One of the most talked about topics currently in legal, financial services and cyber security circles is the implementation of DORA, or to give it its formal name the Digital Operational Resilience Act, together with the directive Amending Certain Directives as Regards Digital Operational Resilience for the Financial Sector (the Amending Directive). DORA entered into force on 16 January 2023 and applies from 16 January 2025. It has caused a lot of concern in the financial services and cyber security community, but is it as worrying as it first seems?
What is Operational Resilience?
Operational resilience is the ability of firms and the financial sector to prevent, adapt, respond to, recover from, and learn from operational disruptions. It goes beyond business continuity and disaster recovery and is a strategic priority for regulators across the globe.
Whilst DORA is an EU measure, operational resilience is on the agenda for UK financial firms too. Operational resilience requirements in the UK came into effect on 31 March 2022 – there’s a bit more on the UK regime below.
What is DORA?
On 24 September 2020 the European Commission published proposals for DORA. These proposals were part of the Commission’s digital finance package.
DORA is designed to consolidate and upgrade Information and Communication Technology (ICT) risk requirements throughout the EU financial services sector, to ensure that a very wide range of participants in the financial system are subject to a common set of standards to mitigate ICT risks. This includes cyber security risks. Given its concentration on supply chain resilience, however, it will have an impact much wider than financial services.
Specifically, DORA establishes requirements for:
- dedicated ICT risk management capabilities
- reporting of major ICT-related incidents
- digital operational resilience testing
- management by financial entities of ICT third-party risk
- information sharing among financial entities
In addition, as we have said, DORA extends its reach beyond the financial services sector and introduces an EU oversight framework for critical ICT providers such as cloud service providers.
What are the Key Dates?
- 27 December 2022: DORA and the Amending Directive were published in the Official Journal of the EU.
- 16 January 2023: DORA and the Amending Directive entered into force.
- 16 January 2025: DORA applies. Member States are required to transpose the Amending Directive into national law by the same date.
What is Digital Operational Resilience?
In DORA, ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.
Which Financial Services Firms does DORA apply to?
DORA applies to ‘financial entities’. There is a wide definition of financial entities in DORA, which includes:
- credit institutions
- payment institutions
- account information service providers
- electronic money institutions
- investment firms
- central securities depositories (CSDs)
- central counterparties (CCPs)
- trading venues
- managers of alternative investment funds
- management companies
- data reporting service providers
- insurance and reinsurance undertakings
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- institutions for occupational retirement provision
- credit rating agencies
- crowdfunding service providers, and
- securitisation repositories
There are some financial providers who are excluded from the scope of DORA including some managers of alternative investment funds and some insurers and reinsurers. EU Member States can also exclude other entities from the scope of DORA.
What are Critical ICT Service Providers?
ICT service providers may be designated as ‘critical’ for the purposes of DORA on the basis of a set of quantitative and qualitative criteria – there are more details below.
What is Risk Management?
Internal Governance and Control
Financial entities are required to have in place, under the ultimate responsibility of their management bodies, a comprehensive internal governance and control framework that ensures an effective and prudent management of ICT risk and achieves a high level of digital operational resilience.
Members of the management body are required to actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on operations of the financial entity, commensurate to the ICT risk being managed.
This is likely to require increased involvement of people with ICT risk knowledge on the board and in senior management. DORA and equivalent legislation elsewhere have already driven a significant recruitment drive as a result. For example, according to an EY survey in August 2023, 61% of US public companies are looking for cyber security skills for their board.
ICT Risk Management Framework
There must be a sound, comprehensive and well-documented ICT risk management framework which enables financial entities to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience and minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools.
There should be appropriate segregation and independence of ICT risk management functions, control functions, and internal audit functions, according to the three lines of defence model, or an internal risk management and control model.
The ICT risk management framework must be documented and reviewed at least once a year (with limited exceptions). In addition, the framework should be reviewed following every major ICT-related incident, and following supervisory instructions or conclusions derived from relevant digital operational resilience testing or audit processes. The framework must be continuously improved on the basis of lessons learned from implementation and monitoring. Among other things, the framework must include the risk tolerance level for ICT risk and the impact tolerance for ICT-related events, and outline a communications strategy for ICT-related incidents.
ICT Systems, Protocols and Tools
ICT systems, protocols and tools must be appropriate to the level of operations being carried on, reliable, equipped with sufficient data processing capacity, and technologically resilient so as to adequately deal with additional information processing needs under stressed market conditions or other adverse situations.
Identification and Mapping
Financial entities are required to identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk. They must, on a continuous basis, identify all sources of ICT risk and, at least yearly, review the risk scenarios impacting them.
Financial entities must identify all information assets and ICT assets, including those on remote sites, network resources and hardware equipment, and map those considered critical. In addition, they must identify and document all processes that are dependent on ICT third-party service providers, and identify interconnections with ICT third-party service providers.
Whilst this is not the same process as compiling a record of processing activity (RoPA) under GDPR, financial entities who have already done a RoPA might find that a useful place to start.
