As cyber threats and systems vulnerabilities ratchet up, it’s going to take more than heat maps or paper policies for already hard-pressed cyber teams to provide the level of protection and rapid incident response needed to meet the new demands of the Digital Operational Resilience Act (DORA). Durable operational resilience in today’s fast-shifting threat environment calls for a transformative way of managing the risks. How would this new approach work? How can it make a lasting difference?
ATMs out of service, online banking disrupted, trading systems halted, businesses grinding to a halt – our vulnerability to systems outages and cyberattacks, their frequency and their impact are growing all the time.
DORA raises the stakes for how ICT and cyber risks are managed, not just in your operations but across the third parties in your value chain, making digital operational resilience as important as financial soundness in your licence to operate as a financial services (FS) organisation.
Yes, boards will be asking “how can we comply by the January 2025 deadline?” But come January, it will no longer be a case of ticking the compliance boxes. Rather, the new year should be a turning point in your resilience transformation journey. The time that regulators will hold your organisation to account is when an incident strikes. Were you aware of the threats? Were you prepared? How effective were your defences? Were you ready to respond, contain the impact and remediate effectively?
This shift from paper compliance to operational resilience is why a rethink of your risk management activities is so pressing.
Your operational infrastructure and your ability to protect it are also becoming increasingly stretched as critical systems and sensitive data are spread across multiple third parties. Businesses are not always clear about who holds their data and where. They may even find that they still have exposures in legacy systems they thought had been decommissioned but are in fact still running in the background.
One of the first questions boards are going to ask if market-wide systems come under attack is “are we affected?” and “how quickly can we close the breach?” Given how much is at stake reputationally as well as financially, “not sure” isn’t a good enough answer.
Further questions centre on whether your organisation has sufficient resources to manage cyber risks and sustain operational resilience. It's often the small in-house cyber teams who are expected to monitor and manage all these risks. DORA could make today’s already mounting strains unsustainable.
For a start, DORA demands the technology and automated processes needed to sustain a stronger level of detection, protection and response capability. Existing systems will struggle to cope, calling for significant investment in technology and in the people who manage it, not just in the implementation phase but as part of business-as-usual once the processes and tools are running. Do you have the resources in-house to design and deliver this?
The systems demands of DORA are compounded by the operational challenges of monitoring, safeguarding and, where necessary, intervening in what is likely to be an extensive third-party digital ecosystem – subcontractors as well as direct outsourcing arrangements.
The risk-based solutions needed to meet these demands need both strategic design and the ability to execute at speed and scale.
But if DORA is putting impossible pressures on existing defences, it could also be a catalyst for a more proactive, resilient and continually adaptable approach to cyber and wider operational risk management.
At PwC, a key part of our value is helping FS organisations to design effective cyber defences and work out how to manage the constantly evolving cyber threats they face. What comes through loud and clear from this work is the glaring gulf between strategy and execution, especially within smaller and mid-size FS organisations that often lack the cyber-focused resources of larger counterparts.
We believe that PwC’s established cyber managed service offering can help bridge this capability gap. Indeed, for many FS organisations, a managed service solution could be the most effective way to meet the demands of DORA and build them into a sustainable business-as-usual.
PwC has hundreds of skilled managed cyber services professionals within EMEA and even more globally within the network. Working closely with clients, we don’t just advise on the steps they need to take to protect their businesses; we also help them develop the safeguards, run cyber security operations and harness these capabilities to accelerate business transformation as part of a durable model of digitally enabled cyber managed services.
Our solutions cut across the pillars of DORA – ICT risk management (integrating resilience enabled by ICT and cyber operations), incident reporting, digital operational resilience testing and third-party risk management. Crucially, PwC’s managed service is geared to delivering real defence rather than reactive compliance alone.
The first key question you’d want to address is, “what are the risks?” PwC’s security centres are continually scanning the threats in real-time and analysing the shifting patterns and trends. We can then supply the threat intelligence to your business so you can proactively respond and safeguard your operations.
The other big question is, “where are our weaknesses?” Desk-based mapping is both too slow and too labour-intensive to be of real use now, and even more so once DORA is in force. That’s why access to the latest protection, detection and incident response technology is so critical. By harnessing a new generation of AI tools, we can help you map key functions, data holdings and potential risks across your in-house and third-party ecosystem – again in real-time. This not only allows us to address vulnerabilities, but also to identify and respond to incidents quickly, contain the business impact before it escalates, and provide credible answers to board and regulator questions about that impact.
And because we run these services for multiple clients, when we detect threatening activity in one, we can move quickly to identify comparable vulnerabilities and protect against the threat in other businesses.
Just as important as technology is talent. Cyber specialists are in short supply across all industries, including FS. There is a lot of mobility and resulting vacancies, especially in small teams where prized professionals can quickly reach a ceiling in their careers. In contrast, cyber security is our business. PwC’s professionally qualified cyber specialists, financial services advisors and delivery specialists integrate seamlessly to form part of your team, running risk management from inside your organisation. As our operational centres are located within Europe, we can also facilitate compliance with EU data protection, data sovereignty and cross-border transfer regulations.
We also know that when you come to us, you need solutions fast. Recent examples include a client that, having just been hacked, realised that its security measures were no longer fit for purpose. We were able to agree commercial terms and put 24/7 managed cyber protection in place in a matter of days. Our ability to take the strain and speed up turnaround can also be seen in areas such as contract renewal for DORA. In a recent example, we used artificial intelligence tools to identify and update relevant clauses, such as right of audit, across a network of more than 100 third-party suppliers and multiple contracts.
Cutting across this human-led, tech-powered approach is trust. In an uncertain threat environment, clients know that we’ve seen what works, what doesn’t and how to use this experience to shore up defences and instil resilience. In turn, we understand how important trust in data, trust in systems, trust in the ability to manage potential risks are to you and your customers. As an FS organisation, your ability to drive innovation and realise the potential depends on trust.
DORA might be a catalyst that triggers wider cyber, risk and legal compliance considerations – we will provide further insights in the next edition in this series. In the meantime, please get in touch to find out more about how PwC’s cyber managed services can help you comply with DORA.
© 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only and should not be used as a substitute for consultation with professional advisors.