This article was written by Tom Cole, Managing Director - UK & Europe at Abacus Group, and originally appeared in Global Investor Magazine
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has emerged as a pivotal regulation, setting a new benchmark for cybersecurity and operational resilience across the EU's financial sector. Published in the Official Journal in December 2022 and applying from 17 January 2025, DORA requires firms to adopt a broader business view of resilience, with accountability clearly established at the senior management level. The regulation applies to the vast majority of financial services firms operating in the EU, including alternative investment fund managers (AIFMs), UCITS management companies and MiFID investment firms.
Critically, DORA moves beyond the non-binding guidelines on ICT and security risk management that regulators in the region typically issued in the past: it establishes binding rules for ICT risk management, ICT-related incident reporting, digital operational resilience testing and ICT third-party risk management (TPRM).
The regulation is not merely about compliance; it represents a shift towards a more proactive approach to cybersecurity, one in which firms actively test their own defences rather than waiting for an incident to expose them. Equally, it is focused on harmonisation, driving a consistent and unified effort to manage digital operational resilience across the EU's financial sector.
So, while the application date may be in the future, this is no time for complacency. There is much that firms can and should be doing now to align with DORA and embed an ongoing culture of resilience and proactive risk management in their daily operations.
DORA affects firms based in the EU, but also firms with operations or clients in Europe, firms authorised to operate in the EU market, and the ICT service providers that support EU financial entities.
The regulation calls for specific technologies and approaches, such as ongoing vulnerability scanning and effective policy programmes, effectively transforming them from recommended best practices into mandatory requirements. Under its terms, firms are, for example, required to set up a comprehensive ICT risk management framework. They will need a streamlined process to log and classify all ICT-related incidents, and to determine which of them qualify as major incidents under the classification criteria defined in the regulation, since major incidents must be reported to the competent authority.
Moreover, they will have to strengthen their approach to resilience testing. That will mean, amongst other requirements, testing the ICT systems that support critical or important functions at least annually, and identifying, mitigating and eliminating any weaknesses or threats that the testing uncovers. Firms will also need to improve their management of ICT third-party service providers: maintaining a register of their third-party arrangements, mapping the vulnerabilities those providers introduce to inform a risk containment strategy, and documenting and reviewing those vulnerabilities more efficiently.
While many alternative investment firms may already meet several of DORA's requirements, there remains a significant effort to achieve full compliance and to avoid the fines and penalties that may follow non-compliance.
Making the necessary changes can be challenging, both from a cost and a cultural perspective, as it requires firms to move from a purely defensive posture to one in which they proactively test and challenge their own security. The starting point is education: firms need to understand not just the conceptual framework but also the practical implications of DORA and the preparations that compliance demands.
Given all the above, what needs to be top of the agenda for alternative investment firms as they look to comply with DORA? From the outset, most would be well advised to engage with their IT services partner to carry out a proactive gap or risk assessment that identifies the areas where their current cybersecurity measures fall short of DORA's standards.
Drawing on the results of the gap analysis, firms should then implement the cybersecurity services needed to close the gaps identified, such as vulnerability scanning, remediation and policy writing. To comply with DORA, and for their own long-term safety and security, firms must ensure that this is not a box-ticking exercise. Policies need to be effective and have teeth: they must be implemented, measured and enforced, not merely written.
As the regulatory landscape evolves, financial firms must stay ahead of the curve. DORA's implementation timeline, with the regulation applying from 17 January 2025, underscores the urgency for firms to begin preparing now. The regulation is not a mere compliance exercise; it is a fundamental shift towards enhancing operational resilience and cybersecurity in the financial sector. And it is not just firms operating in EU countries that need to start strengthening their security and compliance. The U.S. Securities and Exchange Commission (SEC) is already on a similar path towards more stringent rules, and the UK's own operational resilience regime is moving in the same direction.
It is important also that organisations are not tempted to go it alone in delivering on this vision. They should draw on the services of expert third-party partners with the solutions and capabilities to guide them through the transition.
DORA presents both challenges and opportunities for the alternative investment sector. By partnering with knowledgeable and experienced service providers like Abacus Group, firms can navigate these changes effectively, ensuring compliance and enhanced operational resilience and cybersecurity in an increasingly digital financial landscape.