European financial services firms will have less than 24 months to comply with the European Council's Digital Operational Resilience Act ("DORA") once it's formalized later this year. Acting now has major advantages.
If you're an IT manager of a financial services firm in the European Union ("EU"), you no doubt have had your eye on DORA for almost two years now. DORA - the Digital Operational Resilience Act - is expected to go into full effect this fall following a review period that began in September 2020. When the Act arrives, all EU financial services ("FS") firms will have less than 24 months to strengthen their cybersecurity stance to comply with its new regulations.1
Now, if you're on the board of an FS, or are senior management, you may not have been paying that much attention to DORA. And why should you? Isn't DORA essentially an IT issue? Can't your best tech folks handle compliance and testing?
You could go that route. But given the origins and intent of the new law, you may be seriously underestimating the significant challenges to compliance. Moreover, you might be missing a unique opportunity for strategic compliance that can benefit your organization. That's because DORA is not only about strengthening cybersecurity - it's about building operational resilience across the full enterprise.
Ask any IT manager about this last point and you'll likely hear a mantra they've long preached: Cybersecurity and resilience should be integral elements of business implementation.
A Focus on ICT
To grasp this point more fully, let's take a brief look at where DORA came from and its goals. For years, national governing bodies within the EU exercised their own discretion when it came to cybersecurity in financial services. That discretion led to a patchwork of incident reporting processes and directives that contributed to increasing compliance costs for organizations.2
DORA harmonizes rules and regulations, aiming for consistency across the EU to maintain operations through severe operational disruption. Specifically, the EU hopes the new laws will help FS firms better withstand, respond to and recover from the threats to information communication technologies ("ICTs"). Given the business imperatives of maintaining ICT, DORA is intended to add stability and confidence within the financial system.3
DORA will have far-reaching implications. Here, we ask and answer questions related to the new regulatory framework that may be on the minds of boards and senior managers.
Q. Just how different is DORA from the current
regulations my firm is operating under?
A. That depends on the regulations of your
governing body. But the important thing to know about DORA is that
it is much more interventionist than any existing guidelines. And
it's much more prescriptive than anything previously issued. It
bears repeating: The EU is focused on the central role of ICT in
the financial services sector. As such, the flaws and
vulnerabilities in digital infrastructures are not just IT
problems, but firm-wide issues. You'll need to move away from
thinking "cyber compliance" to thinking "cyber
assurance."
Q. Can't we just wait a year or so to get started on
compliance?
A. You can, but getting out ahead of a new law
that is such a heavy lift and features harsh penalties and
consequences for failure to comply is in the best interest of many
firms. Banks and insurance agencies are already mobilizing
enterprise-wide DORA initiatives this year.4 If you wait
and decide to simply tinker around the edges of your core
platforms, it might seem less disruptive, but you'll
layer in a huge amount of additional infrastructure.
Q: We're not a financial services firm, but we
partner with one. Does DORA apply to us?
A. Almost all financial entities will be subject
to DORA. For instance, third parties that provide ICT-related
services to financial services firms, such as cloud platforms and
data analytics services, must be compliant. And the European Council says that
"[c]ritical third-country ICT service providers to financial
entities in the EU will be required to establish a subsidiary
within the EU."5
Q. What's one thing that I might overlook when
implementing DORA?
A. As noted, DORA has numerous requirements across
all aspects of digital operational resilience. Have you considered,
for instance, how you'll handle crisis communications if you
suffer a cyber incident when the law is in effect? It's
mandatory under DORA to report all incidents, and having a plan
ahead of time can mitigate reputational risk.6
Q. There are five key pillars associated with DORA
(see sidebar). Which should I prioritize
first?
A. All five are interrelated and should be
approached jointly. For the sake of space, this article presents
only the "digital operational resilience testing" pillar.
Subsequent articles will cover the remaining four pillars.
Q. Okay, tell me about digital operational resilience
testing.
A. The pillar will require financial organizations
to undergo regular testing by independent parties. Legislators are
still working to clarify the testing methodology and how multiple
entities will recognize the testing results. But under the
provisional agreement, "penetration tests" are based on
existing EU initiatives like TIBER-EU, a framework that "mimics the
tactics, techniques and procedures of real-life attackers, based on
bespoke threat intelligence."7The tests are
tailor-made to simulate an attack on the critical functions of an
entity and its underlying systems.
Q. Now that I know about the testing pillar, what's
the most important thing I should keep in mind when running a
testing program?
A. That it should center on the customer. Given
that DORA is intended to boost stability and confidence in the
financial systems, any digital operational resilience testing
program must deliver against customer expectations.
Editor's Note: This is the first of three articles in which the FTI Journal looks at DORA, the European Council's legislative act that will strengthen regulations regarding information and communication technologies ("ICTs") and cyber resilience in financial services firms. Here, the Journal provides background on the act and one of its five key pillars: Digital Operational Resilience Testing.
- Digital Operational Resilience Testing
- ICT Risk Management
- Incident Reporting
- Information and Intelligence Sharing
- ICT Third-Party Risk Management
* FTI Consulting organizes the requirements of DORA into five key pillars; other sources may organize them differently
Footnotes:
1: FTI Perspectives, "DORA Overview for Permanent TSB (FTI Perspectives," April 2022, p. 3
2: FTI Cybersecurity, "The Digital Operational Resilience Act (DORA): Key questions business leaders should be asking," FTI Consulting, December 29, 2020, https://fticybersecurity.com/2020-12/the-digital-operational-resilience-act-dora-key-questions-business-leaders-should-be-asking/
3: Council of the EU, "Digital finance, provisional agreement reached on DORA," May 11, 2022 https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital-finance-provisional-agreement-reached-on-dora/
4: Lafarge, Joanna Grove "What firms can expect from DORA," Global Risk Regulator," February 4, 2021, https://www.globalriskregulator.com/Subjects/Reporting-and-Governance/What-firms-can-expect-from-DORA
5: Council of the EU, "Digital finance, provisional agreement reached on DORA," May 11, 2022 https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital-finance-provisional-agreement-reached-on-dora/
6: Moinuddin, Ali, "The Global Drive for Better Financial Sector Operational Resilience," International Banker, June 7, 2022, https://internationalbanker.com/finance/the-global-drive-for-better-financial-sector-operational-resilience/
7: European Central Bank, "What is TIBER-EU," https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html#:~:text=TIBER%2DEU%20is%20the%20European,carrying%20out%20a%20controlled%20cyberattack.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
