial sector and to stay ahead of the curve on compliance. This will in turn influence sectors beyond the financial industry, particularly with regard to data protection and privacy.
DORA’s Impact on Global Operations
Organizations with offices in multiple locations manage compliance requirements across multiple regulatory environments. DORA-compliant financial institutions with branches in Europe, the U.S., and Asia, for example, would need to establish operational resilience frameworks that include adherence to different standards of incident reporting, ICT risk management, digital continuity, and third-party risk management.
However, this can be complex, as the requirements for reporting a cyberattack may differ depending on the geographic location. There may also be different criteria for the type of incident that mandates reporting. To meet all regulatory requirements across multiple locations, the financial institution above would need to implement a scalable and flexible framework that is cohesive enough to cover OCC (Office of the Comptroller of the Currency) standards in the U.S., DORA requirements in the EU, and any relevant Asian regulations.
DORA vs. Other Regulations
DORA, the GDPR, and the NIS2 Directive are specifically focused on the EU, whereas the Basel Accords are global in reach. While DORA focuses on the digital operational resilience of the financial sector, the Basel Accords aim to increase the financial stability of the banking sector. The NIS2 Directive, in comparison, is focused on critical infrastructure (e.g., water, electricity, gas) and digital services (e.g., cloud services, online marketplaces), and the GDPR is applicable to all industries. With the exception of the Basel Accords, which focus on regulatory actions or restrictions on activity in the event of non-compliance, each of these regulations provides for penalties for non-compliance. While integrating these regulations into a cohesive compliance strategy can be challenging for organizations, it can be achieved with the help of centralized governance and risk management, integrated risk response plans, unified vendor management frameworks, and resilience testing aligned across the different regulatory requirements. In addition, automation and technology can help to streamline the tasks required for compliance. Together, these strategies should help organizations build a risk-based approach to achieving compliance while maintaining operational efficiency.
DORA’s Key Components: What You Need to Know
The DORA legislation includes several key components. Together, they are designed to position financial entities to withstand, respond to, and recover from the impact of information and communication technology and cyber incidents, so they can continue to deliver critical services while minimizing disruption.
These components provide a robust digital resiliency framework for all applicable financial organizations. They include:
- Addressing ICT risks and strengthening digital resilience
- Streamlining ICT-incident reporting and expanding access to incident-related information
- Exchanging threat intelligence and facilitating the sharing of testing results across borders
- Evaluating and enhancing preventive and resilience measures
- Overseeing, monitoring, and governing ICT third-party providers
DORA and Third-Party Security
ICT third-party security is a critical element of the DORA’s risk management framework. Under the soon-to-be law, banks and other types of financial entities will be required to adopt and routinely review a strategy on third-party risk.
A central component of monitoring and governing ICT third-party providers is maintaining a Register of Information, which provides an up-to-date overview of all contractual arrangements with ICT vendors.
The proposed law also includes steps for procuring new ICT services, requirements for ending them, and specific provisions that must be included in contracts with ICT third-party service providers. Furthermore, it requires financial services firms to perform ICT risk assessments before creating new contracts.
DORA’s Third-Party Risk Management Standards Compliance
The DORA’s ICT risk management requirements align with many guidelines from the EBA’s Third Party Outsourcing Regulations, and from EIOPA on ICT Security and Governance. However, once the DORA is passed into law, financial firms can expect greater regulatory scrutiny than with former guidelines.
Here are three key steps for complying with the soon-to-be law.
Step 1: Map your third-party vendors
The first step to complying with the DORA is vendor asset mapping. This gives you a clear understanding of where your vendors exist within your IT landscape, as well as their connectivities, data pathways, and potential attack vectors.
With Panorays, financial services organizations can identify and map out all of their third-party vendors. To streamline information on each one, you can easily build a “Register of Contracts” on Panorays’ Supplier Business Information page, which will house all of your vendor contracts and documentation. This page also stores vendor data and prepares it for review, action, and reporting.
Step 2: Create a Detailed Risk Assessment of Your Third Parties
The next step is conducting a comprehensive risk assessment of each vendor’s criticality to the company, their business impact and what type of data they have access to. This is key to understanding the risk each vendor poses to your organization — and how to address it.
Panorays helps you prioritize and designate critical third-party service providers by calculating the inherent risk of the business relationship, including how business-critical it is, on our Business Information page. To assess information and communication technology risk and gain a deeper understanding of the supply chain in general, Panorays also identifies and can then assess potential fourth-party technology relationships (or your third parties’ third parties).
Step 3: Build a strategy for dealing with third-party vulnerabilities
The third step is developing an actionable risk containment strategy so you can mitigate vendor risk and remediate the vulnerabilities vendors introduce. This strategy should include a fault-tolerant infrastructure and a way to gauge the fault tolerance of both the supplier and your own organization.
Panorays supports vulnerability remediation in many ways. It continuously monitors and evaluates your third parties and alerts you about any security changes or breaches. When this occurs, the platform automatically prioritizes vulnerabilities according to the vendor’s business criticality and the severity of the risk, so you can focus on mitigating the most critical threats. Panorays also makes it possible to request information from third parties and internal stakeholders within the platform, which creates a convenient audit trail.
Prepare for the DORA Today
With the enactment of the DORA on the horizon, financial services providers will be wise to begin laying the groundwork for compliance today. By gaining a clear understanding of what the legislation entails, as well as how to fulfill its requirements, finance organizations will position themselves to increase operational resilience and ensure compliance with yet another regulation.
Learn more about how Panorays can help simplify DORA compliance for your organization.