How DORA will impact the financial services sector
It is estimated that cybercrime cost the UK economy around £27 billion in 2022, rising to £30.5 billion in 2023 and expected to increase again in 2024. On a global scale, the figure is in the multi-trillions. So, it’s not surprising that legislators are looking at how best to tackle this problem - especially within the financial sector.
Enter DORA - not Dora the Explorer, but the more grown-up Digital Operational Resilience Act.
What does DORA want?
Transparency, protection, and accountability.
When does DORA want it?
Now - or at least by 17 January 2025.
Who does DORA affect?
It affects financial entities - a term which is left deliberately wide but includes credit institutions, payment and e-money institutions, investment firms, insurers and reinsurers, and crypto-asset service providers, to name a few - together with the ICT third-party service providers that supply them.
DORA entered into force in January 2023, and the European legislators have given financial entities a two-year window within which to implement a series of stringent operational measures in relation to their ICT services to protect against cybercrime. There is an element of proportionality in relation to these measures, based on a financial entity’s size, overall risk profile and the nature, scale and complexity of its services.
The broad definition of ICT services refers to ‘digital and data services provided through ICT systems’ and therefore covers hardware and software in their various guises. As the intention of the legislation is to provide transparency and accountability throughout the ICT services supply chain, not only do financial entities need to implement measures but so too do the ICT services providers - and those designated as critical ICT third-party providers are placed under direct oversight by the European Supervisory Authorities.
What are the core principles of DORA?
DORA builds on existing resilience requirements within the financial services sector and promotes an ‘ISO27001 meets Cyber Essentials’ style of ICT risk management based on five core principles:
- ICT Risk Management - establishing an internal framework addressing ICT risks.
- ICT Incident Management, Classification & Reporting - having a process for detecting, classifying, handling and reporting ICT-related incidents, and acting on it when they occur.
- Digital Operational Resilience Testing - regular (at least annual) testing of ICT systems, including penetration testing, and remediating the gaps and errors it uncovers.
- ICT Third Party Risk Management - maintaining a register of third party providers, monitoring the risks they present, and paying particular attention to those supporting critical or important functions.
- Information-Sharing Arrangements - allowing financial entities to exchange cyber threat information and intelligence with one another within trusted communities, with the arrangements notified to the supervisory bodies, and to act on it where necessary.
Regulators will wish to be satisfied not only that measures are in place, but that they are actioned.
How does DORA impact the UK?
Whilst not as far-reaching as the GDPR (which applies to any organisation processing the personal data of individuals in the EU, wherever that organisation is based), DORA impacts financial entities if they have an arm operating in the EU. UK financial entities with an EU presence therefore need to be aware of what the requirements are. Equally, ICT services providers who support financial entities in the EU will need to be prepared for the extra scrutiny.
Whilst the EU is leading the way, the UK will not be far behind with its own measures. A joint consultation paper from the Bank of England, FCA and PRA, which closed on 15 March 2024, looked at how best to use the powers given to them under FSMA 2023 to monitor and manage the risks of the UK financial sector relying on critical third parties.
Is there guidance available?
Yes. DORA itself contains a list of clauses that will need to be included when financial entities enter into contracts with ICT services providers (Article 30), and this year the European Supervisory Authorities have published two batches of regulatory technical standards (RTSs) and implementing technical standards to provide more detail.
January’s batch focused on measures that financial entities should have in place (i.e. before-the-event measures), including more clarity for financial entities on how to:
- Classify incidents and threats - i.e. the criteria for what counts as a “major incident” and a “significant cyber threat”, looking at the materiality of the risks posed and the fallout from any breach.
- Implement an ICT risk management framework, or the simplified framework available to smaller and less complex financial entities.
- Implement governance and risk management requirements where ICT services supporting critical or important functions are outsourced to third parties.
- Create a register of information on their contractual arrangements with ICT third-party providers and the supply chains behind them.
July’s batch then focused on supervision, testing and the response to ICT incidents (i.e. preventative and after-the-event measures), including guidelines on:
- The format for reporting major ICT-related incidents and significant cyber threats and timelines for reporting.
- The conduct of oversight activities, i.e. ensuring that supervisory authorities can effectively oversee the digital operational resilience measures in place within financial entities and at critical ICT third-party providers.
- The routine performance of threat-led penetration testing (“TLPT”) - at least every 3 years - for the financial entities designated for it by their competent authority.
- The composition of joint examination teams (“JETs”) of supervisory authority staff with expertise in ICT risk, who will examine the critical ICT third-party providers placed under oversight.
- How to calculate the aggregated costs and losses caused by a major ICT-related incident.
What are the next steps?
Financial entities and their ICT services providers should therefore perform a gap analysis between their current measures and the requirements of DORA and address those gaps by January 2025, as well as updating their existing and future contracts and templates as necessary.
For further information, please email Mark Hughes or call 0151 906 1000.