On January 16th 2023, the European Union (EU) regulatory framework entitled the Digital Operational Resilience Act (DORA) came into force. The rules and policies laid out within the Act will apply to financial services firms from January 17th 2025.
James Greenway, Business Development Director at Portfolio BI explores DORA in further detail and outlines what the new legislation will mean for firms operating in the alternative investment space.
What is DORA?
DORA was created by the EU with the intention of improving the way that financial institutions manage data, so that they are more resilient against ransomware and other cybersecurity threats.
Prior to DORA, financial firms were only required to manage operational risk in terms of capital. However, this does not include the components of digital risk that firms can face. DORA specifically recognises the capacity for a cyber-attack to jeopardise the soundness of a company’s entire technical framework. As firms operate in an increasingly digital space, the EU designed the rules laid out in DORA to be specifically related to ICT incidents.
These include the protection, detection, containment, recovery and repair of operational capabilities. The new legislation explicitly refers to the importance of ICT risk management, incident reporting, resilience testing of operational structures and how a company manages third-party risk.
The five pillars of DORA are:
– Information and communications technology (ICT) risk management,
– Third-party risk management,
– Incident reporting,
– Digital operational resilience testing, and
– Information sharing.
The five pillars arguably make the legislation one of the most far-reaching pieces of regulation enacted, meaning a significant change in approach for some firms.
The UK leads the way
The FCA and the PRA set out their operational resilience policy in March 2021 and have been leading the way in these matters for some time. As early as 2022, they issued a UK bank with a £60M fine following an operational resilience incident. DORA continues to build on this framework in the sense that it is also aimed at managing systemic risks posed by “critical third parties”.
Operational resilience as a key business priority in 2024
With both the EU and FCA focussing on operational resilience, firms need to ensure that they are ready for the regulatory demands set out by both regulators. We are already over one year into DORA’s two-year transition period. With this in mind, 2024 will be a year in which firms need to prepare and implement adequate changes to their operational and regulatory reporting structures to ensure they are compliant with EU law.
How can firms prepare for DORA?
Whilst preparing for DORA can seem like an overwhelming task, there are several things that firms should be considering as part of their preparation for the Act’s implementation. These include:
– Carrying out an assessment of the suppliers and providers in your business model which could have an impact on your business-as-usual (BAU) operations.
– Running a detailed risk assessment, documenting the operational and technology factors which have an impact on your ability to adhere to DORA and how this could affect underlying clients.
– Considering the role of technology within your firm’s infrastructure, with required regular and ad-hoc auditing of your workflow to capture risk factors.
While DORA does not require you to establish a better technology footprint internally, having the technology to assist with the considerations above would be best practice and help reduce costs in the medium/long term.
At Portfolio BI, we work with clients globally and have an innate understanding of different market regulatory frameworks and changes. Our software supports our clients’ business needs, whilst enhancing their operational resilience and ensuring they remain compliant from a regulatory perspective. If you would like to learn more about how we can support you with implementing the changes set out in DORA, contact us today.
References
https://www.bankofengland.co.uk/news/2022/december/tsb-fined-for-operational-resilience-failings