DORA Regulation: How it will affect third-party management?

The Digital Operational Resilience Act (DORA) introduces new measures for financial firms to address third-party risks. DORA emphasizes risk management procedures and due diligence on third-party providers. Firms must monitor their activities and conduct regular assessments of their own resilience.


Grand Answer:

The Digital Operational Resilience Act (DORA) proposes new incident response and third-party risk requirements for financial firms. [1] These requirements aim to mitigate the risks that may arise from the use of third-party technology providers. [2] One of the key points of DORA is that financial firms will be required to establish adequate risk management procedures, including due diligence on third-party providers and monitoring of their activities. [3] Additionally, firms will be expected to conduct regular assessments of their own operational resilience and have plans in place to address any risks that may impact the continuity of their services. [4] Overall, DORA seeks to enhance the resilience of the financial sector by improving the management of operational risks, particularly those related to third-party providers. [1][2]

Sources:

[1] EU's DORA regulation explained: New risk management requirements for financial firms
The proposed Digital Operational Resilience Act includes new incident response and third-party risk requirements for financial firms operating within the EU. Passage is expected, so plan now.

[2] DORA Third-Party Risk Management Compliance | Prevalent
The EU Digital Operational Resilience Act (DORA) sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector, such as banks, insurance companies and investment firms.

[3] EUR-Lex - 52020PC0595 - EN - EUR-Lex

[4] The EU's DORA has been agreed: implications for the financial services sector
The DORA establishes binding rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM); it will require firms to adopt a broader business view of resilience, with accountability clearly established at the senior management level.

DORA Regulation: Enhancing ICT Risk Management

The Digital Operational Resilience Act (DORA) marks a significant milestone in the financial industry's approach to information and communication technology (ICT) risk management. DORA aims to establish a unified and comprehensive framework for addressing ICT risks across the entire financial sector, encompassing institutions of all sizes and types, including banks, investment funds, insurance companies, and cryptocurrency services. By replacing the existing complex regulatory landscape with a single legislative act, DORA seeks to streamline and simplify the regulatory environment, reducing the burden on financial entities currently subject to multiple regulations such as CRD IV, PSD2, Solvency II, EMIR, and MiFID, each governed by distinct regulatory bodies.

Central to DORA is the recognition of the heightened dependence of the financial sector on IT firms and the potential risks arising from third-party relationships. To mitigate these risks, the regulation expands the oversight to critical ICT third-party service providers, subjecting them to EU-level supervision. The Act emphasizes the accountability of the management body within financial entities for ICT risk management, charging them with "full and ultimate accountability" for approving the digital operational resilience strategy and establishing rules for utilizing ICT Third-Party Providers (TPPs). Furthermore, DORA empowers competent authorities to impose administrative penalties and remedial measures on management body members in the event of any violations.

Article 28 outlines guidelines for financial entities to effectively manage the risk associated with third-party ICT services. These guidelines emphasize the importance of establishing contractual agreements that fully comply with the relevant financial services laws, including the provisions stated in DORA itself. The management of ICT third-party risk should be conducted in a manner that is proportional to the specific characteristics of the ICT dependencies, such as their nature, scale, complexity, and significance, along with the risks identified in the contractual agreements.

One of the key requirements introduced by Article 28 is the development and maintenance of specific risk management documents. Financial entities are obligated to formulate and regularly update their ICT third-party risk strategies. These strategies should encompass policies related to the use of ICT services that support Critical or Important Functions Arrangements (CIFAs) provided by third-party service providers.

To facilitate effective oversight and monitoring, financial entities are also mandated by Article 28(3) to establish an information register. This register serves as a comprehensive record of all contractual agreements pertaining to the use of ICT services from third-party providers. Notably, the register should clearly indicate which agreements are relevant to CIFAs and which are not. This allows the competent authority to review the register and ensures transparency and accountability in managing ICT third-party risk. Additionally, financial entities are required to provide annual reports to the competent authority, which include information such as the number of new ICT service agreements, provider categories, arrangement types, and details about the services and functions provided. Moreover, any planned contractual agreements related to CIFAs and significant changes in the status of a function becoming a CIFA must be promptly notified to the competent authority.

DORA's provisions on contractual clauses closely resemble existing outsourcing guidance from organizations such as the CBI, EBA, EIOPA, and ESMA. These provisions emphasize the importance of having written contracts for all relevant agreements and introduce mandatory clauses that differ depending on whether the contract involves a CIFA.

The mandatory provisions applicable to both CIFAs and non-CIFAs cover various aspects, including clear descriptions of the services provided, the locations involved, data protection measures, data access during resolution events, service level descriptions, assistance during ICT incidents, cooperation with competent authorities, conditions for digital operational resilience training, termination rights, and assistance during service disruption.

