European financial services firms will have less than 24 months to comply with the European Commission's new cybersecurity requirements involving risk management and other aspects of digital operational resilience once rules are finalized later this year.
With the clock ticking on an expected 2024 implementation deadline, the European Commission's new cybersecurity standards, known informally as "DORA," continue to loom large for financial services (FS) firms in the European Union.
DORA is shorthand for the Digital Operational Resilience Act.1 Designed to fortify FS firms by bulking up their cybersecurity functions holistically, DORA is intended to standardize and strengthen a national patchwork of incident reporting processes and directives across the EU.2 The new law is expected to cut through red tape and reduce hefty compliance costs.3
By harmonizing cybersecurity rules and regulations across the EU's 27 member states, DORA's intent is to help organizations limit the effect of ever-increasing cybersecurity-related disruptions by mandating standards that blunt threats to information communication technologies (ICTs).4 The new regulations are also intended to bolster stability and confidence in the EU's FS sector at a time when more and more financial transactions are occurring virtually.5
The digital migration of financial transactions in the European Union — as well as the subsequent threats and attacks that come along with an uptick in online payments — has been occurring at a breakneck pace. A European Commission study shows that during a one-week span alone in the early days of the pandemic, "the use of financial applications in Europe increased by 72%."6 Meanwhile, cyberattacks on FS firms during the pandemic have increased 38%, EC data shows.7
Risk Management
In crafting DORA, EU regulators included two key risk management pillars within the five core elements of the act: one covering informational communications technology risk management within organizations (ICT Risk Management), and another for vendors and other third parties supplying ICT services to FS firms (ICT Third-Party Risk Management).
While both pillars are intended to integrate cybersecurity efforts within a FS firm's broader risk management strategy, ICT Risk Management typically involves an organization's internal ability to identify, assess, control, monitor and report on resilience risks. This pillar also typically refers to an organization's ability to respond to and recover from negative events, as well as mandate the mechanisms necessary to ensure continued business operations, such as efficient governance, robust management systems for accountability, and efficient stakeholder communications strategies.
ICT Third-Party Risk Management, however, refers to an organization's processes that are designed to ensure the efficient management of third-party risk. While this will look different for every firm, this might include an organization's ability to efficiently create resilient procurement and sourcing strategies, establish a provider register and ensure robust contractual security-related provisions.
Here, we ask and answer questions related to the two risk management pillars that may be on the minds of boards and senior managers.
Pillar: ICT Risk Management
Q. How broad of an issue is ICT Risk Management for FS firms?
A. Very broad. Under DORA, firms will need to integrate risk management into their greater business strategies. Furthermore, ICT Risk Management arrangements will have to operate within the broader business context for appropriate investment prioritization and for impact assessments to be conducted in a manner that enhances the resilience of the most critical assets first. As a result, business leaders will need to ensure that they are proactive in understanding their risks — and what to do about them. Now more than ever, it is crucial for roles and responsibilities to be assigned in ways that provide the C-suite with the information and support it needs to understand and respond to these risks.
Q. How can FS firms prioritize these risks?
A. Start with the understanding that heightened risks facing important business services must be visible to senior management through effective governance and oversight processes. Risk monitoring in these important areas should occur continuously. When designing their approach, FS firms should also consider reputational, compliance and external risks; information sharing and incident reporting should be included in any overarching communications strategy. Even so, in accordance with national and European sectoral legislation, FS firms may outsource the tasks of verifying compliance with the ICT risk management requirements to intra-group or external undertakings.
Q. Will these efforts be a one-time undertaking or part of a broader ongoing strategy?
A. The short answer: ongoing. Risk management strategies need to be validated and continually tested, leveraging a range of tools to evidence compliance and effectiveness. Testing should incorporate regulatory-driven and critically assessed exercises, including the use of TIBER red team tests that replicate the actions of real-world threat actors to evaluate cyber defenses in real time. It is also worth noting that an effective ICT risk management strategy is dependent on the ability to make continuous improvements where they are needed. As cyber is a dynamic risk, resources should be allocated for any remediation activities that may be required, even unexpectedly, during planning for the financial year.
Pillar: ICT Third-Party Risk Management
Q. How can FS firms determine the risks involved with third parties?
A. DORA's position on ICT Third-Party Risk Management is based upon the following principle: While you can outsource a service, you cannot outsource a risk. Applying that principle means that entities in scope remain fully accountable for the risks they are managing — regardless of who is meant to mitigate specific risks or operate specific services. This means that there must be a greater emphasis on pre-contract diligence, which should ensure that appropriate security clauses and risk-related transparency are incorporated into the contracting process. And businesses should have dedicated risk assessment processes that are focused on measuring the risks associated with third parties.
Q. What can FS firms do to limit their exposure to these risks?
A. The scope of services needs to be carefully considered and completely documented. Contracts should ensure that service descriptions are provided in full, including details of where the third party might itself subcontract elements of the service. Still, given the new reporting requirements, it is also critical to ensure that incident reporting obligations and notice timelines are documented, and that service-level agreements more generally are appropriate and well-defined.
The Key Pillars of DORA*
- Digital Operational Resilience Testing
- ICT Risk Management
- Incident Reporting
- Information and Intelligence Sharing
- ICT Third-Party Risk Management
Footnotes
1: "Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014." European Commission. Sept. 24, 2020. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595
2: Ibid.
3: Ibid.
4: "A Digital Finance Strategy for Europe – September 2020." European Commission. https://www.compete2020.gov.pt/admin/images/200924-digital-finance-factsheet_en.pdf
5: Ibid.
6: Ibid.
7: Ibid.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.