EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Recent Searches
EY consultants met with Leaders from the Swedish Bankers’ Association and Insurance Sweden to discuss potential challenges with the Digital Operational Resilience Act (DORA).
In brief:
- DORA brings new opportunities and challenges to financial services entities that will require them to dedicate significant effort to reach compliance.
- The new requirements will impact various levels of digital operational resilience ranging from third-party risk management to incident response.
- Financial services organizations must understand their own business and grasp regulatory requirements for an effective implementation of DORA.
The Digital Operational Resilience Act (DORA) aims to increase security for European citizens and businesses by establishing a common resilience framework to help financial services entities avoid, manage and bounce back from disruption. Although financial services organizations are largely up to speed about DORA and its impact on them, some parts of the regulation are more challenging and require extra thought.
To address the opportunities and challenges surrounding the new directive, EY met with Magnus Jacobson from the Swedish Bankers’ Association and Pär Karlsson from Insurance Sweden. This article explores different facets of DORA and presents some key insights from the discussion.
The need for a common framework for digital operational resilience
Digitalization of financial services has simplified life and made day-to-day services available around the clock. This is specifically true for the Nordic region, where society tends to quickly adapt to digital alternatives. Financial digital solutions, such as digital wallets, online banking and online insurance claims, are services that we expect to be always available to us. But what happens when parts of the critical infrastructure behind these digital services are disrupted?
Disruptions to such services that we’re so dependent on have the potential to affect businesses and society at large. Cyber risk has in other words transitioned from an operational risk to a systemic risk within financial services. This is one of the reasons why risk management has been on top of the agenda for financial services organizations for quite some time. However, a common framework for digital operational resilience was lacking. This was the biggest motivating factor behind the introduction of DORA.
Regulation as a solution
European regulators are moving ahead to secure the ability of the financial services sector to meet availability expectations and demand further harmonization and consolidation of Information and Communications Technology (ICT) risk management.
DORA entered into force across Europe in January 2023 as a common resilience framework for the European financial services market. DORA consist of five main pillars; 1. ICT Risk Management, 2. Incident Reporting, 3. Operational Resilience Testing, 4. ICT Third-party Risk and last but not least 5. Information sharing. These 5 pillars will collectively ensure that the framework support financial entities to achieve the potential of digital finance and standardize how risk is mitigated.
This is nothing new in principle, but specific requirements of the regulation show that there are challenges ahead. The management of third-party digital service providers and contracts for digital services and IT infrastructure are some of the first subjects to be addressed for all regulated entities.
DORA might not be the answer to all our questions, but it will most definitely help mitigate cyber threats and reduce the risk of business disruption within the financial sector.
Renewed focus on third parties
Financial entities have become increasingly reliant on ICT third-party providers to support their operations due to the complex and broad spectrum of digital services run by them today. Typically, financial entities are dependent on several digital service providers which further complicates the ability to control the infrastructure surrounding their critical information. This complex setup also leads to difficulty in understanding, structuring and managing critical risk — specifically third-party risk.
DORA requires risks arising through ICT third-party providers to be identified, monitored, assessed and documented. All vendor contracts will need to include criteria, as the regulative text will become further specified in the Regulatory Technical Standard (RTS) that is being developed.
Magnus Jacobson and Pär Karlsson have a unique overview of the challenges, trends, risks and opportunities within the financial sector. They both agree on the assumption that organizations within the Nordic banking sector and the Nordic insurance sector will face challenges when implementing DORA’s requirements on critical third-party digital service providers.
Gaining access to relevant information about risks associated with any third-party service providers is a challenge in itself and will require added effort from the insurance sector in the coming years.
Does this mean more work for digital service providers?
Financial entities tend to regard providers of digital services as compliant, secure and reliable by default. Until now, the possibility for a financial entity to follow up on all critical systems in its own digital infrastructure has been limited. However, this has changed with the advent of DORA.
- Better collaboration with digital service providers: Digital service providers will now need to work more closely with their financial clients and the national competent authorities than before. Critical third-party ICT providers will now become regulated and even subject to penalties for non-compliance. In addition, they will be included in a Union oversight framework to enhance transparency. Providers of digital services will have to be more open about security, risk and potential hazards. Magnus Jacobson views this as an important step to increase security in the financial system.
- More involvement from the Board: The Board of Directors and Executive Boards will play a crucial role during the implementation of DORA across Europe. Keeping the board level in the loop and getting them up to speed on the subject will become a crucial aspect of efficient implementation. Board members need to quickly grasp and understand all aspects of the regulation to enable effective and necessary dialogue and decision-making around operational resilience within their respective organizations. This will require board competence in digital resilience, according to Magnus Jacobson.
Knowledge within IT has significantly increased, but competence within information security requires further improvement.
Crucial next steps to consider when planning the implementation of DORA
Implementing DORA will require attention from all levels of the organization, and not just from the IT side. Organizational planning and careful calculation on how to meet the various requirements of DORA will be key to any financial entity.
The following are three crucial steps to consider for the successful implementation of DORA:
- Place the responsibility of DORA implementation at the right level in your organization and involve the Board of Directors early.
- Do not delay the process and wait for implementation. Understand your own business and grasp the regulatory requirements.
- Understand, adapt and implement. Leverage assistance from trusted partners as implementing DORA could become quite complex.
Summary
Organizations will have to abide by and be compliant with the new regulation and this will include e.g., maintaining robust third-party risk management as well as ensuring and updating routines for incident reporting. This should not be seen as a tick-in-the-box exercise but rather as an opportunity for all financial entities to improve their security posture.