Achieving digital operational resilience

Wed 12 May 2021

The digitalisation of banking processes and the introduction of AI-led technology impact the central and strategic role of information systems within the banking system. The growing use of information and communication technology (ICT) exposes all financial institutions to an increasing level of digital risk that could weaken their operational resilience, in particular, due to more and more sophisticated cyberattacks.

The disruption to working practices due to the pandemic has shown how cyberattacks can target internal systems through, for example, ransomware, or external infrastructures damaging interbank or online services. The increasing pooling of technical and operational resources is expanding and intensifying the impact of service deterioration or interruption, making risk management more complex.

This situation is exacerbated by outsourcing to service providers, who sometimes operate for many other institutions and thus become vectors of contamination in the event of an incident.

Acknowledging the role of sound governance

Improving operational resilience requires regulatory changes to support institutions in managing their operational risks concerning ICT. With a final version expected during the next 12 months, the European draft regulation of the Digital Operational Resilience Act (DORA) aims to improve the digital operational resilience of financial players.

The draft regulation makes the importance of sound governance explicit and places it under the responsibility of the management body. The management body must ensure the effective implementation of the ICT risk management framework. In particular, it should determine the risk tolerance level for ICT risk and approve, oversee and periodically review the ICT Business Continuity Policy and the ICT Disaster Recovery Plan. It should also approve and periodically review audit plans covering ICT risks, and approve and monitor ICT outsourcing contracts, particularly when their conditions are changed.

The management body should also allocate and periodically review the budget to fulfil digital operational resilience needs and be informed about ICT incidents and their impact, including response, recovery and corrective measures.

A unified regulatory framework for ICT risk management

This being a draft, discussions between the various European bodies will probably lead to the publication of the final version of DORA within 12 months. However, this European Commission proposal is in line with recent publications from the EBA and EIOPA* and will contribute to the creation of a unified regulatory framework for the management of ICT risks.

This new text strengthens the account taken of the risk dimension in steering ICT risk management frameworks in financial institutions, including investment firms, and will require systemic reporting to management bodies and the regulator.

Developing an ICT risk management framework gives financial institutions the structure to manage third-party risk, including the direct oversight of ‘critical’ service providers, and to report major ICT incidents. Crucially, it provides the parameters for digital operational resilience testing, giving financial institutions the tools to enhance their digital operational resilience.

* EBA/GL/2019/04 and EIOPA-BoS-20/600.