DORA: Strengthening operational resilience in the digital age
Key Takeaways
- Go-live of DORA will have widespread impact across derivatives
- DORA replaces piecemeal approach with EU-wide framework
- Firms must partner with vendors that offer multiple services
The clock is ticking with only a little over a month to go before the European Union’s Digital Operational Resilience Act (DORA) goes live on 17 January 2025.
The impact will reverberate across the entire financial services universe, but those trading derivatives will have to pay special attention to trading platforms, clearing houses, brokers, as well as software providers.
DORA was first mooted on 24 September 2020, as part of the European Commission’s Digital Finance Package (DFP), which contained a digital finance strategy, legislative proposals on crypto assets, blockchain technology, and digital operational resilience. The aim is to bolster the security of the bloc’s financial service firms by imposing resilience requirements and regulating the supply chain.
Overall, the regulatory net covers 22,000 enterprises such as cloud platforms, data analytics and audit services, as well as the Information and Communication Technology (ICT) infrastructure companies inside or outside the EU offering information and communications technology services.
DORA: A plan to bolster operational resilience
Cybersecurity has been a well-documented threat in the financial services sector. Covid-19 is often cited as a catalyst ushering in a new era of digitalization as firms adjusted to the work-from-home environment.
However, despite the many efficiencies generated, these changes also exposed organizations to operational disruption and breaches. Last year, the number of ransomware attacks soared by 64%, nearly double the 2021 level, according to Sophos, a cybersecurity company.
As a result, the Commission devised a new game plan. There had been earlier attempts, such as the European Banking Authority's 2019 Guidelines on ICT and security risk management, as well as proposals on outsourcing arrangements.
DORA scraps this piecemeal approach and introduces a single, consistent supervisory structure across a wider range of financial market participants, including investment firms, insurance companies, crypto-asset service providers, exchanges, clearing houses, alternative fund managers, pension funds and credit rating agencies. The regulation also has greater depth, spanning 64 articles and 500+ subsections.
The Act is based on five pillars:
- ICT risk management
- ICT related incident reporting
- Digital operational resilience testing
- ICT third party risk management
- Information and intelligence sharing
In addition, it includes a Union-wide oversight framework for critical ICT third-party providers, a first of its kind. Once a provider has been designated as critical by the European Supervisory Authorities (ESAs), the framework allows the ESAs to request information from the provider and to investigate and assess its physical security, risk management processes and governance arrangements. The authorities are also mandated to issue recommendations and penalties of up to 1% of annual worldwide turnover.
Uneven preparations across the market
Given the sheer breadth of DORA, it is no surprise that many market participants feel unprepared. As a report by Acuiti issued late last November – Third-Party Risk Management in the Time of DORA – notes, it is the most significant new regulation that firms are facing, but they have a long way to go in terms of getting their internal processes in place despite the deadline moving closer.
It found that sell-side firms were farther ahead on the implementation journey, with the majority planning to make major changes in how they manage third-party risks. By contrast, their buy-side counterparts, as well as proprietary trading firms, were lagging behind, and awareness of the steps needed was “concerningly low” despite the deadline moving closer by the day, it added.
This prompted trade groups such as the Association for Financial Markets in Europe (AFME) to ask for more time. It issued a statement earlier in the year that said the pace and scale of the challenge associated with implementation should not be underestimated and urged EU authorities to engage with industry on how firms should be rationalizing these requirements.
One of the biggest challenges is the way financial institutions have evolved. They are encumbered by multi-layered digital ecosystems with various vendors and systems, as well as a myriad of in-house legacy platforms.
Untangling these is not easy and requires significant coordination and integration to get these systems ready for the new regulations. Firms also need the operational resources to analyze cyber threats, assess vendor relationships and fulfil the reporting requirements, according to the Acuiti report.
Taking the required steps
As a result, there is a long preparation checklist, starting with educating senior management and gaining their buy-in for the funding required to comply with the new requirements. The next step is to conduct a full appraisal of the digital infrastructure to identify the cracks and to ensure that internal governance is up to scratch in terms of managing ICT risk and identifying the biggest threats. Hand in hand with this is the establishment of relevant procedures and processes for consistent monitoring, handling and reporting of ICT-related incidents. Every incident must be tagged and addressed to prevent any recurrence.
Firms also cannot afford to take a passive approach. They need to be much more dynamic and undertake regular simulations of potential disruptions, such as cyberattacks and technology failures, to analyze response times and pinpoint areas for improvement. Testing must form an integral part of the DORA ICT risk-management framework, which itself should be reviewed on a yearly basis and must be submitted to the competent authority upon request.
Time is of the essence, and firms should be well past the starting gate in building a DORA foundation. For many firms with multiple vendors, governing and gaining transparency into vendor compliance will be a significant overhead. This will more than likely lead financial services firms to evaluate vendors that have the scale to provide multiple services, from trading and post-trade to compliance and risk management, and to meet these rigorous new requirements, rather than relying on a multitude of niche players. Time will tell how firms meet the new regulatory requirements, but the smart firms will be clear about their strategy to minimize cost and to focus on the effectiveness and efficiency of their actions.