Think about your outsourcing and ask yourself how many of your ICT service providers have access to some of your sensitive data.
The Scope of the Digital Operational Resilience Act (DORA) & its Impact on Third-Party Providers
Whether we are talking about where your servers are hosted, or your hardware providers, whether they provide software-as-a-service or hardware-as-a-service, the introduction of the Digital Operational Resilience Act by 2025 will mean that these will be subjected to far more scrutiny. Even electronic communications services are covered, so the remit is indeed quite wide. The EU is working hard to ensure that financial institutions follow rules to ensure operational resilience, but to really protect all the stakeholders, this needs to be extended to their suppliers. Failure to do so would leave far too many potential loopholes that could be exploited by cybercriminals to launch attacks. Imagine taking all precautions within your organisation – only for your data to be accessed via your third-party supplier’s infrastructure…
Key Measures for Financial Institutions and Their Suppliers
The first step for licensed entities is to conduct and document internal assessments, ensuring that there is a strategy in place for the risk associated with any third-party ICT provider, as well as due diligence checks on their suitability. This means ensuring that they have back-up and recovery plans, what policies they have in place on information security, what policies they have in place on privacy and many other things. In short, you're going to be asking the vendor a few questions. Another measure introduced by the Act deals with contracts or agreements with third parties. The full contract – including the service level agreements – must be on a single document, either as a paper document or one in a durable format – very important in these days of ‘smart’ digital documents. This is particularly important as a licensed entity may be receiving multiple services from one provider.
Compliance Challenges and Implications of DORA
There are also specific aspects which must be included in contracts or agreements. Most entities would have confidentiality clauses, but the new requirements go well beyond these and include everything from audit and termination rights to service levels. DORA specifies two categories of third-party that need to be covered: in addition to the standard ones, there are some suppliers that are considered to be critical for financial service providers. The entities that fall into this category will be identified by the EU’s supervisory authorities, such as the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority. This will be done according to certain criteria, such as the number of financial service customers and their importance. So you will need to check this list to see whether any of your suppliers fall into this category.
All this does not land in a vacuum: local entities already had fairly stringent guidance from the Malta Financial Service Authority on the use of ICT providers, based on regulations issued by the European Banking Authority. This means that there is already considerable awareness out there about the need for vigilance, making the new measures under DORA that much easier to absorb. However, there are still a number of issues to be clarified over the coming two years through the publication of technical standards.
While DORA is aimed at entities in the EU, companies will need to look at their providers based in other jurisdictions. They may already have headaches resolving the data protection issues involved, say with having data stored on the Cloud via a server in a non-EU country, but they will now need to think about the implications under this new Act. These can be complex: who will have the right to your data should regulatory issues occur? You may need to replicate your data to a server within the EU, for example, a solution which is increasingly being put into force for virtual financial assets. All this sounds like quite a burden for the third-party providers, but the reality is that successful engagements with licensed entities become a ‘badge of honour’ for them when approaching new clients, and ensuring that they have all the right internal processes – from controls to risk frameworks – in place is a one-time exercise that will surely pay off in the long run. Bear in mind that BDO will not only be able to help its clients navigate through the requirements, but it too will have to abide by all these rules and show that it does.
How can BDO help?
At BDO Malta, we understand the complexities and challenges of achieving DORA compliance and ensuring operational resilience. Our team of experienced professionals specialises in providing tailored solutions to financial institutions and suppliers, helping them navigate through the requirements of the Digital Operational Resilience Act. We offer comprehensive guidance and support in conducting internal assessments, performing gap analyses, and developing robust risk management strategies. With our expertise in financial services regulations and compliance, we can assist you in meeting the stringent standards set by DORA and safeguarding your organisation from potential risks. Trust BDO Malta to be your reliable partner in achieving DORA compliance and enhancing your operational resilience.
