The European Union (EU) will soon adopt a new regulation requiring banks and other firms in the financial sector to mature their third-party risk management programs to meet a defined set of cybersecurity requirements, which will also apply to the critical Information and Communication Technology (ICT) service providers they work with.
The window for reaching compliance will be relatively short given the complexity of the new framework. Understanding the Digital Operational Resilience Act (DORA), together with its roadmap and timeline, matters for every in-scope firm so that CIOs, CISOs, and compliance managers can start planning now.
The need for unified cybersecurity standards
Although the financial resilience of organizations across the EU has recovered since 2008, ICT risk has been addressed differently by each member state's financial supervisors. The result is an inconsistent approach and a proliferation of individual national regulatory initiatives.
In February 2020, the European Systemic Risk Board (ESRB) called for the consolidation of third-party risk management requirements for financial entities across Europe. The recommendation followed an ESRB report on cyber incidents, which identified cyber risk as a source of systemic risk to the financial system with potentially serious negative consequences.
The report recognized that a single event could trigger a systemic crisis threatening financial stability. According to a Cybersecurity Ventures report, global cybercrime costs are expected to grow by 15% per year over the next five years, reaching $10.5 trillion USD annually by 2025. At the same time, the number and severity of cyber threats tied to ICT risk, such as phishing, identity theft, and ransomware, keep rising, and vendor concentration amplifies both the spread and the impact of those threats, since a single compromised provider can affect many financial entities at once.
What does DORA mean for your organization?
DORA will apply to around 20 types of regulated EU financial entities. These include not only banks, credit institutions, payment institutions, and electronic money institutions, but also investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, institutions for occupational retirement provision, credit rating agencies, statutory auditors and audit firms, and crowdfunding service providers, among others.
Both large and small financial firms and their ICT vendors will fall within DORA's scope. Some firms will face lighter requirements under the legislation, while others will find it more burdensome than the rules currently in place. Future DORA regulation is also expected to set further tiers and application timeframes depending on the size and/or scope of activity of each in-scope firm.
Regardless of future scope and criteria, DORA will require all in-scope organizations to implement secure technologies and processes that raise overall supply chain resilience. Cyber risk management strategies, and third-party risk management programs in particular, need to evolve to address DORA's five key pillars:
- ICT Risk Management
- ICT-related Incident Management, Classification and Reporting
- Digital Operational Resilience Testing
- ICT Third-Party Risk Management
- Information and Intelligence Sharing
Despite Brexit, DORA is expected to broadly align with the UK's Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) operational resilience requirements. In practice, the UK-specific framework will exist in parallel with the guidelines issued by the European Supervisory Authorities (ESAs): the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). Firms operating in both jurisdictions should therefore map the two sets of requirements against each other rather than assume one program satisfies both.