There is no doubt that digitalisation brings with it not only opportunities but also the increased risk of cyberattacks. The Digital Operational Resilience Act (DORA) is aimed at ensuring that financial services companies are resilient enough to recover, not only for their own sake but also for all the other entities they interact with as well as their consumers.
Back in 2020, the European Commission embarked on the introduction of new legislation to ensure harmonised operational resilience across the financial sector, creating a framework which was common to banking, insurance and investment companies (amongst others), and whose aim was to ensure that Member States went beyond the minimum or diverging standards.
Raising the bar with DORA
Licensed entities in Malta should already have a risk management framework, but what they have is not always as comprehensive as it should be – and even the ones that do have something in place do not always execute and update regularly. DORA will raise the bar and entities need to make sure that they are well prepared as of 17 January 2025, the first day that the new legislation begins to apply.
The first step would be to make sure that they are fully compliant with the current framework, which means a thorough exercise to draw up the following documents:
- Business continuity plans
- Disaster recovery plans
- Back-up procedures, and
- Crisis management plans.
These plans and procedures should not be a mere ‘tick box’ exercise. They are only relevant if they are complete and tailored to the organisation (not just a template downloaded from the internet!), and they are kept up to date, at the very least annually, with regards to people, contact details, systems etc.
However, DORA would require even more thorough documentation. Two years may seem like a long time but the sooner entities conduct a gap analysis, the sooner they can start working to fill the gaps. The best analogy would be Y2K, the so-called Millennium Bug at the turn of the millennium: there was little last-minute panic because the majority of companies took the threat seriously and worked on possible gaps well in advance. Consider the COVID-19 pandemic: how many companies had enough laptops in hand from Day 1 to cope with remote working during the lockdown – even though it was probably an unlikely theoretical scenario in a disaster recovery plan? Yes, the unthinkable can happen.
The alternative would be to leave it too late and to have to compete for the limited number of skilled people with the clock already ticking, facing possibly higher costs. The well-known quote by Benjamin Franklin “By failing to prepare, you are preparing to fail” is worth keeping in mind.
Apart from updating them, all the plans will also need to be tested if they are to be worthwhile: from simple tabletop exercises to more complex simulations and full-on drills. This is the only way in which an entity can be sure that it has considered everything – no mean feat when you factor in the pressure under which its employees would be working if the worst were to happen.
Cyberattacks on the rise
Cyberattacks are becoming all the more sophisticated, and it is impossible to prevent them completely. However, entities can be prepared by having systems in place which could be put into action immediately, to ensure that operations are disrupted as little as possible and for as short a time as possible. This is not only a benefit for the consumers affected, but also for the company itself. Drawing up the plans may seem like a frustrating cost at the time – particularly when there are so many other priorities and the likelihood seems so remote – but if the unthinkable were to happen, a company’s brand, business and even shareholders would benefit.
DORA Regulatory and Implementing Technical Standards
The DORA framework is in place but it is not yet complete: the European Supervisory Authorities are, as we speak, drawing up 10 Regulatory and Implementing Technical Standards, a process which is expected to take at least a year.
DORA will also emphasise the role of the supervisory authority and the inspections it will need to carry out. In Malta, this is the Malta Financial Services Authority, which already has mandatory Guidelines on ICT related arrangements with which licensed entities need to comply. DORA may tweak certain rules and it will be much more prescriptive than at present, but a company would do well to ensure that it is already in line with the local obligations and prepared for the inspections that the MFSA is already gearing up for.
How can BDO help
Here at BDO we have technical experts who can help to ensure that your company is ready in good time for the new requirements set by DORA.
We can help you with DORA compliance by providing expert guidance on the regulation, conducting risk assessments and gap analysis, developing and implementing incident management and business continuity plans, and providing ongoing support and monitoring.