Your guide to this week in regulation
Technical

Stay up to date with our latest round up of financial regulation.
Cyber security threats have risen as remote work becomes more common within firms. As a result, there has been an increased reliance on third parties to help run businesses, which increases the supply chain risk. The Digital Operational Resilience Act (DORA), which comes into effect in January 2025, looks to improve the existing ICT risk management requirements within firms to ensure there is a shared vision across financial services for cyber protection.
DORA aims to ensure technological resilience by establishing a unified digital regulation. Whereas Operational Resilience aims to protect customers and the wider market, DORA provides a framework for firms to improve their ICT risk management and put digital reporting standards in place.
The regulation will provide an EU-wide approach to testing digital operational resilience and outline third-party risk management requirements for ICT providers. The long-term aim is to encourage cooperation between firms and prevent substantial harm from cyber attackers.
Meeting this standard by the implementation date will demand a review of your internal systems and cyber processes. It is important to assess your operations and how to prepare for implementation.
The act primarily aims to improve digital risk management at a senior level. Managing this will require implementing an appropriate governing body to oversee digital operational resilience. Assigning individuals across all three lines of defence is also important to oversee the resilience measures and ensure that your framework is up to date.
Firms must also instill the right risk culture. Training schemes can create a better understanding of what to do in the case of disruption. Establishing this culture helps you meet regulatory requirements by providing your team with an overview of your current framework and an understanding of where to make improvements to meet expectations.
You must identify, classify, and document all ICT-supported business functions. Your IT functions must reflect the DORA framework, so it is important to map them out correctly so that they align with the EU's plan. This mapping should also match your internal ICT risk assessment to meet compliance.
You should set an appropriate risk tolerance level of ICT risk and assess your risk appetite. Agreeing these tolerance levels with the regulator beforehand will ensure that these levels are in place.
You should also define your vulnerabilities and risk control implementation. This means keeping track of emerging risks and how they align with your current risk universe to reflect in the Internal Audit plan.
You should also rate, monitor, and outline a withdrawal plan for all third-party providers. This means writing a contract that has clauses in place in case of service outage. This should also include an exit strategy with a clear transition plan.
You need to ensure that your data systems meet the requirements of DORA. There are five steps firms need to follow for incident management:
All firms will need to review their current operations. Creating a strategy to execute these five steps is important to stay ahead and meet the requirements of DORA.
In the event of an ICT-related incident, you should also create a communication response. This will ensure that there are clear response mechanisms in place in case of outage. Integrating this strategy with your emergency response procedures, incident management and disaster recovery process will also help you meet best practice.
Strong penetration and scenario testing processes should also be in place. You need to ensure that your firm can stay within pre-set tolerance limits and is prepared for potential issues. Testing will allow you to obtain a strong understanding of your processes to meet best practice.
You should also complete a plan-do-act-check spiral of discovery. This will require a full investigation into your testing findings to assess the root cause and the ability to establish a remediation plan. In turn, this should give you information for retesting to improve your systems and ensure you are meeting best practice.
You should exchange information by developing training and awareness materials once testing is complete. This will ensure there is collaborative information sharing that increases the overall understanding of your operational resilience measures and of lessons learned across the industry.
Implementing DORA will require a review of your current operations, and every firm will have a unique set of requirements to consider. Therefore, it is important to consider a systematic approach to implementation. Meeting compliance will require a review of your internal business operations to understand your tolerance levels and recovery requirements.
It will also be important to have third party assurance to demonstrate your digital resilience. The EU will expect a strong business continuity and recovery plan, so an accurate review of your digital operations is necessary.
DORA will require you to enhance your cyber security framework and address digital resilience risks. It is important to anticipate challenges early to avoid major setbacks and improve your existing framework. Doing this now will ensure you are ready for implementation and help you get ahead of the curve.
For more information, contact Priya Prakash.