The EU DORA regulation and third party risk

DORA stands for Digital Operational Resilience Act.

It is with this regulation that the EU aims to strengthen the IT security of financial services and industries. This means European banks, insurance companies, investment firms and other similar financial organizations. What it comes down to, in terms of compliance, is to demonstrate resilience in operations in case of a severe IT disruption, such as a cyber attack.

DORA covers five areas:

1. ICT Risk Management
2. ICT Incident Reporting
3. Digital Operational Resilience Testing
4. Information and Intelligence Sharing
5. ICT Third-Party Risk Management

This blog post focuses on ICT third party risk management, as it is a main part of the regulation. The business impact of DORA will be significant. In their cybersecurity predictions for 2022 Gartner foresees that “by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.”

A holistic framework

The EU is encouraging the financial sector in Europe to control and optimize how they manage ICT risks also known as third party risks. With regard to security controls, the expectation is to have in place an oversight framework covering the complete supply chain. From ICT third party providers, related ICT service providers, communications technology ICT risk, to cloud service providers and ICT-related incidents.

Establishing a well functioning framework can be an organizational challenge. Furthermore, having a mature framework in place is no easy job. Reason why, organizations which have an ISMS (Information Security Management System) might have an easier time complying with DORA's new rules.

On a high level, the goal of the framework is to ensure that organizations have in place the processes, tools and people needed to identify and reduce third party risk on a continuous basis. The aim is not only to prevent major ICT related incidents, but to manage and reduce ICT risk to an acceptable level for the organization. DORA signals across the EU financial landscape that the ICT risk appetite of EU regulators is lessening, and is more responsive to digital transformation and technological changes.

In practice, DORA tightens the rules of the game by requesting that financial entities add ICT third party risk management requirements in the contracts with third party service providers.

These requirements are around three main areas.

First, organizations are responsible for having a defined policy and strategy for third party risk. The expectation here from the regulator is that there is clear buy-in from the management level, which is communicated across the organization in an actionable plan.

Second, the requirement for EU financial entities is to perform their due diligence before any contractual agreement. It is critical to understand the level of risk introduced by a third party. Therefore, it is important to understand the security posture of the third party or sub-outsourcing risks.

Third, the requirement is that organizations have a clear view of the mapping between the ICT contractual service requirements and the financial/business services supported by the providers. Having a view of the criticality of the financial/business service allows for business continuity planning. Furthermore, risk management requirements have e better chance of a successful implementation when there is an estimation of potential impact.

Testing, testing

The key focus of DORA is on critical ICT third party service providers. The advice to the financial institutions seems to be 'trust your third party service providers but verify'. What this means in terms of assurance, is that organizations can legally request providers' evidence of their security posture.

In practice, DORA is a great tool to use for information security professionals to request assurance from ICT third parties such as penetration testing reports, vulnerability scans, source code reviews or third party risk questionnaires.

The idea is to ensure that the providers apply testing requirements across their organization.  More importantly, is that they mitigate findings, and have a solid security posture.

Furthermore, financial organizations are advised to increase their oversight and monitoring of third-party ICT providers. This is in order to reduce the potential risks resulting from critical dependencies on them.

Ultimately, the regulatory push is for financial entities to become more accountable and to test the operational resilience of their critical functions which rely on third parties. What could be at stake, in a worse-case scenario, is the financial stability of European markets.

Using a third party risk management platform

As one can imagine, putting in place or running a third party risk management framework, compliant with DORA, can become very complex in a financial services IT environment. However, if we try to simplify, for the purpose of this blog post, below we're taking a look at Who, What and How.

The Who is different in each organization. Potentially responsible departments are third party risk management, procurement, or business resilience/continuity.

The What is a matter of inventorying the vendors, suppliers and/or third party service providers, and mapping these to business functions.

The How is where things become complex.

Looking at the DORA requirements above, we could consider two important aspects. On the one hand, the level of maturity of the third party risk management function in the organization. On the other hand, the degree of interconnection between the third party ICT service, the financial IT environment and the business functions it serves. This latter aspect matters because factors such as technical debt, shadow IT, business and IT siloes could be a challenge.

In practice, using Excel to manage all of the above is not unheard of. However, we can all agree that in large enterprises this is not sustainable. Reason why using a third party risk management platform is the way forward.

If we consider a European bank with 30 critical ICT third party providers - among which, only for information security, we could assume cloud service providers, penetration testing providers, data analytics providers, or threat intelligence providers. Under DORA, the bank is to collect and manage assurance such as regular penetration testing reports, vulnerability scans, source code reviews or third party risk questionnaires. Achieving this using a platform could make life easier for third party risk managers. Collecting information, mapping it to risks and extracting insights on risk exposure could all be done in one place.

In conclusion

We hope that this post explains why DORA will be a complex undertaking for European financial entities, with regard to third party risk management.  

Put simply, the European Commission aims for the Digital operational resilience act to strengthen ICT risk management in the EU financial sector. Financial services must show that they're in control of their third party risks. At the same time, DORA will have an overspill effect on ICT providers in how they need to improve their IT security maturity. Therefore, the sooner the financial services start to plan and use a third party risk management platform, the better the chances to be compliant and secure.

If you have any questions about third-party risk management, please don't hesitate to contact us. We would be happy to help.