Protection and Prevention
Financial entities are required to continuously monitor and control the security and functioning of ICT systems and tools and deploy appropriate ICT security tools, policies and procedures with the aim of ensuring the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and maintaining high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit. This includes implementing policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establishing to that end a set of policies, procedures and controls that address access rights and ensure sound administration of those rights.
Again, those organisations that have made efforts to ensure GDPR compliance will be in good shape. They should be able to adapt the policies and procedures they already have in place to deal with data breaches under GDPR.
Financial entities are required to have mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure. This is likely to be a series of technical and organisational measures. Detection software will be part of this but software alone won’t solve the problem. Organisations will need to provide the resources to act on alerts, triage the appropriate response and deal with any issues quickly.
Response and Recovery
Financial entities must put in place and implement a comprehensive ICT business continuity policy, and associated ICT response and recovery plans and ICT business continuity plans.
As part of the overall business continuity policy, financial entities must conduct a detailed business impact analysis (BIA) of their exposures to severe business disruptions, taking into account the criticality of identified and mapped business functions, support processes, third-party dependencies and information assets, and their interdependencies. ICT assets and ICT services must be designed and used in full alignment with the BIA, in particular with regard to adequately ensuring the redundancy of all critical components.
Financial entities are required to test their ICT business continuity plans and the ICT response and recovery plans in relation to ICT systems supporting all functions at least yearly. Rehearsing an incident, for example by conducting a Cordery Data Breach Academy (see https://www.corderycompliance.com/cordery-data-breach-academy-2-2-2/) might help meet these DORA obligations.
Financial entities (again with some exceptions) must have a crisis management plan, and there will need to be clear procedures to manage crisis communications. Again, those organisations who have a data breach plan in place to meet their GDPR requirements are likely to be able to adapt that plan to meet their DORA obligations.
Backup Policies and Procedures, Restoration and Recovery Procedures and Methods
Financial entities are required to develop and document backup policies and procedures specifying the scope of the data that is subject to the backup and the minimum frequency of the backup, based on the criticality of information or the confidentiality level of the data, and restoration and recovery procedures and methods.
Financial entities, other than microenterprises, must maintain redundant ICT capacities equipped with resources, capabilities and functions that are adequate to ensure business needs.
We have seen that many ransomware attacks target backup systems too, so organisations will need to check that their backup systems are robust and properly defended. Organisations will also need to make sure that they can quickly restore from backup.
Learning and Evolving
A recent trend has been the obligation on financial services providers to do horizon scanning to look at the threats that they face. A particularly good example has been the Bank of England’s CBEST program, which has been in place since 2014 (see https://bit.ly/3EpPbAV). Under DORA, financial entities must gather information on vulnerabilities and cyber threats and analyse the impact they might have on their digital operational resilience. If there is an incident, financial entities will have to conduct a post-mortem to identify the lessons learned. They will also have to develop security awareness programs and digital operational resilience training. Once again, having a good GDPR program in place is likely to help here.
Financial entities must establish crisis communication plans enabling a responsible disclosure of major ICT-related incidents or vulnerabilities to clients and counterparts and the public, and communication policies for internal staff and for external stakeholders.
Again, this will require careful thought. Often a knee-jerk reaction from communications people unfamiliar with this space is to blame any incident on a nation state. This might be untrue (or at least hard to prove) and could invalidate an organisation’s insurance coverage (see https://www.corderycompliance.com/lloyds-cyber-insurance1/).
Reporting of major ICT-related Incidents and Voluntary Notification of Significant Cyber Threats
DORA provides for:
- reporting of major ICT-related incidents to competent authorities
- optional notification of significant cyber threats to competent authorities when the threat is deemed to be of relevance to the financial system
- sharing of information to clients without undue delay following a major ICT-related incident which has an impact on the financial interests of clients
- sharing information to clients that are potentially affected by a significant cyber threat on any appropriate protection measures which clients may consider taking, and
- sharing of information by competent authorities with ESMA, EBA, EIOPA, the ECB and other authorities
The reporting and notification requirements also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.
Digital Operational Resilience Testing
DORA specifies the assessments, tests, methodologies, practices and tools to be applied in digital operational resilience testing, including advanced testing of ICT tools, systems and processes based on TLPT (threat-led penetration testing which mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat).
ICT Third-Party Risk Management
Financial entities that have in place contractual arrangements for the use of ICT services to run their business operations remain fully responsible for compliance with, and the discharge of, all obligations under DORA and applicable financial services law. DORA specifies the minimum provisions that must be included.
Financial entities must adopt and regularly review a strategy on ICT third-party risk which includes a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers. They must also maintain a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.
A financial entity’s pre-contractual risk assessment must include an assessment of ICT concentration risk.
Exit strategies must be put in place for ICT services supporting critical or important functions, taking into account risks that may emerge at the level of ICT third-party service providers. It must be possible to exit contractual arrangements without disruption to business activities, without limiting compliance with regulatory requirements, and without detriment to the continuity and quality of services provided to clients.
