The Digital Operational Resilience Act (DORA) is set to address the gaps that pose critical dangers to banks, financial institutions and insurance companies. DORA addresses the open doors that cyber criminals have been utilising. Whilst the steps taken from the framework are necessary to strengthen resilience within these organisations, the process of implementing DORA is going to be challenging.
What is the scope of the Digital Operational Resilience Act (DORA)?
The 5 pillars of DORA cover immediate and third-party risk management, operational resilience testing, incident reporting, and sharing of information amongst peers. However, what is apparent is that some pillars lack detail at present, whilst others already delve deeper into expectations and requirements. It is in those areas that DORA addresses the existing gaps in financial institutions.
What are the areas of DORA that seem to be covered in other regulatory frameworks?
Certain assumptions are made in DORA, and so naturally these are the areas that are addressed very lightly.
For example, the pillar for ICT Risk Management assumes that banks and financial institutions already have a Risk Management framework, so it chooses not to explore this in depth. If you are ISO27001 compliant then you will already have most of the risk management element of DORA covered off.
It also assumes that operational resilience testing is already a part of an entity’s processes – perhaps unsurprising given that the Basel Committee on Banking Supervision, the FCA and the European Banking Authority all cover operational resilience comprehensively.
What is going to be the biggest impact of the Digital Operational Resilience Act?
First things first: those who fall into the trap of tackling the 5 pillars of DORA as a chronological, step-by-step checklist will find their efforts go to waste.
There are actually two key areas that are going to impact financial entities the most: third-party risk management and reporting.
These are the key gaps that DORA draws the most attention to, and that bridge the other gaps evident in existing frameworks. Financial entities need to begin this work now in order to be compliant in time.
The third-party element of DORA will ask financial institutions to be able to say with confidence that their supply chains are secure and compliant with DORA – this is non-negotiable. What is unclear is how far they need to go with this work.
For example, financial institutions will need to review the working cyber security practices of their third parties, and this may mean contractual changes to ensure that those third parties continue to monitor their environment for cyber threats. But here’s the rub – it doesn’t end there.
Organisations will also need to ensure that their own network’s third parties (yes, take a moment to think about that one) are DORA compliant and operationally resilient. And it gets even more confusing – it is presently unclear how far organisations will need to go to ensure that the third parties of their third parties’ third parties are resilient – it could be as much as four or five layers deep. Not only that, the third-party focus is woven across all of the pillars, so there will be no tick-box exercise to complete this. The work will be detailed and the process long.
Work on this aspect of DORA should therefore start now.
The other key area the Digital Operational Resilience Act (DORA) will impact is reporting.
Organisations will need to be able to report quickly and succinctly, and continuously monitor their environment. If current processes are manual and it’s a case of trawling through huge sets of data, then it will become even more complicated with the Digital Operational Resilience Act.
Financial institutions will need to continuously monitor and report quickly and efficiently, and if those processes are not in place now then work should begin immediately to get them established. In fact, in several articles DORA requires continual monitoring of your business ecosystem in order to ensure compliance:
- Article 6: ICT Risk Management Framework
- Article 7: ICT Systems, Protocols, and Tools
- Article 10: ICT Business Continuity Policy
- Article 14: Incident Management
- Article 16: Digital Operational Resilience Testing
- Article 19: ICT Third-Party Risk Management
So, to summarise: how can organisations mitigate the impacts of DORA now?
- Start to gather a working committee as soon as possible, identifying key members of the business that will need to be involved.
- Start a gap analysis and identify the key areas that need focus.
- Create a plan of how the work will be completed in time for January 2025.
Remember the Digital Operational Resilience Act is a regulation, not a framework.
You may currently be lacking in concrete information, but the steps above will be familiar to you. DORA is a regulation, which means it is law. Regardless of the fact that you only have draft information at the moment, you can begin the work and understand what steps you can start to take with regards to third parties and reporting.
Do not hesitate on these areas as there are only 5 months left to comply and, as more information is released, you can build it into your processes to hit the January deadline.
Don’t leave it to a last-minute scramble – DORA is far too big to embrace with very little time left.