From a global banking perspective, the Basel Committee on Banking Supervision (BCBS) issued a Consultative Document on Principles for Operational Resilience in August 2020, which outlined a set of core principles and guidance for banks to follow.
In Europe, also in 2020, the EU announced its own regulatory initiative as part of its digital finance strategy, focusing specifically on digital risk. Entitled the Digital Operational Resilience Act (DORA), the new regulation has now been provisionally agreed by the European Parliament and is due to come into force over the next 18-24 months. The new regulation has significant implications both for financial institutions and their technology partners.
The Digital Operational Resilience Act (DORA)
DORA creates a regulatory framework under which all financial services firms need to prove they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. Importantly, DORA includes the oversight of ‘Critical ICT Third Party Providers’ (CTPPs), such as network providers, cloud platforms, and data analytics services, as well as financial services firms. This means that the regulation impacts not only banks and other financial institutions, but also the technology firms that support them.
Neither the technology used nor who provides it diminishes or removes the need to comply with DORA. For example, DORA will apply to a financial services firm regardless of whether it uses a hyperscale cloud provider or a small fintech.
Notably, while the Market in Crypto Assets (MiCA) bill has huge visibility at the moment, the linkages to DORA in MiCA should not be overlooked.
The DORA framework revolves around five key pillars:
- ICT risk management
- ICT-related incident classification and reporting
- Digital operational resilience testing
- ICT third-party risk management
- Information and intelligence sharing
ICT risk management
The first pillar requires firms to analyse the business impact of scenarios that can cause severe disruption and to have in place a robust, well-documented ICT risk management framework, with risk tolerance levels clearly defined. DORA places the onus on the firm’s management to not only take full accountability for these risks, but also bear full responsibility for key functions that are outsourced or delivered through Third Party Providers (TPPs).
ICT-related incident classification and reporting
One of DORA’s aims is to streamline, harmonise and centralise the reporting of ICT-related incidents. To achieve this aim, it provides a new classification, notification, and reporting framework requiring firms to collect and analyse data around such incidents and threats. Regulators are also investigating the feasibility of setting up a single EU hub for major ICT-related incident reporting.
Digital operational resilience testing
Under DORA, firms are required to annually undertake a comprehensive programme to test the digital operational resilience of their critical ICT systems and applications, and they need to involve their TPPs in these tests. Any vulnerabilities uncovered during the testing programme must then be fully addressed. Additionally, every three years, firms identified as ‘systemically important’ will need to carry out threat-led penetration testing, again with the direct participation of relevant TPPs.
ICT Third-Party Risk Management (TPRM)
Although ICT third party risk falls under the firm’s ICT risk management framework, technology vendors classed as CTPPs will also come under the direct supervision of the regulators. Under DORA, EU regulators will, for the first time, have the ability to sanction CTPPs if they’re unable to demonstrate the required levels of operational resilience to support their clients’ ICT risk management frameworks.
Information and intelligence sharing
DORA encourages firms, both financial institutions and TPPs, to voluntarily share information and intelligence, particularly around cyberthreats, to strengthen incident prevention and threat response across the financial industry. It’s expected that trusted communities, with well-structured privacy arrangements, will be established to facilitate such information sharing.
How BT Radianz helps
Now that the text of DORA has been agreed and the implementation timeline set for the next 18-24 months, financial institutions and their technology partners need to work more closely together than ever before.
This is where we can help. Our BT Radianz cloud ecosystem brings together a community of thousands of financial institutions (including banks, brokers, trading and investment firms, exchanges, trading venues, and clearing houses) with more than 400 third party technology providers delivering access to thousands of applications and services. With highly reliable, resilient and secure connectivity, guaranteed levels of service availability, and the ability to carry both encrypted and non-encrypted services over a single infrastructure, operational resilience is at the core of what we do. By partnering with us and working with the BT Radianz community, firms place themselves in the strongest position to address all five pillars of DORA in a reliable, secure, and cost-effective way, freeing up their own internal ICT resources.