For years we have been told that banks are essentially technology firms and that we, as an industry, must continually innovate or risk being left behind and replaced by ‘Big Tech’. A lot has changed in recent years due to the huge advances we have made around technology, data and digital, as an industry. However, there is one enduring theme that hasn’t changed: the need for resilience around our Information and Communication Technologies (ICT).
System and platform outages can result in client, customer and end-user dissatisfaction, reputational damage, regulatory issues and financial losses. It is estimated that the costs of these issues run into hundreds of billions of dollars per year, across the industry.
Greater resilience for a digital era
As the wants, needs and demands of our clients have evolved and become more sophisticated, financial services firms are now, more than ever, having to constantly adapt to new, emerging and disruptive technologies and digital solutions. The technological revolution creates great opportunity but also presents increased risks which have to be understood and managed, especially in times of market volatility and stress. Systemic risk across the financial services industry grows as we witness a deepening of dependencies and interconnectedness of ICT risks.
In 2020, as part of a larger package of regulations aimed at improving innovation and competition towards emerging technologies and products such as crypto-assets and distributed ledger technology, the EU started discussing proposals for specific rules around resilience in a digital era.
Digital Operational Resilience Act (DORA)
Following a series of consultations and technical discussions, in late 2022, DORA was published in the Official Journal of the EU as Regulation 2022/2554.
While the technical standards for DORA are still open to consultation, there is a clear line in the sand with a compliance date of 17 January 2025. DORA will apply to financial service entities and service providers operating within the EU, and crucially, the ICT infrastructure that supports them, including residence outside of the EU.
At a high-level, organisations will need to follow strict rules for the “protection, detection, containment, recovery and repair capabilities against ICT-related incidents”.
DORA comprises of five key areas, which are going to require significant focus from firms and their service providers and partners:
Risk Management – DORA will likely represent a huge leap forward for firms in terms of their risk management frameworks, policies, governance, controls and ongoing risk assessments. Internal controls should detect ominous activity promptly so the firm can act swiftly to mitigate or effectively respond. The new regulatory regime will require firms to reassess the adequacy of their crisis communication plans, as it relates to ICT risks and incidents.
Incident Management & Reporting – the logging and actioning of operational risk events can no longer be just a formality and viewed as an administrative task for embedded risk teams. DORA introduces a heightened requirement for the capturing, classification, reporting and response to major ICT incidents. This includes personal data breaches, cyber-attacks and severe outages. Regulators will expect to become better informed of major threats and incidents as reporting requirements amplify.
Digital Operational Resilience Testing – firms will be expected to regularly and proactively detect and mitigate against ICT vulnerabilities and risks through threat-led penetration testing on live production systems. Where issues (either real or potential) are identified across ICT systems, applications and architecture, effective follow-up remediation steps with clear ownership will need to be agreed upon, particularly for those assets which underpin critical or important business services and processes.
ICT Third-Party Risk Management – the majority of financial services firms will have established processes and functions focused on third-party and vendor risk management. However, the DORA requirements will likely represent a seismic shift for many service providers and vendors, many of whom directly support financial services firms and will be captured under the requirements. This will likely necessitate changes to oversight processes, service levels and contractual agreements.
Information & Intelligence Sharing – DORA will encourage greater market collaboration and intelligence sharing. Financial services firms, vendors, service providers and even regulatory authorities may engage, share information and enter into a “trusted community of financial entities” with the aim of strengthening the management of ICT risks. This, of course, should be implemented in a way that ensures data protection regulations are not breached.
Our experience tells us that there are three further key components for all impacted organisations to keep front and centre of their thinking whilst planning their response to DORA:
Technology Lifecycle Management & Obsolescence – firms will need to strike a careful balance between cost, risk, revenue and client service. They will need to continually assess the lifespan of their technology assets, whilst planning for obsolescence and replacing both hardware and software as it reaches end-of-life. All of this must be achieved, whilst ensuring resilience and mitigating vulnerabilities and threats.
Change & Transformation – when introducing new software and hardware, or upgrading their existing stack, firms will need to be more conscious of the introduction of ICT risks and plan for how they intend to manage and mitigate those risks.
Culture & Behaviour – DORA will require a shift in mindsets across all impacted firms which will need to be led from the top. Senior executives and leaders from across organisations, not just their technology teams, will need to have an awareness of their ICT risks and resilience and ensure that the importance of this is propagated appropriately through their teams and functions.
What next?
While 2025 seems far away, the work required to ensure compliance may be substantial for some firms.
Organisations should already have Operational Resilience as a focus point, which has its own 2025 looming deadline and continues to draw focus from the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA). However, although there are similarities, DORA is more than just Operational Resilience by another name.
Firms should already be thinking about their existing internal control frameworks and governance structures, their ICT risk management frameworks, their critical or important ICT outsourced functions and crisis communications and the engagement that will be required from their peers, vendors and service providers.
Furthermore, there is actually an opportunity for organisations to not just view DORA as another mandatory regulatory delivery in a long list of mandatory regulatory deliveries – and instead to view it as an opportunity to review and embed resilience alongside their digital strategy, to drive efficiency and to offer their clients and the broader markets an improved level of service.
Why Davies?
Davies are a financial services consultancy, who specialise in supporting our clients with complex regulatory implementation, remediation and transformation programmes, including key topics such as Operational Resilience, Data & Digital, Investor Protection and Consumer Duty.
We can help firms interpret the DORA requirements, map them internally, benchmark current ICT operational resilience maturity and prioritise their implementation to compliance. We have extensive experience in completing diagnostics and assessments to help our clients truly understand their compliance and operational efficiency, as well as establishing robust governance, testing and helping firms to establish conditions for success.
If you would like to be on the front foot with your DORA implementation in anticipation of the 2025 deadline – or wish to discuss any of the points mentioned in this article – please contact us here.