By Beatriz Brunelli Zimmerman - Analyst, Supervisory ICT Risk and Cybersecurity, MFSA
(Article first published in The Accountant, Issue 4 of 2022)
The COVID-19 pandemic prompted consumers to move online and, in response to the changing nature of demand, the financial services sector answered accordingly by adopting services, tools and functions which are increasingly dependent on Information and Communications Technology (ICT). In addition, as a way of achieving economies of scale, firms relied on ICT third-party providers to support their changing ICT needs. While this meant that the sector had been able to respond successfully to the shift in demand, it also introduced significant cyber risk.
Against the backdrop of this post-pandemic reliance on ICT and outsourcing, the European Union’s (EU) regulatory framework on cybersecurity for the financial sector was fragmented and complex, which placed unnecessary barriers on market players. In 2020, the Commission released a proposal for a Regulation known as the Digital Operational Resilience Act (DORA), which aims to increase the financial sector’s digital operational resilience by setting new requirements for firms and harmonising the regulatory framework. The DORA Regulation has a two-year implementation period and is expected to become fully applicable within the first quarter of 2025.
The scope of the Regulation is broad and will impact most of the financial services sector. The Regulation introduces requirements for financial entities in the areas of ICT risk management, incident reporting, digital operational resilience testing and advanced testing through Threat-Led Penetration Testing (TLPT), the management of ICT third-party risk including an oversight framework for critical ICT third-party providers, and voluntary information-sharing arrangements between financial entities. Moreover, the Regulation is built upon the principle of proportionality, consisting of three principal proportionality layers. The first layer is the application of the main provisions in accordance with financial entities’ size, overall risk profile, as well as the nature, scale and complexity of their services, activities and operations. The second layer is essentially a simplified ICT risk management framework for specific financial entities. The third layer is an exemption for microenterprises from some of the requirements.
While DORA is arguably a job for a firm’s compliance, risk management, audit and ICT functions, the Regulation impacts the business in a holistic manner. By setting requirements that contribute towards increasing resilience, the Regulation can contribute to adding trust and value to businesses and their partners. For instance, by regularly subjecting themselves to testing regimes, firms can learn from the outcomes of these tests and potentially mitigate, deter or be able to better manage a possible ICT-related incident. In turn, this builds stakeholders’ trust in the entity’s ICT capabilities and resilience, in addition to preventing immediate capital loss and a drop in consumer confidence following an incident. This is especially important for the financial sector, which is increasingly being targeted by threat actors.
Another example of how DORA can add value to the financial sector relates to ICT third-party providers, which are also within scope of the Regulation. Under DORA, there are substantial requirements for ICT third-party providers – and more extensive requirements for critical ones – on the quality of their services. This means that DORA contributes towards a more consistent and standardised outsourcing landscape throughout the Union. Moreover, the EU’s oversight of critical ICT third-party providers introduces a much-needed supervisory aspect over the most utilised and relied-upon service providers in the Union. Once again, by reassuring businesses’ stakeholders of the quality of the service being provided by both critical and non-critical ICT third-party providers, the Regulation establishes greater trust and assurance throughout.
In short, the DORA Regulation should not be perceived purely as an added compliance cost that negatively impacts a firm’s balance sheet, but rather as a tool which can contribute towards assurance, trust and – ultimately – as a contributor of value to businesses. Indeed, these characteristics work hand in hand with the accountancy profession, which also seeks to contribute to businesses’ growth, assurance and overall economic stability.