Again, this is a difficult area. We have had a number of recent incidents where ICT third-party service providers have experienced difficulties which have had effects across the system. For example, in the UK in 2023, Capita suffered an incident which was likely caused by a ransomware gang and included the exfiltration of data from its servers. Complaints were made by some customers that they were struggling to get information from Capita, and regulators became concerned.
On 12 May 2023, the UK Pensions Regulator issued a statement on the incident reminding pension trustees of their responsibilities to secure members’ data. Trustees were told to continue communications with Capita and to be prepared to answer questions from pension fund members. They were also reminded of the need to possibly notify the Pensions Regulator and the Information Commissioner’s Office. The Pensions Regulator also did not rule out the possibility of further investigations saying “We may engage with you further to understand the steps you have taken and what progress you have made”.
There is a formula in DORA for working out which supervisory authority will be the Lead Overseer in each case. The Lead Overseer for each critical ICT service provider shall be the European Supervisory Authority (ESA) that is responsible for the financial entities having together the largest share of total assets out of the value of total assets of all financial entities using the services of the critical ICT service provider.
The Lead Overseer is required to assess whether the critical ICT service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities, focusing mainly on ICT services supporting the critical or important functions of financial entities, and then to adopt an oversight plan.
The Lead Overseer has power to:
- request all relevant information and documentation
- conduct general investigations and inspections
- make recommendations, and
- request reports specifying the actions that have been taken or the remedies that have been implemented by the critical ICT service providers in relation to the Lead Overseer’s recommendations
National competent authorities (NCAs) are required to inform the relevant financial entities of the risks identified in the Lead Overseer’s recommendations, and financial entities are required to take these risks into account when managing ICT third-party risk.
Will Financial Entities Within the scope of DORA also be Subject to the Requirements of the Proposed EU Cyber Resilience Act?
Possibly. On 15 September 2022, the European Commission published a proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements (the Cyber Resilience Act or CRA). This proposal aims at ensuring a high level of cybersecurity of hardware and software that is placed on the EU market, as well as setting cybersecurity conditions for users when using the products. The primary targets of the CRA are manufacturers (including developers) that are placing on the market products with digital elements whose intended or reasonably foreseeable use includes a connection to a device or network. These products are defined rather broadly and include both hardware and software products. In principle, products with digital elements placed on the market by financial services firms would be included. We have written about the EU Cyber Resilience Act here: https://www.corderycompliance.com/eu-cra-0923-03/.
What are the UK Operational Resilience Requirements?
It is important to remember that whilst DORA does not apply to the UK financial services sector (save for those UK entities that are also subject to the EU regime), operational resilience is a key priority for UK regulators too. In many respects the UK regime is similar with the following key elements:
- identify ‘important business services’ (defined differently in the FCA and PRA rules) that could cause ‘intolerable harm’ if disrupted
- set an impact tolerance for ‘severe but plausible’ disruptions to each important business service
- carry out a mapping exercise (of people, technology, resources and systems), appropriate to the size, scale and complexity of the firm’s business model
- carry out scenario testing, i.e. whether the firm can stay within its impact tolerances for each important business service in the event of a severe but plausible disruption to operations
- consider lessons learnt from testing or after an operational disruption
- develop a strategy for internal and external communications to reduce the anticipated harm caused by operational disruptions
- undertake self-assessments, which are approved and regularly reviewed by the board
When did the UK Rules Start to Apply?
- The core FCA and PRA operational resilience rules came into force on 31 March 2022.
- A three-year transition period applies from 31 March 2022 to 31 March 2025 for firms to comply with rules requiring them to remain within impact tolerances for each important business service, including developing more sophisticated mapping processes and testing.
- The new regime applies in full from 31 March 2025.
Are there any examples of UK activity to date?
Yes. For example, there was an FCA and PRA fine for TSB in December 2022 of £48.65m. This related to operational risk management and governance failures, including management of outsourcing risks relating to the bank’s IT upgrade program. Technical failures in TSB’s IT systems resulted in customers being unable to access banking services. TSB also paid £32.7m in redress to customers. It received a 30% discount for agreeing a resolution; otherwise this would have been a £69.6m penalty. TSB’s CIO Carlos Abarca was also fined personally (see https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/regulatory-action/final-notice-from-pra-to-former-tsb-bank-plc-cio.pdf).
Financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them adequately to comply with the applicable operational resilience requirements.
Clearly, any organisation that is in the DORA regime, or provides services to it, will need to consider what it can do to meet its responsibilities under DORA. Whilst existing risk management and GDPR systems and processes can help, this is likely to be a significant project for most and will include:
- A gap analysis to focus on the work that needs to be done
- Training on operational resilience
- Making sure that processes and procedures are in place to do horizon scanning and to respond promptly to incidents
- Looking at the board and senior management team’s skills and expertise – in many cases recruitment will be necessary to plug gaps
- For financial services organisations: working out key dependencies, mapping devices and storage locations etc. and ensuring that compliant contracts are in place with all third-party providers
- For third-party providers: working out which key clients are likely to be in the DORA regime and anticipating the assistance they will need to comply
- Robust testing of your new processes and the measures you have put in place
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365