What you need to know if you are a financial services institution using IT services
In this third article of our series on the EU's Digital Operational Resilience Act
(DORA), we look at the requirements imposed on
financial services institutions when procuring ICT services from
third parties. This article is written from the perspective of the
financial services institutions themselves. However, it will be
followed by an article exploring what IT service providers should
be doing to ensure that they are prepared for the regulation.
This article forms part of a series of articles we are publishing
with our thoughts on each of the key topics covered by DORA. For an
introduction to DORA, an overview of who is covered, and how the
legislation interacts with other key cyber security laws, please
see our article 'Dora is coming'. For an overview of the
rules on incident management, classification and reporting, please
see our article 'ICT incident management'.
Introduction
The management of ICT third party risk is a topic that has been the
subject of a great deal of regulatory scrutiny in recent years in
the context of broader operational resilience initiatives, in both
the European Union and the United Kingdom. Regulations such as the
EU's NIS Directive and NIS 2 Directive, and the UK Network and Information Systems Regulations,
have shone the spotlight on the importance of containing ICT risk
in upholding the stability of the economy at large. For more
information on those pieces of legislation, please see our previous
articles NIS Directive and NIS 2 Directive.
There is a clear consensus forming amongst regulators that
resilience can only be achieved where every link in the supply
chain is brought up to a minimum standard of cyber security. Where
industry sectors are increasingly reliant on IT services for the
conduct of their day-to-day operations, it is no surprise that the
spotlight is being shone on IT service providers.
In very few sectors is this as relevant as in financial services.
As Recital 2 of DORA makes clear: "The use of ICT has in
the past decades gained a pivotal role in the provision of
financial services, to the point where it has now acquired a
critical importance in the operation of typical daily functions of
all financial entities."
What do we mean by ICT third party risk?
Given the remit of DORA is to improve operational resilience at
every level of the financial services sector, it is no surprise
that the regulation casts the net widely when defining ICT
third-party risk.
Article 3(18) defines the concept as "an ICT risk that may
arise for a financial entity in relation to its use of ICT services
provided by ICT third-party service providers or by subcontractors
of the latter, including through outsourcing
arrangements".
An 'ICT risk', per Article 3(5), is "any
reasonably identifiable circumstance in relation to the use of
network and information systems which, if materialised, may
compromise the security of the network and information systems, of
any technology dependent tool or process, of operations and
processes, or of the provision of services by producing adverse
effects in the digital or physical environment".
Meanwhile, 'ICT services' per Article 3(21) are any
"digital and data services provided through ICT systems to
one or more internal or external users on an ongoing basis,
including hardware as a service and hardware services which
includes the provision of technical support via software or
firmware updates by the hardware provider, excluding traditional
analogue telephone services", and 'ICT third-party
service providers' are simply any "undertaking
providing ICT services".
As Recitals 35 and 63 to DORA make clear, these are intentionally
broad definitions designed to keep pace with technological
developments. The key takeaway for firms is this: if any aspect of
your operations is outsourced to a third-party IT provider, it is
highly likely that you will need to comply with these
provisions.
Interestingly, the regulation extends the definition of ICT
third-party service providers to intra-group providers of services.
As Recital 63 of DORA states: "undertakings which are part
of a financial group and provide ICT services predominantly to
their parent undertaking, or to subsidiaries or branches of their
parent undertaking, as well as financial entities providing ICT
services to other financial entities, should also be considered as
ICT third-party service providers under this
Regulation."
In the payment services space specifically, Recital 63 provides
that "in light of the evolving payment services market
becoming increasingly dependent on complex technical solutions, and
in view of emerging types of payment services and payment-related
solutions, participants in the payment services ecosystem,
providing payment-processing activities, or operating payment
infrastructures, should also be considered to be ICT third-party
service providers under this Regulation".
Why is this new regulatory regime necessary?
