Today, the exposure of the financial industry to the threat of cyber-attacks is higher than ever. The problem is exacerbated by the reality of post-pandemic remote working which has transferred many critical operations wholesale to the digital environment.
In response to increased digitization, and rising supply chain cyber vulnerabilities, the European Union is leading efforts to increase security of the financial sector and has adopted a broad cyber security regulation known as the Digital Operational Resilience Act (DORA). DORA purports to increase digital operational resilience of the financial sector across the EU.
The onus is now on financial institutions and tech providers to conduct an analysis/review of potential contract remediation requirements in five key topic areas - ICT Risk Management; ICT-related Incident Management, Classification & Reporting; Digital Operational Resilience Testing; ICT Third Party Risk Management; and Information Sharing Arrangements - which could be equally burdensome for both parties.
This article explores who is affected by the new regulation, and how, as well as how to leverage the experience, capability and scale to deal with the volumes of impacted contracts.
To whom does DORA apply?
DORA will apply to a wide variety of financial organizations, including banks and insurance companies. It will also directly capture providers of information and communication technology (ICT) services for these organizations, such as cloud platforms or data analytics services. It is important to note that DORA will impact ICT service providers irrespective of their own country of domicile, even when they do not have a physical presence within the EU. In certain scenarios, the regulation may force the respective providers to consider establishing an EU subsidiary.
When does DORA take effect?
DORA entered into force in January 2023 and will apply from January 2025. Financial institutions and their technology providers will therefore only have until then to comply with a broad range of new and strengthened requirements. Ensuring compliance will require substantial effort and preparations in earnest should start now.
Strengthening operational resilience
For financial institutions, the regulation offers two broad benefits. The first is the emergence of a consistent, harmonized, and multi-jurisdictional regulation implemented across all EU member states, levelling the compliance playing field and strengthening regulatory and operational resilience across the EU.
The second, and perhaps more significant, benefit is that DORA aims not just to prevent, but to minimize the impact of cyber threats across the financial services industry.
DORA will provide a regulatory framework that aims to ensure business continuity in the face of any ICT-related threat. With the digital flexibility to withstand, respond to, and recover from disruption of ICT services, financial organizations are less likely to face the threat of a systematic collapse.
Addressing the systemic risk posed by the interconnectedness of financial institutions and tech companies, DORA introduces new standards for security of their network and information systems. It will also establish additional and specific requirements for designated “Critical” third-party providers of ICT services which will be subject to direct oversight of EU authorities.
Managing ICT-related risks
DORA aims to ensure that financial institutions can prevent and respond to ICT threats in a manner which preserves consumer trust and market integrity through the overhaul of existing risk management frameworks. To be compliant with DORA, risk management must be reimagined to include tools necessary for efficient protection of both software and hardware which form part of the financial entity’s network and information systems.
The regulation aims to determine both cybersecurity responsibilities within financial institutions, and the roles of financial regulators themselves. It also identifies the requirements for ICT services supply chain risk management. Significantly, this will mean a potential upgrade to contract terms where any existing terms do not meet the required standards.
At a high level, this triggers a requirement to review a broad range of provisions, such as an adequate description of the provided services, inspection and oversight rights, and access to and recovery of data.
More extensive requirements apply to ICT services contracts which support so-called “Critical” or essential functions. Under DORA such contracts must include ongoing monitoring rights and exit strategies which enable safe transition to another provider. These prescriptive requirements should ensure that financial institutions, irrespective of their size, are adequately protected against severe operational disruption affecting their service providers, while maintaining an ability to implement an effective contingency plan.
A new and distinctive component of DORA is the introduction of an EU-wide supervisory regime directly covering critical third-party ICT providers. This solution reflects the intertwined relationship between the EU financial sector and the myriad of technology solutions it has adopted such as cloud computing and data services. DORA attempts to ensure that providers of critical ICT services appropriately manage the risk which they pose to financial entities.
This aim will be achieved through a variety of measures focused on, among others:
Addressing the compliance gap
There are several actions which must be undertaken now by financial entities to adequately prepare for the implementation of DORA.
By conducting an initial mapping of existing ICT assets, functions and dependencies, an organization should be able to identify any existing risks and threats to its digital resilience. This exercise should be followed by a comprehensive review of its existing contractual arrangements with third-party providers. On this basis, an organisation can determine whether DORA-specific requirements are already addressed in whole or in part. This analysis should form a component part of a broader effort across various functions and teams, such as IT, legal, risk management and compliance. Involving these teams from the outset, obtaining their buy-in and support, and rolling out relevant training initiatives are all going to be key considerations for an organisation to bear in mind in order to develop a comprehensive digital resilience strategy.
Understanding any potential lacunae and adjusting efforts to implement the agreed-upon internal strategy will give a financial entity an opportunity to renegotiate its affected agreements with third-party providers. Additionally, organizations will have to consider adjusting their approach to new contractual arrangements, ensuring compliance with the regulation at the point of execution of those agreements.
Based on the above gap analysis, an organisation will then be well-placed to set out a plan for achieving full compliance during this year.
Some of the key considerations to ensure a successful remediation programme include:
(It should be underlined that although DORA entered into force a year ago, related secondary regulations and standards remain to be finalized. This means that any compliance measures must be flexible enough to be adjusted based on the emerging final regulations).
Market stakeholders have been invited to engage with regulators during a consultation process. Financial entities acting independently or through industry associations can now submit their feedback and that in turn may have a real impact on the final shape of these regulations.
How to start this remediation exercise?
In summary, conducting a gap analysis as well as developing and implementing a DORA strategy will require a significant effort from all affected entities. Financial organizations should reframe this conversation as an opportunity to introduce a consistent and comprehensive approach to digital operational resilience, with the laudable and achievable ambition to mitigate negative financial and reputational impacts of any future ICT-related incidents.
Managing this endeavor efficiently and accurately will require a process not wholly unlike previous regulatory remediation exercises (LIBOR, GDPR). Whilst volumes of impacted contracts will not be in the same region, volumes will be sufficiently high that taking a standardised approach to streamline the review and amendment activities will be highly beneficial.
From LIBOR to Schrems II to Brexit and Initial Margin, Factor has helped clients facing massive and complex regulatory requirements repaper their contracts in a timely fashion and under budget.
We help clients meet regulatory change deadlines by designing and deploying tech-enabled solutions, overseen by expert project managers to handle contract analysis, client counterparty outreach, protocol-driven and bilateral negotiations, and data transfer of remediated documentation.
With hundreds of complex contract review and remediation projects under our belt Factor has narrowly focused its investments (in technology, tools, methodologies) with the aim of being the best in the world in regulatory response and remediation. As such, Factor is well-placed as a trusted partner to guide you through a successful DORA transition.