Financial Services Ireland

Digital Operational Resilience

Resilience

The term “resilience” has been a much-used buzzword on the strategic radar of firms for some time now. Since March 2020, however, resiliency has moved from just the boardroom to the war room and sitting room, as Covid-19 has tested the resilience capabilities of businesses, governments and people alike.

Resilience is the adoption of a “bend, not break” mantra. Its dictionary definition is “the capacity to recover quickly from difficulties; toughness”.

Be it mental, physical or operational, the lessons learnt from the global devastation of Coronavirus have taught us that resilience is a “must”, not a “nice to have”.

We have seen the resilience of the financial services industry pushed past breaking point as a result of the 2008 financial crisis, only to see it bounce back through governmental intervention and tough management decisions.

In the wake of the financial crisis, sensibility has prevailed, as companies and regulators put aside more provisions and prepared for worst-case scenarios. Emphasis on effective risk management and enhanced assurance activities also emerged, all in an attempt to increase capacity to recover quickly. 2020 has provided the acid test for this progress, determining whether firms’ preparedness and planning will navigate the difficulties and uncertainty of a global pandemic.

Operational resilience, as a concept, is about joining the dots and strengthening end-to-end services across silos, departments and disciplines. It connects several elements of risk management (including business continuity, cybersecurity, data protection and outsourcing) to address the end-to-end ability of an institution to provide a level of service that is acceptable (or tolerable) to its customers.

Global Regulatory Trends

Emerging trends in regulation are focusing on accountability and responsibility, enabling the most appropriate stakeholders to drive and govern the risk management and resilience of their institutions, the services they provide and the markets they support. This is being underpinned by a shift in mindset to put the customer first and understand their tolerances and needs.

Within Europe, regulatory guidelines have been implemented in relation to outsourcing, ICT and security risk, and recovery and resolution planning, all with the aim of strengthening resilience across the financial market as a whole and drawing attention to its weakest links.

In the UK, consultation papers on operational resilience have been circulated, and final published guidelines are expected early this year around the requirements for end-to-end resilience of business services.

The European Commission published a legislative proposal in September 2020 – the Digital Operational Resilience Act. Outside of Europe, the US Federal Reserve published Sound Practices to strengthen Operational Resilience in October 2020, and the Basel Committee published a paper of 7 principles for Operational Resilience in August 2020.

Digital Agenda

The focus in Europe on the topic of resilience has leaned towards the digital agenda, set against a backdrop of:

  • The increase in digitalisation across the financial sector
  • Ever increasing complexity and interconnectedness of financial entities across borders and across third parties
  • Increased frequency of incidents and increased sophistication of cyber attacks
  • Greater reliance on unregulated third-party ICT providers, underpinning the stability of the financial services sector

The Digital Operational Resilience Act formed part of the European Commission’s Digital Finance Package designed to ensure financial stability and consumer protection while supporting innovation and a digitally competitive financial sector in the EU.

Introducing DORA

The European Commission’s Digital Operational Resilience Act (DORA) proposal outlines a comprehensive risk management framework to oversee financial institutions and address the fragmented supervisory approach across the single market.

Whilst some elements of the operational resilience requirements are an evolution of regulation already in place (such as governance structures and outsourcing requirements), other elements will be a full revolution for firms. The proposal expands the regulatory perimeter to establish an oversight framework applicable to critical third-party providers of ICT services (including cloud computing and data analytics).

The proposal is principle-based. However, certain aspects of it are rather prescriptive, leaving little space for flexibility to meet the desired level of resilience and to account for a company’s proportionality.

Some key sections of the act are summarised below:

  • ICT Risk Management Framework – builds largely on the EBA’s ICT and security risk guidelines, which emphasise senior management involvement, governance and oversight, expanding the requirements to include a digital resilience strategy and the implementation of operational resilience testing. There are also additional requirements around disaster recovery, communications and crisis management. The proposal also sets out requirements to learn and evolve both from external events and from the firm’s own ICT incidents.
  • Incident Reporting and Information Sharing – the proposal enhances and expands the reporting of ICT-related incidents to sectors not currently covered. It also addresses the multitude of reporting requirements imposed on a firm, and attempts to streamline reporting with common reporting templates, timeframes and a single point of reporting. Additionally, the guidelines encourage the exchange of cyber threat information and intelligence within trusted communities of other financial entities.
  • Management of ICT Third-Party Risk – the requirements build on existing EBA outsourcing requirements, requiring firms to expand their register of providers to include all contractual arrangements rather than just those classified as outsourcing. DORA also requires firms to have a strategy on ICT third-party risk. The increase in the scope of the regulation to include critical ICT service providers assigns responsibility for managing ICT risks directly to the third party, in addition to the responsibilities of the institution receiving the services.

Next Steps

There is a way to go before the act comes into effect, with an expectation of around 18 months. Additionally, there are underlying technical standards to be developed by the European Supervisory Authorities (ESAs), which will give more granular guidance as to the requirements.

The Commission considered establishing a new, separate authority to supervise critical ICT service providers and instead decided to absorb them into the existing regulated financial entities framework. This approach suggests that the technical standards, as well as the supervisory model, are likely to be very closely aligned to the existing ESA guidelines and supervisory approach.

Actions

ICT firms (including cloud providers) will need to assess whether they may be classified as a critical ICT service provider under DORA’s definition of the term. For all critical firms, the recommendation is to evaluate their current risk framework against DORA and build any step-up requirements they may have into their strategy, growth plans and budgets.

Financial institutions currently within the European Commission’s supervisory model and scope should assess whether their current state meets the expanded regulation and plan accordingly to respond across the themes.

Don’t hesitate to reach out if you have a question.

This article was first published in the April 16th issue of Finance Dublin.

Sara Woods

FS Director, Technology Risk