If you are a financial services institution, you may be asking: why
is this necessary? For several years now, financial services
organisations operating in the European Union have been required to
adhere to the principles contained in the European Banking Authority's Guidelines on
Outsourcing Arrangements of 2019 and the
European Securities and Markets Authority's Guidelines on
Outsourcing to Cloud Service Providers of 2021, including where
applicable their national equivalents (for example, the Prudential Regulatory Authority's rules on
outsourcing and third party risk management in the UK). In
response to those principles, many financial services institutions
will have already uplifted their cyber resilience policies and
contractual arrangements with third party providers.
The reason for this renewed regulatory focus at a European level is
to ensure harmonisation of approaches across all Member States, as
well as an acknowledgment that as IT interdependencies become more
complex there is the need for pan-national regulation. As Recital
29 of DORA makes clear: "Even though Union financial
services law contains certain general rules on outsourcing,
monitoring of the contractual dimension is not fully anchored into
Union law. In the absence of clear and bespoke Union standards
applying to the contractual arrangements concluded with ICT
third-party service providers, the external source of ICT risk is
not comprehensively addressed..."
What are the requirements?
Article 28 sets out the "General principles" for
the "sound management of ICT third party risk". Before
diving into the details of the requirements, the Article details
two overarching principles, namely:
- firms that use third party ICT services to run their business operations remain ultimately responsible for compliance with their legal and regulatory responsibilities; and
- firms can have regard to the principle of proportionality in their management of third-party ICT risk (taking into account a range of specified matters – see below for more information on what this means in practice).
Subject always to the above core principles, there are a number
of requirements imposed by Article 28 that firms will need to
review and ensure that they can comply with, which may involve
adjusting existing processes and/or implementing additional
processes. Such requirements include:
ICT third-party risk strategy: Save for
some limited exceptions (primarily, micro-enterprises), firms must
adopt and regularly review a strategy on ICT third-party risk as
part of their broader ICT risk management framework. This must
include a policy on the use of ICT services provided by third-party
providers supporting critical or important functions (i.e. those
"the disruption of which would materially impair the
financial performance of a financial entity, or the soundness or
continuity of its services and activities, or the discontinued,
defective or failed performance of that function would materially
impair the continuing compliance of a financial entity with the
conditions and obligations of its authorisation, or with its other
obligations under applicable financial services law").
Further, the management body of the firm must, on the basis of an
assessment of the overall risk profile of the entity and the scale
and complexity of the business services, regularly review the risks
identified in respect of contracts on the use of ICT services that
support critical or important functions.
Maintenance of register: Firms are
required to maintain and update a register of information in
relation to all contracts with third-party service providers
– which must be "appropriately documented"
and distinguish between those ICT services that support critical or
important functions and those that do not. The register, or
specified sections thereof, must be made available upon request by
a competent authority, along with any information "deemed
necessary to enable the effective supervision" of the
firm.
Reporting: Firms are required to:
- report yearly to competent authorities on the number of new arrangements involving the use of third-party service providers, the categories of third-party service providers, the type of contracts in place and the ICT services and functions being provided; and
- inform the competent authority "in a timely manner" of any planned contractual arrangements involving the use of ICT services supporting critical or important functions (as well as when a function has become critical or important).
Pre-contract due diligence: Prior to entering into a contract for the use of ICT services, firms will be required to consider various matters including:
- identifying and assessing "all relevant risks" in relation to the contract, including the possibility that such contract may lead to:
  - contracting with a third-party service provider that is not easily substitutable; or
  - having in place multiple contractual arrangements in relation to the provision of ICT services supporting critical or important functions with the same third-party service provider or with closely connected third-party service providers;
- weighing up the costs and benefits of alternative solutions, including, where the contractual arrangements include the possibility of subcontracting ICT services supporting a critical or important function to other ICT third-party service providers, weighing up the benefits and risks that may arise in connection with such subcontracting (in particular where the subcontractor is overseas);
- where the contract concerns ICT services supporting critical or important functions, considering the insolvency law provisions that would apply in the event of the ICT third-party service provider's bankruptcy as well as any constraints relating to the urgent recovery of the financial entity's data;
- where a contract on the use of ICT services supporting critical or important functions is concluded with an overseas provider, considering the compliance with EU data protection rules and the effective enforcement of the law in that third country;
- where a contract on the use of ICT services supporting critical or important functions provides for subcontracting, assessing whether and how potentially long or complex chains of subcontracting may impact their ability to fully monitor the contracted functions;
- identifying and assessing any conflicts of interest that the proposed contract may cause; and
- assessing compliance by the ICT third-party service providers with "appropriate information security standards". Where the contract concerns critical or important functions, firms must take due consideration of the use by the third-party service provider of "the most up-to-date and highest quality information security standards".
