A provisional agreement has been reached on the Digital Operational Resilience Act (DORA). Responding to this will pose a series of challenges for banks in Europe – and what should they be doing now in order to meet them head on?
On 10 May, the European Council and the European Parliament reached a provisional agreement on the Digital Operational Resilience Act (DORA), bringing the Act one step closer to reality. DORA will cover the whole financial sector including critical third-party providers (CTPPs) such as cloud computing and software vendors. It is part of the European Commission’s Digital Finance Package of September 2020, along with a Digital Finance Strategy, a draft Regulation on Markets in Crypto-Assets (MiCA) and a proposal on distributed ledger technology.
DORA is a milestone in European financial regulation. It will establish a comprehensive, consistent EU framework for regulated financial institutions, ensuring the resilience of Information and Communications Technologies (ICT) against all types of disruption and threats. It supersedes the EU’s current patchwork of ICT-related regulations and other initiatives. Instead of viewing security disciplines in isolation, it aims to create a holistic monitoring and control framework covering ICT risk management, incident reporting, continuity management and outsourcing.
As per the Annual report on the outcome of the 2020 SREP IT risk questionnaire, outsourcing is extensively used in the European banking sector, with 60% of banks with either fully or largely outsourced activities. To add to this, 85% of banks are using any form of cloud computing services, with expenses related to cloud doubling from 3% of total IT outsourcing expenses in 2018 to 6% in 2019. This together indicates that DORA is a very relevant topic for the European banking industry due to its already widespread use of CTPPs and cloud computing.
DORA aims to address risks arising from increasing interconnectivity, digitalisation and reliance on third party services by:
- Streamlining and upgrading existing regulation, introducing new rules where gaps exist
- Improving alignment between business strategies and ICT risk management, strengthening risk control and ensuring firms can identify vulnerabilities and assess their resilience
- Harmonising and streamlining the incident reporting mechanisms, reducing firms’ cost burdens and increasing supervisors’ insights by giving them access to relevant information
- Applying testing requirements proportionately, based on firms’ size, business and risk profile
- Strengthening firms’ oversight and monitoring of third-party ICT operations
- Raising awareness of ICT risk and minimising its spread through information-sharing, allowing firms to exchange intelligence on cyber threats
DORA could pose major potential challenges for financial institutions. First, it will be hard to apply a single framework to entities ranging from large, complex groups to small, simple businesses. Second, it draws software vendors and other service providers into the regulatory perimeter. Third, it is backed up with wide enforcement powers.
For banks in particular, DORA appears at a time when many are still working to implement the EBA Guidelines on outsourcing arrangements, which is a key expectation of the ECB, notwithstanding all the other papers that have crossover on related topics, including the Basel Principles for operational resilience, the Network Information Security directive and other national requirements. There is clear scope for overlap or interaction between the different initiatives.
With this in mind, parts of the DORA legislation will be challenging to implement for banks, and these are likely to include:
- ICT risk management: Certain elements of DORA - such as Article 10 which requires detailed record keeping of activities before and during an IT incident, or Article 11 which requires restoring backed up data within an unrelated operating environment – are likely to be costly to achieve and may limit flexibility. They will be especially challenging for smaller banks and could potentially drive fragmentation of technology, since most banking groups do not generally structure ICT on an entity-by-entity basis.
- Advanced test procedures: The focus on resilience testing for banks will increase, and threat-led penetration tests of functioning systems will become mandatory for more organisations, and it will be possible to include several national authorities in the test procedures. This could significantly increase costs and other resource requirements.
- Third party ICT risk: DORA introduces greater oversight of CTPPs, since financial data are increasingly actively hosted or passively processed by third parties. Providers designated as ‘critical’ will come under direct supervision by European authorities, although the definition of critical providers is currently unclear. Prescriptive requirements such as applying the latest security standards may challenge smaller banks or those with legacy systems.
- Triage and major incident reporting: New reporting requirements are clearer and more consistent, but new and location-specific notification requirements may make managing a major incident more difficult and less safe. It is also unclear how regulators will manage huge volumes of incident notifications and conduct subsequent root-cause analysis.
So what can banks do now to meet these challenges head on? In our view, the greatest priorities are to:
- Understand that a new, consistent approach is needed. Even leading banks will need to make changes to comply with the new regime and meet supervisors’ more consistent expectations for controls, risk management, reporting and recovery. In some cases, transformation of operating models will be required.
- Know their current state. Banks should understand their current position and benchmark themselves against the requirements of DORA. At a minimum, they should identify gaps and mobilise the resources needed to plan and implement a successful transformation.
- Put the right accountabilities and talent in place. Banks need to ensure their operating models have the accountabilities and talent required to transition from their current position to the end state needed to comply with the expectations of DORA.
- Be realistic about possible expenses. Depending on their current status, banks may find that the additional requirements of DORA across a range of security disciplines could entail significant investment and affect future profitability targets, which is already a key focus of the ECB in their business model assessments.
- Seize the opportunity. DORA is not merely a compliance requirement. By unifying the regulation of ICT risk management, it provides an opportunity for banks to bring together their operational risk control capabilities and achieve a high level of operational readiness and resilience across the organisation.
In conclusion, DORA is a response to the increasingly complex technological environment in which banks operate. The need for institutions to be ready for incidents, and to be able to respond and recover from them effectively, is greater than ever. DORA represents both a challenge and an opportunity to reboot cyber resilience.