As a financial institution, what does the EU Digital Operational Resilience Act (DORA) mean for you? And how does it fit alongside existing requirements such as GDPR, NIS and PSD2?
DORA aims to make ICT and third-party risk management across the financial sector more consistent and efficient, and to establish a single recognised standard. Its key requirements focus on:
- ICT risk management
- ICT-related incident reporting
- third-party (ICT service provider) risk management
- digital operational resilience testing, and
- information and intelligence sharing.
In the UK, through the PRA, and in Ireland, through the Central Bank of Ireland's Consultation Paper 140 (CP140), comparable operational resilience requirements are being adopted.
At a recent roundtable on the topic hosted by Digital Europe, stakeholders ranging from policymakers to financial services firms and technology providers discussed some of the impacts the regulation will bring. Overall there was acceptance that such regulation is needed given the scale and proliferation of cyber-attacks over the last year, but there was a feeling that the regulatory response:
- should still take into account the need for innovation and competitiveness, and not hinder it
- should leave room to use third-country technologies and refrain from introducing localisation measures such as data residency requirements
- should be proportionate, and aligned to each organisation's risk profile and risk appetite, and
- needs to be more consistent with the other regulations that overlap with DORA.
The most challenging parts of the regulation are third-party risk and operational resilience testing.
For third-party risk, financial services firms should look to:
- refresh existing third-party contracts so that they support the required obligations to implement and test DR solutions
- develop robust supplier exit strategies
- develop and implement a third-party risk framework, and
- establish which providers are critical to the digital operational resilience of the organisation (a key input to operational resilience testing).
For operational resilience testing, organisations need to:
- have effective policies in place
- test end-to-end DR and operational processes regularly (including training and awareness programmes)
- define testing approaches and tooling, and
- identify critical business services and map them to the underlying technology, applications, processes, people and third parties.
UK banks will feel well positioned given their adherence to previous guidelines; however, as well as adding scope, the DORA umbrella stretches further across the likes of insurers and fund managers. There are overlaps with existing regulations, but understanding where they are and how they work together is difficult to navigate. At Peru Consulting our experience is not only in financial services but across many other sectors. Through our cross-sector experience in regulatory compliance, supply chain management and operational resilience we are well placed to support the needs of FS clients.
Financial services and other organisations have nothing to lose by getting ahead of the game: defining their critical suppliers, assessing contracts, reviewing supply chain risks and/or defining and delivering resilience testing.
Peru, with our partners, has a wealth of experience in maturity assessments in regulated environments and in the quality assurance and delivery of operational resilience plans. Please get in touch with Steve Warren or Ian Robinson for more information.