What firms can expect from DORA
This article was first published in FT Global Risk Regulator
The Digital Operational Resilience Act (DORA) is currently in consultation and, under the proposed timetable, due to come into force in January 2022. It is an EU regulation for financial services firms, and it will also reach UK firms that operate EU-regulated entities or serve EU markets. It covers operational resilience from a technology perspective: the information and communications technology (ICT) risk, incident, testing and third-party arrangements that keep business services running.
Over the past 12 months, several regulators (including the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and European Banking Authority (EBA)) have developed proposals to clarify requirements around operational resilience, making DORA the next in a long line of requirements firms are responding to.
As firms continue to get to grips with multiple compliance requirements, as well as driving the right behaviours that embed resilience within their business, we’ve looked at the three most important elements of DORA to consider alongside other operational resilience regulatory proposals.
1) Third party services
Existing regulations and guidance (for example, the EBA guidelines on outsourcing) require firms to categorically define their critical third-party providers and actively monitor them. DORA builds on this desire to ensure firms have a strong understanding of suppliers by focusing on ICT third-party providers. DORA asks firms to understand how deeply each provider is embedded in the firm, and whether the firm could continue to operate without it. DORA expects that identifying critical ICT providers will use both qualitative and quantitative criteria, such as which business services rely on that supplier, whether a substitute exists, and what happened the last time the service was unavailable.
Typically, firms will carry out due diligence prior to signing contracts, but now they must consider the robustness of their arrangements with the third party and the frequency of review.
For example, is there documentation to demonstrate robust continuity capability? Has the ICT provider changed structure, location, affiliations?
DORA also proposes an oversight framework for critical ICT third-party providers, under which the European Supervisory Authorities could request information directly from providers, conduct on-site inspections and make recommendations on any issues found.
2) Cyber intelligence
Sharing cyber intelligence between firms is not new. In 2016, the National Institute of Standards and Technology Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing, introduced cyber threat intelligence and information sharing concepts, described the benefits and challenges of sharing, clarified the importance of trust between participants, and introduced specific data handling considerations. On the face of it, sharing intelligence on cyber threats is an obvious thing to do, because the sharing of accurate, timely information should increase the efficiency and effectiveness of a firm’s cybersecurity capabilities.
DORA sets out several areas to consider (such as data handling between firms) and guidelines to follow, so that intelligence sharing stays under control. For example, firms exchanging cyber threat information can share not only indicators of compromise but also attacker tactics, techniques and procedures, provided the sharing arrangement protects the sensitive business information involved and respects confidentiality and data protection obligations.
3) Operational resilience
Most operational resilience regulations or guidance set out requirements covering risk management, testing and incident management. DORA is more explicit and states that ICT incidents must be classified according to the prescribed criteria to be developed by a joint committee of European Supervisory Authorities. This will mean an increase in the number and level of detail reported for ICT incidents. This requirement will therefore demand increased transparency for ICT incidents throughout the business to allow compliance with the Act.
DORA is currently in a 12 to 18-month consultation phase ahead of being finalised. There are several things that firms should do now to prepare for the new regulation:
- Assess current due diligence measures for ICT third party providers to ensure compliance with DORA. Going forward, firms should be aware that information they provide to authorities could be validated through site visits to the third party service providers. Firms should therefore undertake preparatory site visits as part of their own due diligence activities.
- Develop or amend an incident reporting framework. This framework should be flexible enough to accommodate the prescribed classification criteria as they are developed in the months after DORA comes into force, bearing in mind that DORA states that any ICT incident classified as ‘major’ under those criteria must be reported to the competent authority.
- Review any current testing arrangements and redefine the minimum scope to align the testing processes with the proposed rules.
- Ensure testing is aligned to risks and demonstrate that planned testing is robust enough to validate recovery strategies.
- Review whether the current ICT third party assessment criteria provides a detailed picture of resilience capability.
- Review whether - and how - cyber intelligence is shared, how conditions for sharing are currently documented, and whether those conditions would comply with DORA.
- Define conditions for sharing information, including developing processes to notify competent authorities of participation in intelligence sharing.
As the last 12 months have shown, in uncertain times the ability to prevent, respond to, recover, and learn from operational disruptions successfully is key, not only to keep business services running effectively, but to ensure the firm’s resources and people stay productive and safe.
DORA may be the next operational resilience regulation to go through consultation, but it certainly won’t be the last. Understanding the key points of differentiation, and taking preparatory action now, will ensure a smoother transition for all.