1. ICT risk management framework
The required ICT risk management framework is a major part of DORA. The framework is meant to be comprehensive, consisting of several requirements on how to manage digital risks according to a set risk profile. The ICT guidelines also required an ICT risk management framework; however, they allowed a higher degree of freedom in its design. The risk management framework described in DORA sets high requirements on both the content of the framework and the processes of Identification, Protection and Prevention, Detection, Response and Recovery of risk, akin to the NIST framework commonly used in the US.
This structure of risk management has proven to be a successful one, and FCG believes the proposed transition will significantly enhance the financial sector’s ability to manage digital risks. However, depending on your approach to risk management, transitioning to the required framework may prove a challenge.
2. Digital operational resilience strategy
DORA requires financial entities to establish a digital operational resilience strategy describing how the ICT risk management framework should be implemented and developed. Designed as a company-wide strategy supporting the business objectives, the strategy is to include methods on how to address ICT risks and attain ICT objectives, including the perspective of ICT third parties. The ICT guidelines also required such a strategy, but DORA’s requirements are comparatively more extensive.
3. Classification and reporting of major ICT-related incidents
DORA outlines the required incident management process and will require financial entities to classify major ICT-related incidents and report them in detail to a competent authority, namely the local FSA. In this sense, competent authorities will have a more prominent role in supervising how financial institutions manage incidents. This is a confirmed area where technical standards for the classification and reporting of incidents will be released to assist financial institutions and harmonize the reports they provide.
Transitioning to a more standardized way of incident management and reporting may prove difficult depending on your company’s current incident management process. However, the benefit is that you will receive direct feedback on your incident management as well as guidance on how to manage incidents that other entities may previously have encountered. Furthermore, the adverse impact incidents may have on the financial sector can be collectively mitigated in a new, collaborative manner.
4. Increased requirements on digital operational resilience testing
DORA requires the establishment of a digital operational resilience testing program appropriate to the scale and complexity of the business and consisting of a wide range of tests. DORA places increased focus on which tests should be performed and how. Most notably, all financial entities other than micro-enterprises are required to perform threat-based penetration testing by independent, reputable and accredited parties. If you do not have outsourced penetration testing today, this is something you will have to perform in the future.
5. Management of ICT third parties
The management and handling of ICT third-party vendors is arguably the area where DORA differs the most from the ICT guidelines, adding several requirements. Most prominent is the new focus on minimizing concentration risks and undue dependence on critical ICT third parties. DORA introduces detailed requirements on i) the assessment and implementation of a multi-vendor strategy, ii) pre-assessments related to concentration risks, iii) assurance that the vendors comply with high and appropriate information security standards, and iv) assurance that the parties are easily substitutable and that exit strategies exist for each vendor.
DORA provides the European authorities with wide-ranging responsibility and jurisdiction to govern financial institutions’ management and choice of ICT third parties, as well as to oversee the ICT third parties themselves.
To conclude, the areas presented in DORA are more focused on the governance and processes for achieving digital operational resilience. The main challenge for financial companies is to adapt to the DORA legislation and reach digital resilience while enhancing their core business. FCG believes that any corporation accustomed to the ICT guidelines will have a head start. Taking the right steps will let you achieve robust digital resilience.
FCG helps you navigate
We are committed to delivering in-depth expertise and pro-active advice to our clients. Our teams have assisted numerous financial services entities in adhering to the EBA and EIOPA ICT and security risk management regulations and in preparing for the introduction of DORA. Furthermore, we have assisted third-party providers with DORA adoption. We believe that if financial institutions adhere to the EBA or EIOPA regulation, a lot of the work towards DORA adherence has already been done, but adjustments will be needed once the final DORA text is made public. However, for the firms that are not under the EBA or EIOPA regulation, significant efforts will have to be made to comply with DORA.