What the Digital Operational Resilience Act means for third party ICT providers

Transcript

DORA, the Digital Operational Resilience Act, regulates how financial services providers manage their ICT risks. But those risks are not necessary wholly contained within the financial institutions – but can be found throughout the supply chain, in third and even fourth parties that provide and support ICT services. Fabio Colombo, Global Financial Services Security Lead for Accenture explains what ICT services providers need to know, and how to start getting to grips with their new responsibilities and obligations.

Watch more videos from this interview: What the Digital Operational Resilience Act means for board members and CEOs, and Finding DORA: How financial institutions must develop digital operational resilience

World Finance: I’m with Fabio Colombo from Accenture, and we are discussing the Digital Operational Resilience Act – which, although targeted at financial services companies, Fabio, has a broader impact, particularly on ICT providers?

Fabio Colombo: Yeah, ICT providers are one of the, say, big topics for this regulation, because ICT risk is not only in the financial institution, but is in the supply chain and the broader third and fourth parties that support these type of services.

So the idea is to have all these parties in scope of the regulation.

World Finance: So what does DORA mean for ICT providers, what do they need to know?

Fabio Colombo: It’s not something really different, there are already regulations from ECB in terms of how you need to manage these types of outsourcings. But it’s wider in scope.

So for an ICT provider, they will have an obligation in terms of the type of information that they need to give to the financial institution. They will also need to gather information from their suppliers – so what we call fourth parties – to be sure that you don’t have weak chain in your supply chain.

This will be a sort of, new golden rule for the financial institutions. So please expect banks and financial institutions will ask you: what are you doing to comply with DORA?

It’s not a certification, but if you think of DORA in terms of a new level of good practice, good management. By being compliant with DORA, I will be chosen as one of the best ICT providers, because by doing that I will set up good rules in terms of consistently going to reduce risk and to increase cyber and operational resilience in the market.

World Finance: Accenture is one such provider; what are you doing? How are you preparing?

Fabio Colombo: Yes, we are preparing with an internal project – we started some months ago.

We studied the DORA regulation, the LTS, the ITS, did a gap analysis because we already have a good set of standards and procedures. But we need to understand if there is any gap or any good practice that we need to put in place.

We need to understand if there are new obligations that we need to put in place in our contractual agreements, both with subcontractors and with the financial institutions.

So it’s a complex project but we started in the right timeframe, and now we have one year in terms of putting in place the right additional countermeasures to comply with this complex regulation.