On 24 September 2020, the European Commission published the first draft of the Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP). This package involves a digital finance strategy, legislative proposals on crypto assets, blockchain technology, and digital operational resilience, as well as a renewed retail payment strategy.
Once the Act is finalised and adopted, expected towards the end of 2022, it will apply directly in every EU member state as a Regulation, without the need for national transposition. The European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop the technical standards that financial services institutions, from banking to insurance to asset management, must abide by. The respective national competent authorities, such as the Malta Financial Services Authority (MFSA), will take on compliance oversight and enforce the regulation as necessary.
The financial sector has become heavily dependent on ICT and on information held in digital form. The COVID-19 crisis acted as a catalyst, as financial institutions now rely even more on the availability of digital systems to conduct day-to-day operations remotely. This dependency has sharply increased technological and cyber risk, and the last couple of years have shown that digital resilience cannot be taken for granted.
The EU’s aim with DORA is to strengthen the financial sector’s resilience to ICT-related incidents, and the Act introduces very specific and prescriptive requirements that are homogeneous across EU member states. Critical ICT third-party providers that supply ICT-related services to financial institutions, such as cloud platforms, data analytics and audit services, are also brought within the scope of the regulation. Organisations need to be able to withstand, respond to and recover from the impact of ICT incidents, thereby continuing to deliver critical and important functions and minimising disruption for customers and for the financial system. This is only achievable by establishing robust measures and controls over systems, tools and third parties, by having the right operational continuity plans in place, and by testing their effectiveness on a continuous basis.
This act provides a very specific set of criteria, templates and instructions that will shape how financial organisations manage ICT and cyber risk. It shows that EU regulators want to be hands-on on the topic, with considerable emphasis on frequent reporting, communication and assessments, enabled by standardised formats. As a result, a single consistent supervisory approach will be adopted across the relevant sectors.
The essence of DORA is divided across five core pillars, each addressing a domain within ICT and cyber security, which together provide a comprehensive digital resilience framework for the entities in scope. A summary of the key requirements under each pillar is provided below:
The proposal establishes a set of requirements on the ICT risk management framework, including:
Set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk.
Continuously identify all sources of ICT risk in order to set up protection and prevention measures.
Establish prompt detection of anomalous activities.
Have dedicated and comprehensive business continuity policies and disaster recovery plans in place, ensuring prompt recovery after an ICT-related incident.
Establish mechanisms to learn and evolve both from external events and from the entity’s own ICT incidents.
The proposal also sets out requirements on ICT-related incident management, classification and reporting, including:
Establish and implement a management process to monitor and log ICT-related incidents.
Classify each incident according to the criteria detailed in the regulation and further developed by the ESAs (EBA, EIOPA and ESMA).
Report incidents to the relevant authorities using a common template and a harmonised procedure as established by the respective supervisory authority.
Submit initial, intermediate and final reports on major ICT-related incidents to the competent authority, and inform clients and users where an incident has an impact on their financial interests.
On digital operational resilience testing, the proposal requires that:
Elements within the ICT risk management framework are periodically tested for preparedness.
Any weaknesses, deficiencies or gaps identified are promptly eliminated or mitigated through the implementation of counteractive measures.
Digital operational resilience testing requirements are proportionate to the entity’s size, business and risk profile.
Entities with higher levels of risk exposure conduct Threat Led Penetration Testing (TLPT), an intelligence-driven exercise commonly delivered as a red or purple team assessment.
On managing ICT third-party risk, the proposal requires financial entities to:
Ensure sound monitoring of risks emanating from reliance on ICT third-party providers.
Harmonise key elements of the service and of the relationship with ICT third-party providers so that monitoring can be complete.
Ensure that contracts with ICT third-party providers contain all the details necessary for monitoring and access, such as a full service level description and an indication of the locations where data is processed.
Promote convergence of supervisory approaches to ICT third-party risk by subjecting critical service providers to a Union Oversight Framework.
Finally, the proposal encourages collaboration within trusted communities of financial entities. This collaboration aims to:
enhance the digital operational resilience of financial entities
raise awareness of ICT risks
minimise the ability of ICT threats to spread
support entities’ defensive and detection techniques, mitigation strategies, and response and recovery stages.
Financial entities are encouraged to exchange cyber threat information and intelligence amongst themselves through arrangements that protect the potentially sensitive nature of the information shared.
*Articles 23 and 24 of the proposal set out the requirements for full-scale Threat Led Penetration Testing (TLPT), including the requirements placed on the testers.
Once DORA enters into force, financial institutions have one year to reach compliance with the regulation’s requirements, in a manner proportionate to their size and business profile and in line with the relevant technical standards developed by the ESAs. The advanced testing requirements of Articles 23 and 24 only apply 36 months after entry into force, giving entities identified as exposed to higher degrees of cyber risk that period to prepare for and conduct threat led penetration tests such as a red or purple team assessment.
While DORA will bring about newer and more defined requirements than ever before, the expectation of mature ICT and security risk management practices within the financial sector has been a constant theme emphasised by both the relevant ESAs and, locally, the MFSA. Guidelines such as the EBA Guidelines on ICT and security risk management and the Guidelines on outsourcing arrangements have been in place since 2019, and the MFSA released its own interpretation, the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, in December 2020. Now is therefore the right time to use these guidelines as a benchmarking tool to prepare for what 2022 will bring. By conducting comprehensive gap assessments and identifying the areas that require further investment and maturity, your business will be better placed to address the more complex requirements such as supply chain risk management, threat intelligence and advanced security testing.
While we view DORA as a milestone in the right direction, and inevitable in light of the evolving cyber threat landscape, we appreciate the uncertainty that such a regulation can bring upon organisations. With this in mind, our local team of ICT and cyber security experts has been closely monitoring and familiarising itself with DORA in order to be well positioned to provide sound advice on this topic and to assist you throughout this long-term journey.
Advisory Director, Head of Risk Assurance, PwC Channel Islands
Tel: +44 7797 900015