Recently tested by the COVID-19 pandemic, resilience in the face of cyberattacks and other hazards continues to be a focal point for the financial services sector (Sector). While the industry performed remarkably well through the pandemic, the event gave firms an opportunity to identify ways to make their operations more resilient. New/emerging technology (e.g., cloud, DLT, AI) has the potential to provide the fuel needed to accelerate a firm’s operational resilience. This new technology may arrive through partnerships with market entrants (e.g., FinTech), through outsourcing of certain services to Information and Communication Technology (ICT) providers, or through adoption of the technology by the firm itself.
The prevalence of this technology in the Sector has rightfully attracted increased supervisory scrutiny. The European Union (EU) has long considered the potential impacts of financial digitalization on operational resilience and how the introduction of new/emerging technology may alter the provision of financial services in the future. Recognizing the need to balance the potential introduction of new and unknown risks against the opportunity for innovation, the European Commission (EC) drafted the Digital Operational Resilience Act (DORA) as part of a larger Digital Finance package, which was designed to lay the foundation for EU Member States to promote safety and soundness across the Sector as well as financial services innovation. DORA looks to provide consistency and to harmonize the digital operational resilience requirements across the EU Member States, with the goal of reducing the administrative burden for firms and strengthening supervisory effectiveness.
UNDERSTANDING THE RISKS
The DORA framework seeks to address the following risk areas:
Third Party / Outsourcing Risks – Firms continue to expand the use of external parties to deliver products and services, which increases the attack surface area and the need for firms to understand and validate the resilience of these external parties.
ICT risks – The EU Member States have numerous regulatory initiatives and supervisory approaches to manage cyber risks which have resulted in inconsistencies that increase administrative and compliance costs without significant gains in managing this risk. DORA seeks to create consistency in certain ICT risk management areas which may lead to better ICT risk management for financial firms.
Incident Reporting – Financial institutions have long been required to report operational events to supervisory authorities as part of their regulatory obligations. Unfortunately, divergent national and sectoral approaches to this reporting have limited the value of the information available on the current and emerging threat environment. When reporting requirements align within and across jurisdictions, regulators are better able to detect and mitigate systemic risk. Further, divergent reporting requirements increase the compliance burden on firms with little commensurate benefit across borders.
NEW OVERSIGHT FRAMEWORK
DORA is currently sitting with the European Parliament where it will undergo additional scrutiny by the different Member State representatives, which will likely change the initial EC proposal. While DORA will go a long way in creating a Single Rulebook in this space, certain factors should be considered when addressing the aforementioned risks.
Third Party Outsourcing Risk Management
The financial services industry uses a range of critical service providers, from highly regulated financial institutions to small, unregulated fintech firms. While DORA is considering a framework focused on ICT providers, this limited scope may leave other non-regulated, non-ICT providers outside the regulatory umbrella, which could lead to the development of additional frameworks that introduce operational complexity and additional compliance burdens. A potential long-term solution could be a single third party oversight framework that allows third party risks to be managed according to each provider’s market and consumer impact. This approach may allow greater flexibility to expand or contract the framework as new technology and market entrants develop.
Incident Reporting
There are scores of incident reporting frameworks, each with different reporting time frames, reporting templates and information requested. For firms that operate across Member States, the different permutations of reporting requirements complicate their ability to meet their compliance objectives while also responding to the incident. Further, the diverse reporting requirements limit a supervisory authority’s ability to form a clear picture of the threat landscape and to share information with firms about new/emerging risks. DORA proposes to streamline this reporting through one reporting framework. This would not only assist reporting firms but would also improve the visibility of new/emerging threats across the Sector, which, in turn, enhances supervisory oversight while raising the level of preparedness of all firms.
ICT Risk Management
Firms are required to develop and maintain systems and applications that minimize the impacts of ICT risks, implement preventative measures to guard against ICT risks, and detect and respond to ICT events. Supervisory rules and guidance across the EU Member States vary in both the granularity of ICT risk requirements and the ICT risk areas covered, which makes it challenging to meet all the rules in a manner that is cost effective and makes the best use of the limited skills available in the marketplace. Further, these differences require firms either to develop separate risk management programs for the different Member States in which they operate or to select the most stringent version of each requirement to meet their compliance obligations. This could unintentionally disincentivize firms from offering valuable services across Member States, as a firm may elect to operate in a limited number of states to avoid the additional operational complexity and cost of monitoring the requirements of numerous jurisdictions. Though DORA attempts to address many of the challenges created by the divergent national and sectoral approaches to managing ICT risks, it is important that the framework remain flexible enough to manage future risks and that it provide proportionality both for the range of firms it covers and for the external providers it will affect.
DORA is a major step in the right direction that will likely benefit both firms and supervisory authorities. The recommendations above may assist the European Parliament and European Commission in further strengthening this legislation and in creating consistency across the European Union.