Access, audit and inspection: In
exercising access, inspection and audit rights over ICT third-party
service providers, financial entities must, on the basis of a
"risk-based approach", pre-determine the
frequency of audits and inspections over third-party service
providers and the areas to be audited. Where the ICT services
entail high technical complexity, firms must ensure that they
verify that the relevant auditors possess appropriate skills and
knowledge to effectively perform the audits and assessments.
Exit strategies: Financial entities must
ensure that the contracts they have in place for the use of ICT
services may be terminated in any of the following
circumstances:
- significant breach by the ICT third-party service provider of applicable laws, regulations or contractual terms;
- circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider;
- ICT third-party service provider's evidenced weaknesses pertaining to its overall ICT risk management and in particular in the way it ensures the availability, authenticity, integrity and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data; and
- where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement.
Where the ICT services support critical or important functions, firms are additionally required to put in place exit strategies. These must:
- take into account risks that may emerge at the level of the third-party service provider, including (amongst others) a failure on their part, a deterioration of the quality of the ICT service provided, any business disruption due to inappropriate or failed provision of ICT services and termination of the contract with the third-party service provider for cause; and
- be comprehensive, documented and, having regard to the principle of proportionality, sufficiently tested and reviewed periodically.
Firms must ensure that they are able to exit contractual
arrangements without (i) disruption to their business activities,
(ii) limiting compliance with regulatory requirements, or (iii)
detriment to the continuity and quality of services provided to
clients.
Firms must identify alternative solutions and develop transition
plans enabling them to remove the relevant ICT services and data
from the third-party service provider and to securely and
integrally transfer them to alternative providers or reincorporate
them in-house. They must also have in place appropriate business
continuity measures in the event of an ICT service failure.
Contractual requirements
Once a financial entity has decided to enter into a contract with
an ICT third-party provider, DORA sets out prescriptive rules
regarding the form the contract is required to take and its
contents.
Article 30(1) provides that the contract must be in writing, and
the full contract must "include the service level
agreements and be documented in one written document which shall be
available to the parties on paper, or in a document with another
downloadable, durable and accessible format".
Irrespective of the criticality or importance of the function
supported by the ICT services, the contract must contain at least
the following elements, set out in Article 30(2):
- a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
- the locations where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third party service provider to notify the financial entity in advance if it envisages changing such locations;
- provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;
- provisions on ensuring access, recovery and return in an easily accessible format of personal and non-personal data processed by the financial entity in the event of the insolvency, resolution or discontinuation of the business operations of the ICT third-party service provider, or in the event of the termination of the contractual arrangements;
- service level descriptions;
- the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;
- the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them;
- termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities; and
- the conditions for the participation of ICT third-party service providers in the financial entities' ICT security awareness programmes and digital operational resilience training.
Where the contract relates to ICT services supporting critical or important functions, it must also include:
- full service level descriptions, including updates and revisions to those with precise quantitative and qualitative performance targets within the agreed service levels to allow effective monitoring by the financial entity of ICT services and enable appropriate corrective actions to be taken, without undue delay, when agreed service levels are not met;
- notice periods and reporting obligations of the ICT third-party service provider to the financial entity, including notification of any development that might have a material impact on the ICT third-party service provider's ability to effectively provide the ICT services supporting critical or important functions in line with agreed service levels;
- requirements for the ICT third-party service provider to implement and test business contingency plans and to have in place ICT security measures, tools and policies that provide an appropriate level of security for the provision of services by the financial entity in line with its regulatory framework;
- the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity's threat-led penetration testing, as referred to in Articles 26 and 27;
- the right to monitor, on an ongoing basis, the ICT third-party service provider's performance, which entails the following:
  - unrestricted rights of access, inspection and audit by the financial entity, or an appointed third party, and by the competent authority, and the right to take copies of relevant documentation on-site if they are critical to the operations of the ICT third-party service provider, the effective exercise of which is not impeded or limited by other contractual arrangements or implementation policies;
  - the right to agree on alternative assurance levels if other clients' rights are affected;
  - the obligation of the ICT third-party service provider to fully cooperate during the onsite inspections and audits performed by the competent authorities, the Lead Overseer, financial entity or an appointed third party; and
  - the obligation to provide details on the scope, procedures to be followed and frequency of such inspections and audits;
- exit strategies, in particular the establishment of a mandatory adequate transition period:
  - during which the ICT third-party service provider will continue providing the respective functions, or ICT services, with a view to reducing the risk of disruption at the financial entity or to ensure its effective resolution and restructuring; and
  - allowing the financial entity to migrate to another ICT third-party service provider or change to in-house solutions consistent with the complexity of the service provided.
