![](https://australiancybersecuritymagazine.com.au/wp-content/uploads/2025/02/Digital-Operational-Resilience-Act.jpg)
By David Gee, Board Risk Advisor, Non-Executive Director & Author
First, what is DORA? It is the Digital Operational Resilience Act, a European Union regulation that aims to strengthen the financial sector’s IT security. This legislation is now live and operational in the European Union. The purpose of the Act is to provide guidelines for managing operational risk in financial institutions.
Why is this necessary?
Simply put, the prior approach was a ‘blunt instrument’ that required companies to allocate capital to cover potential losses. The new requirements apply from 17th January 2025, and it would be my assessment that, as with GDPR, non-compliance is the rule rather than the exception.
What will be particularly onerous is the focus on third-party security, and we must be wary that this sets the tone for our own APRA CPS230 to take note and duplicate many of these new requirements. Indeed, I expect this to become the standard across all industries.
DORA includes a comprehensive and specific set of requirements for managing risks associated with third-party tech service providers deemed “critical” to financial entities.
In contrast, CPS230 is more principles-based and less prescriptive. My sense is that over time these two will become more similar than different.
What does DORA consider critical?
The criticality assessment considers the specific risks posed by each third-party provider to the financial entities it serves. This assessment also includes broader factors such as concentration risk – the number of financial entities the provider serves, the systemic importance of those entities and the potential impact of a disruption on the financial system.
Hence this is going to be a significant list of providers in scope, including:
1. Cloud Service Infrastructure – IaaS, PaaS and SaaS Providers
2. Data Centre Providers
3. Network and Telecommunications Providers
4. Cybersecurity Providers
5. Core Banking & Payment Processing Providers
6. Financial Data Providers
The Third-party challenge
DORA has specific requirements that will be a challenge for anyone to fulfil; the hardest will include:
a) Enhanced due diligence and monitoring
“Each entity must conduct thorough due diligence on potential third-party providers, assessing their financial stability, cybersecurity posture, operational resilience, and risk management frameworks”. Sounds the same as usual, right? No: DORA then stipulates that entities must continuously monitor the performance of, and the risks associated with, these providers, including regular assessments and audits.
b) Contractual requirements
“Contracts must address exit strategies and ensure smooth transitions in case of termination or service disruption”
You will be required to ensure that you run scenarios to test the exit strategies and regularly assess alternative providers to avoid reliance on your current ones.
c) Resilience testing and business continuity
“DORA requires third-party providers to implement and regularly test their business continuity and disaster recovery plans to ensure they can maintain essential services during disruptions”
While this is a great idea, it means that third-party suppliers will need to conduct advanced red team resilience testing, such as threat-led penetration testing, to identify and address vulnerabilities.
DORA the Explorer
In summary, while DORA’s objective is admirable, it will take some time to implement effectively. At the same time, the transition plan for APRA CPS230 is more gradual and is expected to be introduced more slowly.
I believe the truth will be somewhat in the middle.
Those not in financial services should not be thinking “phew”, this does not apply to us. We should expect these requirements to spread further geographically and to other sectors. The simple focus on digital operational resilience and its comprehensive framework could serve as a model for other sectors.
Besides, we must recognise that all sectors are interconnected; any silo thinking is self-deception, as cyber threat actors pay no attention to such artificial constructs.
About the Author
David J. Gee has 20-plus years’ experience as a CIO and CISO. He joined Macquarie Group in early 2021 as Global Head Technology, Cyber and Data Risk. David was responsible for protecting Macquarie Group using his significant expertise in technology and cybersecurity. He has served as CISO for HSBC Asia Pacific, based in Hong Kong and responsible for the most critical and profitable countries for this large investment bank. David drove the cybersecurity transformation maturity uplift and led all aspects of cyber for HSBC in these 19 countries. Prior to HSBC, David had extensive transformational CIO experience across numerous significant roles.