In these uncertain times, with many businesses transitioning from physical to virtual operations and everyone, or almost everyone, working remotely, financial entities have seen their dependency on Information and Communication Technologies (“ICT”) increase.
The COVID-19 pandemic has also drawn more attention to the considerable business impacts that ICT risks pose. The number and aggressiveness of cyber threats have been growing steadily. The European Union Agency for Cybersecurity (“ENISA”) has reported a rise in phishing, identity theft and ransomware.
Since 2008, following the financial crisis, the European Commission has been strengthening the financial resilience of the EU financial sector, adopting measures aimed at increasing the capital resources and liquidity of financial entities and at reducing market and credit risks. ICT risks were addressed only indirectly or partially, and in an uncoordinated way, by the different financial supervisors of EU Member States. This inconsistency led not only to a proliferation of unharmonized national regulatory initiatives but also to rules duplicating those set out in the 2016 NIS Directive, in particular for incident notification, security requirements and testing. In this context, and after consultation, the digital finance package adopted on 24 September 2020 by the European Commission includes a digital finance strategy and legislative proposals on crypto-assets and digital resilience.
Concretely, the Commission proposed to introduce a financial services Digital Operational Resilience Act (“DORA”), which will establish a comprehensive framework at EU level with consistent rules addressing the digital operational resilience needs of all regulated financial entities, and will establish an oversight framework for critical ICT third-party providers (“CCTPs”). Many market participants will be impacted by DORA, including traditional financial sector entities such as credit institutions, stock exchanges and clearing houses, UCITS management companies, alternative fund managers (“IFMs”), insurance companies, payment institutions and electronic money institutions, as well as crypto-asset service providers, issuers of crypto-assets and issuers of asset-referenced tokens.
A set of rules has been defined and is spread over seven sections:
• covering existing typical requirements on ICT governance and ICT risk management (Chapter II) and ICT-related incident reporting (Chapter III)
• introducing new requirements for digital testing (Chapter IV), information sharing (Chapter VI) and management of ICT third-party risks (Chapter V)
• providing financial supervisors with the tools to fulfill their mandate to contain financial instability stemming from those ICT vulnerabilities (Chapter VII).
DORA rules are also based on the principle of proportionality: while the rules cover all financial entities, their applicability will depend on the size of the entity, its activity and the overall risk it is subject to. Micro enterprises will benefit from this flexibility and will be subject to a proportionate application of the requirements on ICT risk management, digital resilience testing, reporting of major ICT-related incidents and oversight of critical ICT third-party service providers.
Emphasizing the importance of full management responsibility and accountability (Chapter II - art. 4)
The management body is responsible for setting the tone and for enforcing the definition and implementation of the organizational and technical measures that enable and ensure effective and prudent management of all ICT risks. The management body should play an active role in steering the ICT risk management framework and in assigning roles and responsibilities. It should be continuously engaged in controlling the monitoring of ICT risk management, in the full range of approval and control processes, and in the appropriate allocation of ICT investments and training. The members of the management body themselves should follow specific training on a regular basis to gain and maintain sufficient knowledge and skills to understand and assess ICT risks and their impact on the operations of the financial entity.
Enforcing ICT risk management requirements (Chapter II - art. 5-14)
A key principle is to align financial entities’ business strategy with ICT risk management. In line with the joint European Supervisory Authorities’ (“ESAs”) technical advice, industry standards (such as NIST) and best practices, entities are required to:
- Identify, classify and document all ICT-related business functions, the information assets supporting these functions and all sources of risk, and perform, at least annually, an ICT risk assessment;
- Protect against and prevent ICT risks by implementing adequate technical and organizational mitigation measures;
- Detect single points of failure and unusual activities through regular testing;
- Respond to disruption and recover from incidents by implementing, respectively, a dedicated and comprehensive ICT Business Continuity Policy and an ICT Disaster Recovery Plan, both maintained and tested regularly;
- Learn, evolve and communicate by analyzing the root causes of incidents and the effectiveness of the protection and detection measures in place, and ensure that communication plans enabling responsible disclosure of ICT-related incidents or major vulnerabilities to clients and counterparts, as well as to the public, are in place.
Improving and streamlining ICT-related incident reporting (Chapter III - art. 15-20)
Financial entities shall establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. While all incidents should be classified and assessed, only major incidents should be reported to senior management and to the competent authority. Reporting to the competent authority is due as follows:
- the initial notification, without delay, but no later than the end of the business day, or, in case of a major ICT-related incident that took place later than 2 hours before the end of the business day, no later than 4 hours from the beginning of the next business day, or, where reporting channels are not available, as soon as they become available;
- the intermediate report, no later than 1 week after the initial notification, followed as appropriate by updated notifications every time a relevant status update is available, as well as upon a specific request of the competent authority;
- the final report, when the root cause analysis has been completed, regardless of whether or not mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates, but no later than one month from the moment of sending the initial report.
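As an added illustration (not part of the original article, nor material from EY or the European Commission), the Python below encodes the three reporting deadlines listed above the way an incident-response team might in a ticketing or SOAR playbook, so that a case opened on a major incident carries its due dates and a late initial notification is flagged. The 09:00-18:00, Monday-to-Friday business day, the treatment of after-hours and weekend incidents like the late-in-the-day case, and the calendar-month reading of "one month" are assumptions; the page does not define them.

```python
from datetime import datetime, time, timedelta
import calendar

# Assumed business-day window: DORA leaves "business day" to the entity's own
# definition and the article does not give one (constructed assumption).
BUSINESS_START = time(9, 0)
BUSINESS_END = time(18, 0)
LATE_WINDOW = timedelta(hours=2)        # "later than 2 hours before the end of the business day"
NEXT_DAY_GRACE = timedelta(hours=4)     # "4 hours from the beginning of the next business day"
INTERMEDIATE_AFTER = timedelta(weeks=1)  # intermediate report: 1 week after the initial notification


def is_business_day(d):
    """Monday to Friday; public holidays are ignored (assumption)."""
    return d.weekday() < 5


def next_business_day_start(moment):
    """Start of the first business day strictly after the given moment's date."""
    d = moment.date() + timedelta(days=1)
    while not is_business_day(d):
        d += timedelta(days=1)
    return datetime.combine(d, BUSINESS_START)


def initial_notification_deadline(occurred_at):
    """Deadline for the initial notification of a major ICT-related incident.

    End of the same business day, unless the incident occurred in the last two
    hours of that day, in which case four hours into the next business day.
    After-hours and non-business-day incidents are treated like the late case
    (assumption: the article does not cover them explicitly).
    """
    if is_business_day(occurred_at.date()):
        end_of_day = datetime.combine(occurred_at.date(), BUSINESS_END)
        if occurred_at <= end_of_day - LATE_WINDOW:
            return end_of_day
    return next_business_day_start(occurred_at) + NEXT_DAY_GRACE


def add_one_month(moment):
    """One calendar month later, clamped to the last day of the target month."""
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def reporting_schedule(occurred_iso, initial_sent_iso):
    """All three reporting deadlines for one major incident.

    Timestamps go in and out as ISO 8601 strings, the form they usually take
    in a ticketing system. Returns the initial deadline, whether the initial
    notification was sent in time, and the intermediate and final deadlines
    (both counted from the moment the initial notification was actually sent).
    """
    occurred = datetime.fromisoformat(occurred_iso)
    sent = datetime.fromisoformat(initial_sent_iso)
    initial = initial_notification_deadline(occurred)
    return {
        "initial_deadline": initial.isoformat(sep=" "),
        "initial_on_time": sent <= initial,
        "intermediate_deadline": (sent + INTERMEDIATE_AFTER).isoformat(sep=" "),
        "final_deadline": add_one_month(sent).isoformat(sep=" "),
    }


if __name__ == "__main__":
    # Constructed sample incidents (2021-03-01 is a Monday, 2021-03-06 a Saturday).
    samples = [
        ("2021-03-01 10:30", "2021-03-01 17:00"),  # mid-day: due end of same business day
        ("2021-03-05 16:30", "2021-03-08 14:00"),  # late Friday: due Monday 13:00, sent late
        ("2021-03-06 03:00", "2021-03-08 09:00"),  # weekend: treated like the late case
    ]
    for occurred, sent in samples:
        print(occurred, "->", reporting_schedule(occurred, sent))
```

The `initial_on_time` flag is the value worth alerting on: a playbook that opens the case at classification time can compute the deadline immediately and page the on-call before it passes, rather than discovering the miss when the report is drafted.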
It is worth mentioning that the joint ESAs, together with ENISA and the European Central Bank (“ECB”), should establish a single EU hub for reported major ICT-related incidents. This initiative aims to streamline the flow of ICT-related incident reports from financial entities.
Performing digital operational resilience testing at least annually (Chapter IV - art. 21-24)
DORA defines common standards for digital operational resilience testing, with the objective of ensuring that firms are prepared when ICT-related incidents happen. Beyond traditional ICT testing techniques, the testing program should include a full range of appropriate tests, including vulnerability assessments and scans, open source analyses, network security assessments, penetration testing and even source code reviews (where feasible).
The DORA proposal strongly recommends advanced testing of ICT tools, systems and processes based on threat-led penetration testing (“TLPT”), carried out at least every 3 years. The technical standards to apply when conducting intelligence-based penetration testing should be developed by the joint ESAs and are likely to be aligned with the voluntary TIBER-EU framework developed by the ECB.
At the end of the tests, financial entities should communicate the agreed reports and remediation plans to the competent authority and confirm that the penetration tests have been performed in accordance with the requirements. The competent authority will then review and validate them and issue an attestation.
Finally, the competent authority should consider proportionate application of this requirement: TLPT will be carried out in a manner proportionate to the size, scale, activity, and overall risk of the financial entity.
Bringing the CCTPs into the game (Chapter V - art. 25-39)
As the overall objective of DORA is streamlined and effective governance, CCTPs will become subject to oversight to ensure they do not pose undue operational risks to the financial sector. While recommendations will be issued by the ESAs’ Lead Overseer to the CCTP, national competent authorities will be responsible for following them up and for taking action against their supervised financial entities when the recommendations are not addressed by the CCTP. In such a case, the proposal also gives the competent authorities the right to require the supervised financial entities to temporarily suspend the CCTP’s services or to terminate their contracts with that CCTP. Either the EBA, ESMA or EIOPA will be appointed as Lead Overseer for each identified CCTP. The goal is to ensure adequate monitoring of the CCTP, but also to avoid a domino effect across the heavily interconnected financial sector. The Lead Overseer will be empowered to request all documentation, conduct inspections and obtain reports, and may impose penalty payments (up to 1% of the CCTP’s average daily worldwide turnover in the preceding business year) to compel the CCTP to comply with the aforementioned points.
In line with the EBA, ESMA and EIOPA guidelines on outsourcing, the proposal requires harmonized contractual arrangements covering establishment (e.g. audit clause, defined roles, ...), maintenance (e.g. reporting, review, ...) and termination (e.g. exit plan, data retention, …).
Encouraging information sharing (Chapter VI - art. 25-39)
On a voluntary basis, and after confirming their participation with their relevant competent authority, financial entities are strongly encouraged to share cyber-threat intelligence and information within a community. The goals are to enhance digital operational resilience, raise awareness of cyber threats, limit or impede the ability of cyber threats to spread, and support financial entities’ defensive capabilities, threat detection techniques, mitigation strategies and response and recovery stages.
Challenges come with benefits
With the adoption of this new regulation, we see strong benefits for financial entities in having a harmonized and comprehensive framework for ICT risk management, and to some extent in its alignment with the NIS framework. Not only will DORA bring synergies at EU level, it will also have the merit of pushing for adoption of a digital single market for financial services.
At EY, through our Cybersecurity and resilience services, we assist organizations in having trust in systems, design and data, so they can make transformational change and enable innovation with confidence.
On the one hand, whilst DORA brings more attention to resilience in order to avoid disruption of critical functions and operations, financial entities have already implemented several ICT risk measures and reached a certain level of maturity. As part of our strategy consulting, we support various actors of the financial industry in designing, implementing or assessing the effectiveness and efficiency of ICT risk programs and compliance positions, and in how risks are managed now and going forward (resilience).
On the other hand, managing third-party risk has become increasingly challenging, putting pressure on financial entities to account for how their third parties (CCTPs, for instance) use and protect their data. As DORA pulls the CCTPs into the game with increased scrutiny from the competent authorities, EY has developed Third-Party security Risk Management (TPRM) solutions that provide a support function for management bodies to identify, evaluate, monitor and manage the risks associated with third parties and contracts.
On 9 February 2021, the Chairs of the ESAs gave their full support to this initiative, which will “streamline and strengthen the existing patchwork of relevant provisions across EU financial services legislation” and enhance “collaboration and collaboration among authorities within EU and internationally”. The DORA proposal is likely to be discussed and negotiated by the European Parliament and the Council in the coming months. However, based on experience with similar proposals (such as the General Data Protection Regulation) and other financial sector files, a final act is not expected before 2023.