In the ever-shifting landscape of financial regulations, the European Union has introduced the Digital Operational Resilience Act (DORA) – a comprehensive framework addressing the digital risks faced by the European Financial Services Sector. Its aim is to ensure the integrity and availability of the financial sector. Let’s delve into the key components of DORA, focusing on its four pillars: ICT risk management, incident management, third-party risk management, TLPT testing.

ICT risk management: Strengthening the digital ramparts
DORA’s first pillar, ICT risk management, outlines the need for financial institutions to fortify their digital defences. It emphasises not just the standard cybersecurity measures but also robust administrative procedures, internal controls, and risk assessments. In simpler terms, it’s about ensuring the digital infrastructure is solid, secure, and resilient against potential threats.

In an interconnected financial world, where borders are porous, DORA sets a precedent for cybersecurity practices

The objective of this pillar is to create a level playing field with minimum level of ICT risk management, and consistency across all in scope entities. The impact on FS entities will be felt hardest by those firms that manage ICT risk inconsistently today for example have grown by acquisition or are domiciled in different European member states with inconsistent treatment across the group or third party providers that were not previously subject to robust risk management rules.

The management of cyber risk overlap with activities within cyber defence, in a number of organisations (and ‘best practice’), is for cyber risk to inform the investment within cyber defence. Assessing cyber risk following the new rules has led to the need to rapidly mature the capabilities in cyber defence.

Incident management: Navigating digital turbulence
Incident management, the second pillar, mandates a swift and organised response to any digital incidents. Financial entities are required to report incidents consistently and aligned with the seven classifications detailed in the legislation, proposed in the draft RTS (technical standard) and promptly, fostering a culture of transparency and learning from each disruption. It’s not just about addressing the immediate challenges but also about building resilience through experience.

Firms will need to update their SOPs and the systems for detection, management and resolution of incidents include operational reviews, system evaluations, training, frequent audits, and regular repetitional risk assessment due to the additional disclosures – this may also require regular updates of competitive positioning. Additional resources will be required for development, implementation, and regular auditing. It should not be forgotten that these procedures and their oversight need integration with other managerial tasks, which will add to operational complexity.

Third-party risk management: Safeguarding digital collaborations
The third pillar focuses on third-party risk management, acknowledging the interconnected nature of the financial ecosystem. It designates competent authorities as overseers, ensuring that external service providers don’t become weak links in the digital chain. This pillar aims to prevent unforeseen risks stemming from dependencies on external entities and is enlarging the scope of previous regulation on outsourcing. The expectation is the FS entity becomes responsible for the management of ICT by their digital supply chain; ‘back-to-backing’ their obligations in contracts with third party suppliers.

Not only does this require changes within procurement, but breaches of sub-contracted legal obligations become the responsibility of the FS entity (as they are still accountable, you cannot contract away a compliance obligation). This will require FS firms to be more prescriptive with suppliers around their risk management approach and will require reviews and audits by the FS firm.

TLPT (Threat-led Penetration Testing): Ethical hacking for digital preparedness
TLPT, the fourth pillar, applicable to introduces a pragmatic approach to cybersecurity. Threat-led Penetration Testing, will be based on the guidance of TIBER-EU (Threat Intelligence Based Ethical Red Teaming) where it has been implemented involves ethical hackers simulating cyber-attacks across the whole attack surface of systemically important FS institutions. This isn’t just a compliance measure but a proactive strategy to identify and rectify vulnerabilities, making financial entities more robust against potential threats. TLPT exercises need to be seen as an exercise to strengthen the overall resiliency posture more than as an audit exercise; by coupling with cyber crisis simulation will create a sort of muscular memory in the c-suite and board in order to be prepare to the unprepared in case of real attacks and ransomware.

Transparent governance in the digital age
Accountability and reporting is one cornerstone principle, emphasising the importance of transparent governance. Financial entities are not only accountable to regulators, but also to their internal boards of directors. This principle necessitates the establishment of a robust reporting structure, ensuring that all stakeholders are informed about the institution’s digital resilience measures. This means that there is a consistent approach with internal accountability being first or second line of defence. The important principle is to avoid siloing the different requirements implementation and instead keeping a comprehensive and consistent approach.

IT failure or cyber events have a real impact on firms’ ability to operate

The executive board, inclusive of the Chief Executive Officer, are required to possess the requisite expertise and competencies to effectively evaluate the looming threat of cybersecurity risks. This includes the ability to critically review security proposals, engage in constructive discourse on various activities, formulate informed perspectives, and appraise policies and solutions that safeguard the resources of their establishment.

This builds on the requirements of the NIS 2 Directive which requires appropriate training for management on cyber and cyber risk oversight, and improvements to the compliance framework forming part of corporate governance which when combined with the incident reporting obligations to management puts responsibility for the cyber risk squarely on the shoulders of the board and executive management.

Because DORA is principle based it is required that each financial institution will set up a good governance model that will be able to keep pace with new threats and countermeasures (emerging threats such as Post Quantum Cryptography and Gen AI could be two good examples). This requires a paradigm shift from current isolated risk management practices to using an Integrated Risk Management (IRM) approach. Integration in this context is two-fold; (1) viewing digital risk in conjunction with other risks, and (2) linking risk management directly with cyber operations and using ‘assets’ serving as the backbone. Financial institutions need to move away from siloed risk management and embrace an integrated strategy that considers the interconnected nature of risks.

Changing the approach: Assets as the backbone
Management need to combine their role as stewards of the company’s financial assets and oversight of risk management. IT is the key element of most business capabilities, IT failure or cyber events have a real impact on firms’ ability to operate. IT assets need to protected, and understood as much as business ones.

IT assets need to become the cornerstone of the integration of business capability and effective IT management. Financial institutions must identify and prioritise their critical assets, understanding how digital risks can impact them. Critical assets support critical business capabilities and processes. This asset-centric approach allows for a more nuanced understanding of risk, enabling proactive measures to protect vital components of the institution. And to do that, the need for an automated and integrated solution is necessary to run an efficient model and get as an additional value the possibility to automatise processes and gain further efficiency.

Global implications: DORA’s ripple effect
While DORA is an EU regulation, its principles resonate globally. In an interconnected financial world, where borders are porous, DORA sets a precedent for cybersecurity practices. Its influence extends beyond the EU, shaping the global approach to digital operational resilience and integrated risk management.

Decoding the DORA narrative
In conclusion, DORA is not just another set of rules; it’s a narrative shaping the digital future of finance. It’s a pragmatic guide for financial entities to navigate the complexities of the digital realm.

Care should be taken to ensure that DORA is not treated like just another regulation that requires a ‘typical’ regulatory change management approach – identify obligations, update policies, confirm controls and then test. It requires a significant maturing of cyber defence as well as cyber risk management capabilities, both having active and directive support of management.

For the smaller firm, this will require transformation of a traditionally underinvested area. Management will need to be upskilled and provided with information contextualised in such a way that decisions can be readily and rapidly made. Making cybersecurity relevant for business management has been the challenge for the industry, now it is crucial for firms to be able to comply with NIS 2 and DORA.

As the financial landscape evolves, DORA remains a relevant script, encouraging entities to embrace resilience, minimise disruptions, and thrive in the ever-changing digital narrative. With accountability and reporting at its core, DORA ensures that financial institutions not only comply with regulations, but also actively work towards building a resilient, integrated, and secure digital future.