What the Digital Operational Resilience Act means for board members and CEOs

Accountability for DORA and ICT risk in financial institutions starts with the board and CEO, explains Fabio Colombo

February 21, 2024

In our recent report, Decoding DORA, Accenture’s Fabio Colombo explains that “the executive board, inclusive of the Chief Executive Officer, are required to possess the requisite expertise and competencies to effectively evaluate the looming threat of cybersecurity risks.” In this video he explains why this is so important, and the kinds of training that will be necessary for CEOs and board members to properly engage and comply with the regulation.

Watch more videos from this interview: Finding DORA: How financial institutions must develop digital operational resilience, and What the Digital Operational Resilience Act means for third party ICT providers

World Finance: I wanted to pick up on what DORA means for executive board members and CEOs, who need to be able to make good judgements about managing these changing risks. Can you speak to the training that’s needed?

Fabio Colombo: Yes – one goal of the regulation is to bring enough level of accountability in the financial institution. So starting with the board of directors, down to the CEO and then to the c-suite.

Because IT is evolving and technology is evolving so quickly. The problem is more difficult to manage for the board, for the risk officer. This is why the board of directors and c-suite and the CEO need to be trained. Need to be exercised. In order to manage cyber crisis.

So it’s not only training by studying content, it’s not only an awareness. But it’s a sort of muscular memory, that you need to exercise. And you can do that by having these two different forms of exercise. One is tabletop exercise, simulating a crisis that is started as a cyber incident, and the second one is by participating as the white team in the threat-led penetration testing that is a pillar of DORA regulation.