In the case of contracts involving CIFAs, additional mandatory provisions are prescribed under Article 30(3). These provisions are specifically tailored to CIFAs and encompass detailed service level descriptions that include quantitative and qualitative performance targets, notice periods and reporting duties in relation to materially impactful developments, exit strategies, participation in threat-led penetration testing, unrestricted access, inspection, and audit rights, performance monitoring, as well as the implementation and testing of business contingency plans.

In line with DORA's objectives, financial entities are required to adopt a proactive approach to ICT risk management. The Act stipulates that organizations must set risk tolerances for ICT disruptions, supported by key performance indicators (KPIs) and risk metrics. Furthermore, financial entities must identify and map their "Critical or Important Functions" (CIFs) along with their associated assets and dependencies. By broadening the focus to critical functions, the Act challenges financial entities to enhance their operational resilience capabilities and to develop a comprehensive understanding of the interconnections between the ICT assets, processes, and systems that underpin the delivery of those functions. Incorporating CIFs throughout the framework ensures that risk management efforts align with the overall resilience of the financial ecosystem.


DORA Regulation: Incident Reporting Framework

DORA introduces a more comprehensive and streamlined incident reporting framework for financial services firms. While consolidating existing EU incident reporting obligations, the act brings significant enhancements to ensure effective incident preparedness and response. Financial entities are required to enhance their capabilities in collecting, analyzing, escalating, and disseminating information about ICT incidents and threats. This necessitates the development of robust incident reporting processes and systems that facilitate prompt identification, assessment, and management of incidents.

Under DORA, financial entities must provide root-cause analysis reports within one month following a significant ICT incident. This requirement aims to foster a deeper understanding of incidents and their potential impact on the organization and its stakeholders. Through thorough root-cause analyses, financial entities can identify the underlying factors contributing to incidents and implement appropriate remediation measures. This not only addresses the immediate incident but also enables organizations to prevent similar incidents from recurring in the future.

Furthermore, the regulation expands the scope of incident reporting by incorporating "significant cyber threats" into the list of events that firms must classify. Although reporting such threats remains optional, it emphasizes the increasing importance of addressing cybersecurity risks in the financial sector. In the event that clients or counterparties are exposed to significant cyber threats, financial entities have an obligation to promptly notify them and provide relevant information on protective measures. This provision emphasizes the need for transparency and collaboration among financial entities, clients, and counterparties in mitigating cyber risks and ensuring the resilience of the financial ecosystem.

Digital operational resilience testing is another critical aspect introduced by DORA: all relevant financial entities, excluding microenterprises, must conduct regular security and resilience tests on their critical ICT systems and applications. The objective is twofold: identifying vulnerabilities and weaknesses within these systems and applications, and ensuring that any identified vulnerabilities are comprehensively addressed. Proactive testing enables financial entities to strengthen their operational resilience and reduce the likelihood of disruptive incidents. This requirement aligns with the industry practice of conducting regular security assessments and penetration testing to identify and remediate vulnerabilities.

In addition to regular testing, DORA imposes advanced Threat-Led Penetration Testing (TLPT) requirements on financial entities deemed of systemic importance and maturity. The specific threshold for systemic importance and maturity will be determined by regulatory standards. These entities are mandated to conduct TLPT every three years, in addition to regular testing. The methodology for TLPT should align with the existing TIBER-EU framework developed by the European Central Bank, providing a standardized approach to advanced testing. This requirement emphasizes continuous improvement and rigorous testing to enhance the cybersecurity posture of financial entities.

In summary, DORA's emphasis on enhancing ICT risk management and incident reporting aims to strengthen the resilience of the financial sector amidst evolving technological challenges. Financial entities must adapt to these changes by reviewing and enhancing their risk management practices, incident response capabilities, and resilience testing frameworks. By embracing these requirements, financial entities can effectively manage ICT risks, respond to incidents with agility, and foster a culture of robust risk management and operational resilience. Ultimately, the Digital Operational Resilience Act sets the stage for a strengthened financial framework that prioritizes risk mitigation, incident preparedness, and secure operations within the financial ecosystem.

Grand Answer: Your AI Partner

Grand Answer is an innovative AI-driven tool designed to provide comprehensive and precise answers to compliance questions. By thoroughly examining a wide array of regulatory sources, Grand Answer delivers up-to-date and relevant information, allowing users to navigate the intricate and continually evolving regulatory landscape.
Designed to support compliance officers, legal counsels, and other professionals responsible for adhering to regulatory standards, Grand Answer aims to facilitate an efficient and straightforward compliance process.
