Is it possible to “move fast and break things” without compromising operational resilience? The European Commission is trying to find out
As anyone dealing with banks and insurers would know, the financial industry is becoming increasingly digitised and reliant on technology in its daily operations. This brings with it unique risks which prudential regulators the world over are trying to properly manage. A particular concern of the European Commission is the concentration of services being provided by a small number of tech providers, and the fear that the failure of one provider could lead to a systemic issue for financial markets. In September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA) to support the twin goals of developing digital finance while mitigating the associated risks.
Obligations under the DORA
Obligations under the DORA, which affect EU financial entities, include:
- Governance (Article 4). Under the DORA, regulated entities would be required to assign clear roles and responsibilities for all ICT-related functions, and continuously engage in approval and control processes to manage ICT risk.
- ICT risk management (Articles 5 to 14). Regulated entities must set up ICT risk management functions (identification, protection and prevention, detection, response and recovery including business continuity practices, learning and evolving, and communication) and have a positive obligation to keep pace with the cyber threat landscape.
- ICT-related incident reporting (Articles 15 to 20). These provisions require financial entities to implement processes to monitor, log, and classify ICT-related incidents, and to report major incidents to competent authorities.
- Digital operational resilience testing requirements (Articles 21 to 24). Regulated entities are required to periodically test their ICT risk management framework for preparedness and for the identification of weaknesses, deficiencies, or gaps, and to promptly implement corrective measures.
- Managing ICT third-party risk (Articles 25 to 39) through an increased oversight framework. See below.
- Information sharing (Article 40). Financial entities are encouraged (but not obliged) to set up arrangements to exchange among themselves cyber threat information and intelligence.
Monitoring ICT third-party risk
It is the provisions relating to third-party risk which have drawn the most attention. In an apparent effort to tackle the risks associated with the concentration of data and infrastructure with a handful of technology providers, the European Commission seeks to increase oversight of third-party ICT providers in the DORA by:
- introducing rules and standards for financial entities to monitor ICT third party risk;
- placing minimum requirements for contracts with third party ICT providers, including a complete description of services, an indication of location of data processing, full service level descriptions, provisions on accessibility, availability, integrity, security and protection of personal data, and guarantees for access, recovery and return, reporting obligations and dedicated exit strategies; and
- for technology providers designated as ‘critical’ by the European Supervisory Authorities (critical third-party providers, or CTPPs), allowing financial regulators to conduct on-site and off-site inspections, issue recommendations and requests, and levy fines of up to 1% of daily worldwide turnover in cases of non-compliance.
As a result, it is possible that the impact of the DORA will be as significant for third party providers as it is for the regulated entities themselves. This has drawn criticism from the technology providers likely to be subject to the new obligations, who claim the obligations are overburdening and may have perverse effects, such as reducing competition.
The chairs of the European Supervisory Authorities (ESAs) have called for a simplification and slimming down of the overburdening DORA. The ESAs have proposed limiting oversight of CTPPs to ICT risks affecting financial entities only, clarifying how the oversight function and recommendations are to work in practice for cross-sectoral CTPPs and reserving the enforcement of the oversight framework to an EU-wide rather than national level to avoid mismatch in approaches among states. The chairs of the ESAs have also called for the introduction of greater proportionality in the Act.
What comes next?
The Act is not expected to be finalised for at least another 18 months. But the European regulator's heightened focus on technology risk already has a parallel in Australia, where APRA has made similar efforts to ensure that regulated entities here are properly managing their ICT risk, including through CPS 234 and its 2020-2024 cyber security strategy.
The steady march of financial services providers towards digitisation and third party services is only likely to continue into the future. This can at times make for very difficult unions between financial firms, which by nature and regulation, are focused on managing risk and building a strong compliance culture, and technology firms which aim to be fast-moving, innovative and embracing of risk and uncertainty. It remains to be seen how, or even if, regulators attempt to strike a balance between ensuring a well-managed financial sector and unlocking the efficiencies and economies of scale that come with technological innovation.