The European Union’s Digital Operational Resilience Act (DORA), first proposed by the European Commission in September 2020 and adopted as Regulation (EU) 2022/2554, is set to usher in a new era of cybersecurity management for financial organizations. As cybersecurity threats continue to evolve, the EU has responded with DORA to bolster digital operational resilience and ensure that financial entities are well-equipped to handle ICT risks, especially those introduced through third parties.
Under DORA, financial entities in the EU will be obligated to establish and maintain robust cybersecurity risk management frameworks. These regulations will require organizations to conduct regular risk assessments, implement rigorous testing, and maintain incident response capabilities. The focus is not only on internal risks but extends to third-party cyber risk as well, which is often an overlooked aspect of cybersecurity.
Organizations impacted by DORA include a wide range of financial entities operating in the EU, including banks and other credit institutions, payment and e-money institutions, trading venues, insurance and reinsurance firms, and investment firms. Essentially, any organization that falls under the scope of the EU’s financial services regulations should expect to be in scope for DORA.
The regulation entered into force on January 16, 2023, and organizations must comply from January 17, 2025. The two-year implementation period is therefore already running, leaving a limited window for organizations to adapt to these comprehensive changes.
The DORA regulations outline a set of robust rules “addressing the digital operational resilience needs of all regulated financial entities and establishing an Oversight framework for critical Information and Communication Technologies (ICT) third-party providers.”
Let’s take a closer look at some of the key requirements under DORA:
One crucial aspect of DORA revolves around managing third-party risk, for example the ICT service providers supporting financial institutions. Organizations are increasingly reliant on vendors, suppliers, and service providers, making it essential to ensure that data processed by third parties remains secure and that the services they deliver remain available.
The regulation requires that entities manage third-party risk within their overall ICT risk management framework, considering the scale, complexity, and importance of ICT-related dependencies and the risks stemming from contracts with ICT service providers. A comprehensive and regularly updated strategy on ICT third-party risk management, inclusive of a policy on the use of third-party ICT services, is necessary. Furthermore, entities must maintain a well-documented and up-to-date register of information covering all contractual arrangements for ICT services, which must be made available to competent authorities on request. Contracts may only be concluded with ICT third-party service providers that adhere to appropriate information security standards, and the contracts must secure the entity’s right to audit and inspect those providers. Exit strategies (or offboarding plans) must be established to mitigate the risk of a provider failing or being replaced, and the mandatory contract terms set out in the regulation must be included. The European Supervisory Authorities (ESAs) are developing implementing technical standards for the Register of Information and regulatory technical standards on the policy for the use of third-party ICT services.
DORA also establishes an oversight framework for critical ICT third-party service providers. The ESAs designate these providers based on factors such as potential systemic impact and their importance to financial entities, appoint a Lead Overseer for each designated provider, and convene an Oversight Forum to discuss ICT risk and promote a consistent approach to risk monitoring. The Lead Overseer assesses each provider’s ability to manage the ICT risks it poses to financial entities, considering factors such as ICT requirements, physical security, and adherence to relevant standards. It has the power to request all relevant information, conduct general investigations and on-site inspections (with which the provider is expected to cooperate), and issue recommendations on a range of issues; non-compliance with those requests can result in periodic penalty payments. Ongoing oversight is carried out by a joint examination team assigned to each designated provider. The ESAs charge oversight fees to the designated providers to cover the cost of these tasks, and the regulation emphasizes international cooperation in managing ICT third-party risk.
The increased emphasis on third-party cyber risk management under DORA is significant. Many financial organizations rely heavily on third-party vendors for various aspects of their operations. While these relationships can provide numerous benefits, they also introduce potential cyber risks. If a third-party vendor suffers a security breach, the impact can quickly cascade to the organizations relying on their services.
That’s where a platform like FortifyData comes into play. As a cyber risk management platform that addresses both enterprise risk management and third-party risk management, FortifyData can help organizations meet the standards set by DORA, particularly with respect to third-party cyber risk management.
FortifyData allows organizations to monitor their third-party vendors continuously, offering real-time visibility into cyber risk. With the platform, organizations can conduct in-depth cyber risk assessments of their vendors, including questionnaire management that correlates technical findings with the applicable technical control questions on the questionnaire. This is known as auto-validation of a questionnaire, and it quickly highlights discrepancies between a recipient’s answers and what the technical assessment actually observed. That evidence-based check helps ensure third parties (service providers) meet the requirements set by DORA. FortifyData has a DORA questionnaire under development that will be available before the DORA compliance deadline. The platform is designed to identify vulnerabilities, assess potential threats, and provide actionable insights to mitigate risk. Additionally, client organizations subject to DORA can have their overall security rating reflect third-party risk, and they can set up separate security ratings for each vendor or group of vendors for continuous monitoring of the third-party risk to the client organization. Clients can then choose to use FortifyData’s third-party reports as supporting material when regulators ask for review.
Moreover, FortifyData aids in ensuring compliance with DORA’s regulations for regular risk assessments and rigorous testing. It offers a risk scoring system that quantifies cyber risk, taking into account various factors such as the likelihood of a cyber-attack and the potential impact. This scoring system allows organizations to prioritize their risk mitigation efforts effectively, aligning with DORA’s requirements for a risk-based approach to cybersecurity.
The EU’s Digital Operational Resilience Act (DORA) presents a new set of challenges for financial organizations in the realm of cybersecurity. However, with the right tools, organizations can navigate these changes and work toward compliance. FortifyData, with its cyber risk management capabilities, can be a valuable ally in this journey. By providing continuous monitoring of third-party cyber risk, in-depth risk assessments, and risk scoring that prioritizes mitigation, FortifyData can help organizations meet the standards set by DORA and fortify their digital operational resilience.