The Digital Operational Resilience Act (DORA) is the latest legislative effort at European Union level to protect citizens and to address the risks related to the ability of financial institutions to endure, respond to, recover from, and report on the effects of ICT incidents, so that they can continue carrying out crucial tasks with the least possible interruption to consumers and the financial system.
DORA covers financial institutions operating in any EU Member State, typically holders of a licence issued by a supervisory authority such as the Malta Financial Services Authority (MFSA), and their respective third-party ICT service providers, such as cloud platforms, data analytics and software providers, and data centres.
Reliance on ICT, associated risks and reporting requirements
It is common knowledge that the financial industry is becoming more and more reliant on ICT and digital operations. If proof were required, the COVID-19 pandemic demonstrated the importance of digital resilience in the face of new remote working practices and increasing cyber risk.
With DORA, the EU seeks to increase the financial sector's resilience to incidents involving ICT and imposes stringent, prescriptive rules that are uniform among all EU member states. DORA places a strong focus on the frequent reporting, communication and assessments that are required to be submitted under a single, consistent supervisory strategy across the EU.
Main criteria
DORA is broken down into 5 major pillars outlining a governance framework for digital resilience:
1. ICT risk management
- Streamline and upgrade existing rules on ICT governance
- Internal controls and governance structures for ICT risks
- Monitoring of ICT risk management
- Approval and control processes, ICT investments and training
2. ICT-related incident reporting
- Establish a LCM process to monitor and log ICT-related incidents
- Manage ICT risks
- Maintain resilient ICT systems and tools
- Submit initial, intermediate and final reports on ICT-related incidents
3. Digital operational resilience testing
- Test ICT risk management frameworks on a regular basis (SWOT)
- Ensure the prompt implementation of corrective measures
- Testing requirements will be proportionate to a financial entity’s size, business and risk profile
4. ICT third-party risk
- Establish a framework for critical ICT third-party risks
- Review ICT services provided by ICT third-parties
- Control your outsourcing contracts
5. Information sharing
- Financial entities are encouraged to exchange amongst themselves cyber threat information and intelligence through arrangements that protect the potentially sensitive nature of the information shared
Implementation timeframe
Following the signing into law by each EU Member State, the pertinent European Supervisory Authorities (ESAs) will create technical standards that all financial services organisations need to follow. The responsibility for compliance oversight and regulation enforcement will be assumed by the relevant national competent authorities, such as the Malta Financial Services Authority (MFSA).
Financial institutions have one year from DORA’s enactment into law to become compliant in a manner commensurate with their size and business profile and consistent with the pertinent technological standards created by the European Supervisory Authorities. Entities with higher levels of cyber risk exposure will have an additional 36 months from the entry date to plan and carry out sophisticated penetration testing like a red or purple team assessment.
MFSA ICT Guidance
In December 2020, the MFSA released its own Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements. While DORA will bring about new and more defined regulations than ever before, the MFSA Guidance is a good starting point to assess compliance gaps in relation to ICT risk.
MFSA licence holders would do well to address complex requirements such as supplier risk management, threat intelligence and sophisticated security testing by conducting thorough gap assessments and identifying areas that need greater investment and maturity.
How can BDO help?
BDO can assist licence holders in assessing their preparedness against DORA through an assessment of your organisation's compliance with the MFSA ICT Guidelines.
Our solution allows for a conclusive breakdown of any gaps in procedures or risks which prevent your firm from demonstrating compliance through the following services:
- Assessment of your firm’s current standing with the guidance document, through a tailor-made Gap Analysis.
- Provision of a clear and concise remediation plan, identifying the actions required to become compliant with the MFSA’s Guidance document.
- Assurance of Information Security within your firm’s Technology Arrangements.
- Identification of risks your firm faces through a Risk Analysis that takes proportionality into account.
- Implementation of, and compliance with, an ICT Governance framework and Strategy.
- Assistance with the implementation of a Third-party Management process, addressing outsourced IT arrangements.
- Design of relevant tailored policies including Information Security, Business Continuity, Outsourcing, Change Management, Project Management and Incident Response (or assurance of your firm’s current policies).
- Identification and provision of a comprehensive Training and Awareness program covering Information Security & acceptable practices.