With less than a year until the European Union’s Digital Operational Resilience Act (DORA) takes effect, financial organizations must prepare to comply with this landmark regulation.
By January 2025, financial institutions operating in the EU will be required to adhere to strict standards for cyber risk management, cyber incident reporting, cyber resilience testing and more.
While DORA will standardize cybersecurity controls across all EU member states, its impact will have global relevance, states Jason Harrell, managing director of operational and technology risk at the New York City-based Depository Trust & Clearing Corporation (DTCC). Harrell leads the firm’s global advocacy and engagement on cybersecurity and cyber resilience, new and emerging technology, and outsourcing/third-party risk management.
In fact, the industry insider thinks “the global repercussions of DORA’s implementation should not be overlooked,” as other jurisdictions and regulators may follow the European framework in the years to come.
Challenges
As organizations gear up to achieve DORA compliance, they may encounter several challenges, Harrell wrote in a recent analysis.
“First, with many financial institutions relying on numerous third-party providers, DORA will set out more detailed requirements for the management of outsourced services,” he said.
These new requirements will cover a service provider’s entire life cycle, from pre-contract negotiations to ceasing partnerships.
“Specifically, it is critically important for firms to proactively review the resilience of their information and communication technology (ICT) third-party service providers and monitor external risks,” Harrell observed.
To ensure compliance, financial institutions will have to push their third-party providers toward compliance as well, while keeping disruption to their day-to-day operations to a minimum.
To achieve this, firms must have plans in place allowing for the continuation of their services should some third parties be unable to achieve this compliance, Harrell continued.
“These plans could include the smooth transition of technology services to new providers or bringing these services back in-house.”
Compliance
Harrell strongly believes that compliance with DORA will depend on organizations’ ability to identify and document their critical ICT business functions, information assets, roles and dependencies as part of a comprehensive cyber resilience framework.
“This could be difficult for some firms, especially those with complex ICT systems or extensive reliance on outsourcing,” he said.
“Even though most organizations already have existing cyber risk management programs in place, firms will need to ensure these programs align with DORA’s requirements,” Harrell added.
“As a starting point, organizations should perform a gap analysis to identify areas that require prioritization.”
Despite these challenges, Harrell believes DORA presents “numerous opportunities” for financial services organizations to continue to raise their cyber resilience capabilities and standards.
He singled out that “DORA encourages collaboration between financial institutions by placing emphasis on information-sharing of cyber threat intelligence, enabling firms to adapt their defences to better respond to threats.”
Additionally, DORA provides a unified cyber incident reporting approach that may allow for better correlation of cyber incident information, Harrell noted.
“This information can be used to inform the financial services sector of changing and evolving cyber threats, enhancing transparency and trust across the European financial sector.”
Furthermore, DORA presents an opportunity to drive innovation through the adoption of newer, more efficient technologies and practices, ultimately increasing operational efficiency, lowering costs, and enabling financial institutions to be better positioned to adjust to the rapidly evolving digital landscape.
“Beyond serving as a blueprint for harmonising the supervision of ICT and cyber threats within the EU, DORA may set a precedent for other jurisdictions,” Harrell said.
By reducing divergence between the cyber risk management frameworks that multinational institutions must follow, DORA could “simplify regulatory complexity for multinational institutions,” he shared.
DORA also seeks to address the burdens associated with diverging cyber risk management rules across the EU that apply to financial institutions.
Therefore, “the global repercussions of DORA’s implementation should not be overlooked,” Harrell said in summary.
Due to the financial sector’s interconnected nature, financial authorities could adopt similar measures to coordinate their approach to managing cyber risk across jurisdictions.
“This regulatory coordination could lead to a more consistent, robust and resilient global financial system, reducing vulnerabilities and enhancing overall stability,” he said.
“DORA’s principles and practices may serve as a template for future global regulatory frameworks, highlighting the importance of a structured approach and collaboration to address cybersecurity on a global scale,” Harrell concluded.