The ORX Cyber team recently hosted a virtual session on the Digital Operational Resilience Act (DORA), looking at how it is being implemented and how financial organisations can prepare for it.
Three representatives from Oliver Wyman gave a presentation on DORA in the first half of the session, before taking questions from the event participants.
The ORX Cyber team were pleased to be joined by:
- Thomas Ivell, Partner, Financial Services practice, European non-financial risk team head
- Mark James, Partner, EMEA Finance and Risk Digital Practice co-head
- Dean Faulkner, Partner, Architecture & Engineering Capability head
More than 50 operational risk professionals from firms that are ORX members or subscribe to ORX Cyber attended the discussion to learn about the practical impacts of DORA.
Watch the recording of the session to learn more about DORA, why it's being introduced and how it's being implemented. The session also explored some of the associated challenges and what firms can do to prepare for DORA. ORX members and ORX Cyber subscribers can also read a full summary of the session.
Summary of the presentation by Oliver Wyman
Why is DORA being introduced?
- To acknowledge and address ongoing challenges associated with complex, fragmented digital ecosystems, often stemming from rapid digitalisation.
- There is a recognised need for institutions to break away from organising and viewing risks and control activities primarily in silos.
- A lack of comprehensive management information can mean board members and senior managers may have insufficient awareness of relevant risk exposures.
- There is a sophisticated landscape of threat actors carrying out cyber attacks, against which financial institutions and the wider industry must prepare and protect themselves.
- Existing EU regulation on resilience has been fragmented and requires an overarching framework.
Who does DORA apply to?
- A wide range of financial entities regulated at an EU level. This extends beyond banks and insurers, e.g. to also include crypto-asset service providers and fintechs.
- Requirements will be proportionally scaled depending on factors such as the institution’s size and role in markets as well as cyber exposures.
When will DORA come into effect?
- The regulation was fully adopted by the European Council and European Parliament in November 2022.
- It is now being transposed into national laws by each EU member state.
- It is expected to become fully applicable in 2025.
How will DORA be enforced?
- A set of Level 2 technical standards will be issued by the European Supervisory Authorities.
- Compliance oversight and enforcement will be carried out by national authorities.
In what way is DORA similar to other regulation?
To drive digital resilience, DORA and other resilience regulation seek to drive forward the following common activities and principles:
Senior engagement
- A greater level of understanding of the material risk landscape and what is being done to manage risks and drive resilience
- Involvement in setting the resilience strategy and agenda
An end-to-end approach
- Defining critical services/operations
- Mapping risks across end-to-end service delivery to facilitate increased visibility of risk exposures, vulnerabilities and dependencies
Resilience testing
- Crisis simulation and testing
- To facilitate learning and continuous improvements/mitigation
Prioritisation and focus
- Recognising that not everything can be addressed at once
- Understanding business processes and prioritising what is most critical
How is DORA different to other regulation?
- While the scope covered varies across all regulations, DORA looks primarily at digital risks whereas many other pieces of regulation extend beyond digital risks.
- DORA sets a relatively high bar when it comes to digital resilience testing compared to most other regulations published to date, requiring full-scale sophisticated simulation and elements of exit management testing.
What are the five pillars of DORA?
Pillar 1: ICT risk management and governance
- In addition to defining, approving and overseeing the implementation of the framework, senior management is also accountable for it.
- The regulation does not set out prescriptive detail on how this should be approached.
Pillar 2: Incident reporting
- An incident management process must be in place to support the detection, management and notification of incidents.
- Early warning indicators should be put in place so that the types of risk building up across the organisation can be detected in a holistic way.
- Financial institutions must have the capability to notify relevant internal and external stakeholders (e.g. regulators) when a material incident occurs.
Pillar 3: Digital operational resilience testing
- Financial institutions should conduct regular testing of tools and systems, and that testing should be robust, extending beyond paper or desk-based exercises.
- Testing should provide assurance of the business's capability to manage digital risks.
Pillar 4: ICT third-party risk
- Financial institutions must be aware of third-party ICT risks and manage them within their own ICT risk management framework.
- This is the most detailed and prescriptive of the pillars. Among areas covered are requirements for specific third-party contractual provisions and concentration risk management principles.
Pillar 5: Information sharing
- Financial institutions should exchange cyber threat information and intelligence to support a collaborative effort to make the wider ecosystem safer.
- This could be done by market players coming together to establish organised collaboration centres with formal protocols for exchanging intelligence and coordinating cyber defence strategies. (This is already taking place to some extent in some European countries, e.g. the UK and Austria.)
What challenges have been identified so far?
Some of the challenges encountered so far include:
- Developing an enterprise-wide approach to operational/digital resilience that aligns with all relevant regulation:
  - For multinationals, approaches (e.g. to ICT risk management) may be particularly fragmented.
- Failure to comprehensively identify and understand end-to-end critical operations.
- Data aggregation challenges:
  - Inconsistent treatment/consideration of reporting thresholds and reporting.
  - Absence of central data lakes or repositories.
- Shifting from an ad hoc to a risk-based approach to testing.
- Scaling up testing in line with requirements.
- Failure to articulate and embed a robust ICT third-party risk management strategy across the organisation.
- Inadequate tooling/capabilities to facilitate information sharing outside the organisation.
What can financial institutions do today to prepare for DORA?
- Engage senior management to set an overarching digital resilience strategy and assign accountabilities.
- Make digital resilience part of the Board agenda.
- Build an enterprise-wide list of critical business services, map them end to end and assess relevant controls.
- Articulate an enterprise third-party resilience strategy and review existing contracts using a risk-based approach.
- Identify and track early warning indicators.
- Standardise incident reporting and establish a process for capturing lessons learned.
- Enhance the existing testing framework by incorporating more sophisticated approaches, and link it to ICT risk tolerance thresholds.