To start the session Bradley Rice, a financial regulation specialist, set the scene by reminding the audience of some key facts about DORA. Although it is an EU regulation, it is a part of the G20 commitment to improve the resilience of financial services and financial markets. Governments are in effect attempting to ensure that financial services, which have rapidly digitized over the last two decades, can effectively withstand and recover from stress events such as cyberattacks.
He also explained that DORA applies to all European regulated entities, including banks, insurers, fund managers, asset managers and even the new crypto asset service providers under MiCA. In effect, anybody in financial services regulated in Europe is potentially in scope of this new regulation. This potentially includes parent companies if you are a European office that is part of a group and are dependent on a UK, US or Asian parent, because of subcontracting arrangements for the provision of ICT services.
Rice pointed out that while many financial entities are likely thinking that they will not be affected by DORA, this is not the case because the actual operational resilience focus is part of a global movement that spans the UK, US, Australia and also countries in Asia and the Middle East. He advised those responsible for resilience and business continuity planning to focus on the alignment between countries in terms of a regulatory objective and to begin planning ahead even if they are not caught in the net of DORA obligations.
The go-live date for DORA is January 17, 2025. And while there has been some industry push-back asking regulators for a ‘soft landing’ or an extension to this date, it is unlikely at this point that this date will change. According to Rice any entities in scope of this new regulation should be in the depths of their implementation plans now.
Rice emphasized that although the looming DORA compliance may seem daunting, very few firms will be starting their implementation process from scratch.
Many firms based in the UK and Europe have already implemented the EU Bank Recovery and Resolution Directive (BRRD) and have done lots of business resilience and disaster recovery planning. Rice emphasized that although the looming DORA compliance may seem daunting, very few firms will be starting their implementation process from scratch.
However, those regimes are simply a baseline and it is imperative to go back to the basics and map out your critical functions and risk management processes. DORA represents an opportunity to review your entire operation from the perspective of resilience planning and bring together information security, data, operations, HR, compliance, legal and other functions that are responsible for aspects of this within a single coherent risk management framework.
The key outcome to focus on is a sort of ‘marriage of disciplines’ that will permit an organization to continue to provide its services without a detrimental impact on clients, customers or financial performance, or the stability of financial markets.
Outsourcing and sub-contracting
If you have determined that you have subcontracted a material part of your service it is necessary to look at those contractors. And if those contractors have subcontracted a material part of their own service it is necessary to look beyond as well. In some instances that will involve looking at the entire subcontracting chain, which means looking at the second, third, fourth line of subcontract depending on how significant the outsourcing arrangements are to the resilience of the function in question.
Invariably you may often end up with a big cloud service provider and there, according to Rice, you might face the problem of trying to push down your contractual requirements onto a vendor that backs out to AWS or Microsoft. In an instance where they are unable to obtain a financial services addendum the question becomes what other information can you get to give you comfort as part of your due diligence and on-boarding of that vendor.
Rice pointed out that some major unresolved issues remain around audit and access rights, penetration testing, etc. The major cloud providers have been attempting to educate the regulators about why these may pose both practical alongside compliance issues for firms as well as the providers themselves.
Firms should not rely on the principle of proportionality as a sort of ‘get out of jail free’ card.
According to Rice, the AMF in France has declared that operational resilience is one of its regulatory priorities. He also said that the CBI (Central Bank of Ireland) and BaFIN in Germany have been signalling their commitment to this as has the FCA. He suggested that it remains to be seen how quickly this will translate into actual regulatory action however. He suggested that DORA on-boarding may well end-up resembling that of MiFID II, which means that you may not need to be perfectly compliant from day one, but that you must be able to demonstrate to the regulator both your implementation plan as well as the progress made on this.
In this context he emphasized that, irrespective of where they are located, firms should not rely on the principle of proportionality as a sort of ‘get out of jail free’ card. The key is following a risk-based approach and looking at DORA implementation in accordance with firm size, its risk profile, its business, the market it is operating in as well as the type of clients it serves.
He suggested again that while the implementation work may seem daunting at first many of the firms will already have many of the necessary policies and procedures in place in different parts of the organization. He cited business continuity plans, disaster recovery plans, IT security plans, data privacy policies as ideal examples and said that a pragmatic approach would be to simply draw these policies together and add to them as necessary.
Vendor management
The final part of the session focused on the best way of approaching the implementation planning work for DORA third-party management and the things that can be done now.
Rice quickly laid out a pragmatic way of approaching this:
- Identify your vendors
- Place these into risk buckets:
- Which of the vendors support a critical function?
- How critical is that critical function?
- How important is that vendor to that critical function?
If the vendor is not supporting a critical function than it is probably OK to deal with the relationship by way of a simple overlay agreement.
Put the big cloud vendors such as Amazon, Google, Bloomberg to one side because you are not going to be able to impose any of your contractual terms on them and they will have their own standard terms anyway because the big-tech business model is always one-to-many.
Classify the remaining vendors as high, medium and low impact or some similar categorization system. Then assess the negotiation positions and your relationship with the vendors and decide where to try to impose your terms, where to start to negotiate.
The session ended with some quick-fire ‘yes’ or ‘no’ questions aimed at Rice that really entertained the audience:
- Will the DORA compliance deadline change? – No
- Will it make a difference to financial institution resilience in the EU? – Yes
- Is DORA like GDPR – a global trend-setter? – Yes
- Will we see a UK DORA equivalent soon? – Yes – Already got it!