DORA: how to move from operational risk management to operational resilience?

Wed 25 Oct 2023

DORA (the Digital Operational Resilience Act) is the key regulatory outlook for IT and Cyber risk between now and 2025. The European Supervisory Agencies have sought to strengthen the resilience of institutions by emphasising the need to evolve the approach to operational risk management, of which information and communication technology risks are a part. DORA strengthens the digital side of the financial sector’s operational resilience through network security measures.

The directive and the DORA regulation were drawn up to meet three key challenges:

  1. The financial sector’s dependence on ICT, which is likely to increase with the use of technologies such as blockchain and artificial intelligence.
  2. Identified shortcomings in operational resilience, including a lack of involvement on the part of management bodies.
  3. Disparities within the EU and the lack of a single legal act.

DORA should be considered a lever for harmonising national and European texts that prioritises simplification and rationalisation.

DORA scope of application

DORA applies to all players in the financial sector: asset management companies, investment firms, credit and payment institutions, account aggregators, insurance and reinsurance companies, and crypto asset service providers, according to MiCA (Markets in Crypto-Assets). It should be noted that central counterparties, trade repositories, and rating agencies will also be included in the scope of DORA. This scope will be extended beyond the financial sector, as DORA promotes the first EU-wide supervisory framework to identify and supervise critical IT service providers. These requirements will be applied proportionally according to the size and nature of the company’s activities.

DORA implementation times

The DORA regulation came into force in January 2023 and will apply in all EU member states from January 2025. It aims to establish a detailed and comprehensive digital operational resilience framework for EU financial institutions. Although the text itself has been finalised, many of the accompanying technical standards (RTS and ITS) are yet to be published. These include the ones that detail the more operational and technical aspects, specifying:

  • Elements to be included in IT security policies, procedures, protocols, and tools;
  • IT controls to be integrated into systems right from the design stage (security by design);
  • Incident evaluation criteria;
  • How to carry out certain intrusion tests.

The diagram below shows the various key dates in the implementation of DORA:

The five pillars of DORA

DORA identifies and proposes requirements for five key pillars of digital operational resilience that financial institutions must consider:

  1. Strengthening the IT risk management framework
  2. IT incident reporting
  3. Information sharing
  4. Digital operational resilience testing
  5. Third-party risk management

Strengthening the IT risk management framework

DORA aims to strengthen the IT risk management framework, promoting a holistic view of IT and security risks within financial institutions. This is the backbone of DORA: it lays down the fundamental principle of full responsibility, the aim being to ensure that management and supervisory bodies are involved in the management of IT-related risks. This has been translated into specific requirements:

  • Appropriate level of tolerance to IT-related risks;
  • IT business continuity policy;
  • Disaster recovery plan;
  • Investment in IT;
  • Training for members of the management body;
  • Formalised digital operational resilience strategy.

It also reaffirms the principle of the three lines of defence, within which the pillars of operational resilience must be developed. DORA reinforces existing governance and risk management rules but requires silos to be broken down in order to foster digital operational resilience. The management body must have IT and cyber risk expertise. These requirements will help financial entities improve their human capital by setting up a training programme for members of management bodies and awareness-raising initiatives.

IT incident notification

DORA harmonises the management of IT incidents, particularly those with the greatest impact, by defining a framework structured around four main stages:

The first two stages are generally in place, in line with ITIL (the Information Technology Infrastructure Library) or COBIT (Control Objectives for Information and Related Technologies) best practices. DORA sets out the main areas of analysis for qualification:

  • The number of users or financial counterparties affected;
  • The duration of the incident, including service interruption;
  • Geographical distribution and areas affected, particularly if more than two Member States are involved;
  • Loss of data, such as loss of integrity, confidentiality, or availability;
  • The severity of the incident’s effects and the criticality of the services affected;
  • Economic consequences, in absolute and relative terms.

Notification to the authorities concerns only major incidents for which a harmonised nomenclature will be published in the RTS. A dedicated file will be formalised according to a strict timetable (one day, one week, and one month after the incident). The asset management sector has not been spared the risk of cyber-attacks.

In fact, the AMF (French Financial Market Authority) has recorded some twenty incidents since 2020 (Société du Grand Paris scope), with recurring attack patterns such as misappropriation of individual authenticators, impersonation of corporate bodies or individuals, disclosure of specific professional or personal information, or intrusion into the information system.

Information sharing

Article 40 provides for the possibility of sharing information on defence systems and threats between financial entities, on a voluntary basis.

Considering the potentially sensitive nature of the information shared, exchanges are governed by rules of conduct that fully respect business confidentiality, personal data protection, and competition policy guidelines. Here, the regulator emphasises the importance of organising and sharing information between players to strengthen the sector’s overall resilience.

Digital operational resilience testing

DORA brings together the major resilience principles set out in the latest European and sector-specific texts and is thus positioned as an ‘umbrella’ text. It is not an overlay, but rather a consolidation of systems that meet different requirements. DORA offers a holistic vision of the risks, or threats, that can affect resilience, whether they be IT, cyber or physical. This requires the definition of an overall testing strategy covering the different threat scenarios defined by the entity. A robust and comprehensive programme of digital operational resilience testing must be developed and conducted. The principle of proportionality applies to the requirements for conducting resilience tests, according to the size, activity, and risk profile of entities.

Third-party risk management

DORA lays down the principles for managing the relationship with service providers throughout the contract lifecycle (conclusion, execution, termination, and post-contract), in line with the EBA’s (European Banking Authority) guidelines on outsourcing. It also provides for the creation of an EU-wide supervisory framework to identify critical service providers. Each critical service provider will be supervised by a supervisory authority, which will be able to sanction it, notably through financial penalties.

Authorities will have to annually draw up, update, and publish a list of critical IT service providers in the EU, with cloud providers receiving special attention from the regulator.

Points of attention for ManCos

Cyber SPOT checks carried out at management companies (ManCos) in 2019 and 2020 revealed several weaknesses:

  • Failure to identify critical assets in advance, leading to a false sense of security;
  • Business continuity plans that were tested but omitted the data restoration component;
  • Inadequate management and control of critical IT suppliers;
  • Persistent security flaws (no locking of USB peripherals, unencrypted workstations).

The summary of the AMF’s SPOT controls also shows that the growing sophistication of the attacks reflects hackers’ perfect mastery of data exchange flows between ManCos and their external service providers. DORA should help strengthen IT risk management and operational resilience.

How to prepare for DORA

Many elements remain to be specified in the forthcoming RTS and ITS. However, work should start immediately to diagnose the existing situation and to assess the workload and the IT, human, process, and training impacts required to spread a genuine culture of operational resilience. As such, we believe that projects should be managed in four key stages:

DORA will come into force at the beginning of 2025. The work initiated by certain banks and insurance companies shows that the text covers numerous cross-functional themes and represents a significant workload. The key factors for its success include:

  • Raising awareness and obtaining the support of the Group’s or entity’s top management;
  • Defining a global resilience strategy;
  • Developing and disseminating an IT risk culture;
  • Integrating IT risk into the company’s Risk Appetite Framework;
  • Having a holistic view of current and forthcoming regulations, thanks to the implementation of a regulatory watch.