The proportionality principle
Fortunately for small and medium-sized financial entities, as with
many of the requirements under DORA, the strict provisions of the
regulation are tempered somewhat by the underpinning principle of
proportionality.
Proportionality is a theme that is pervasive throughout DORA (and
much other European legislation). Unfortunately, there is no
clear-cut definition of what would be proportionate in a given
context – this will come down to a case-by-case analysis.
However, in the context of managing third-party ICT risk, Articles
4(2) and 28(1)(b) are clear that the application of the rules shall
be proportionate to the entities' "size and overall
risk profile", and that in determining the steps required
firms should consider the "nature, scale, complexity and
importance of their ICT-related dependencies" and
"the risks arising from contractual arrangements on the
use of ICT services concluded with ICT third-party service
providers, taking into account the criticality or importance of the
respective service, process or function, and the potential impact
on the continuity and availability of financial services and
activities".
This will require firms to perform a detailed analysis of each of
their ICT vendors to understand how the relevant services support
their operations, and the potential consequences (in particular for
end-customers) if there are service delivery or performance
issues.
Conclusion
There is clearly quite a lot of detail to work through here. As a
preliminary step, firms will need to understand all of the
requirements imposed by DORA, and then do some investigatory work
to understand which of those requirements are currently being met,
and which are not. For many sophisticated financial services
organisations, it may well be that the majority of these
requirements are being met either in whole or in part, given
existing compliance regimes with the EBA / ESMA Guidelines.
Once it is established where the gaps are, firms can then start to
plan how to plug the gaps. In particular, firms will need to
consider how they will document their compliance with the
requirements so as to ensure that, if a regulator comes calling,
they have the necessary records to evidence compliance (for
example, in relation to pre-contract due diligence, the approach
decided upon in relation to the frequency of audits, exit
strategies, etc.).
In terms of updating contractual terms, our strong advice is this:
there's no time like the present. Especially
where contractual arrangements relate to core business operations,
we would expect re-negotiation of terms or putting in place of new
contracts to take quite some time – start that work now,
rather than be at risk of non-compliance when the regulation comes
into force.
For those financial entities who are frequent procurers of IT
services, we would encourage you to think about whether it is worth
developing "standard form" clauses that can be
proactively proposed to suppliers in this space to meet the
requirements of the regulation in a "customer-friendly"
manner (or, where you have standard clauses already, updating
those). We anticipate that much of the disagreement between
financial entities and their suppliers will not be over the types of
provisions that need to be included in contracts; rather, it will be over the
detail of how those are drafted and who bears the risk (and costs)
of matters which are not prescribed in the legislation.
To help firms comply with the detailed requirements, the European
Supervisory Authorities will be developing draft technical
standards which, amongst other things, will:
- establish standard templates for the register of information which firms are required to maintain regarding their contractual arrangements with ICT third-party service providers;
- specify the detailed content required for the policy firms need to put in place regarding the use of ICT services supporting critical or important functions provided by ICT third-party service providers; and
- specify the matters which a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions.
These must be submitted to the European Commission by 17 January 2024. Firms will therefore need to retain a degree of flexibility and agility to enable them to respond to any further detail that emerges from the draft technical standards.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.