Exploring DORA – the key features
The reliance of financial entities on technology within their business infrastructure is on the rise, given that it helps save on costs, increases efficiency and ultimately benefits consumers by offering a better end product. A number of insurance undertakings are in fact increasingly incorporating ‘tech’ within their product lines and services, as well as within their operational functions in the course of creating, distributing or administering insurance products.
On the flip side, cyber risks and cyberattacks are also increasing exponentially, and this may lead to financial entities suffering both financial loss and reputational damage. In an effort to reduce these risks, the European Commission has been working on a wide package of ‘tech’ legislative proposals, one of these being the Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (‘DORA’).
Scope of DORA
DORA casts a wide net and captures several financial entities within its parameters, including credit institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings and insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries.
DORA aims not only to offer safeguards to consumers and the market, but also to consolidate and improve upon information and communication technology (ICT) risk requirements, whilst creating a new oversight framework for critical ICT third-party service providers which offer ICT services to financial entities. The new rules that DORA is proposing will also serve to create a robust framework aimed at boosting the IT security of the financial sector which will be able to withstand ICT-related disruptions and tests. Given that financial entities heavily depend on cloud computing for storing their data and providing their services to consumers, certain proposed provisions of DORA will also deal with creating an oversight framework on third parties that provide critical services, such as, inter alia, cloud computing, to financial entities.
Key Matters
Undoubtedly DORA is a complex piece of legislation, and it can only be appreciated if studied in its entirety, together with the regulatory technical standards, which are still in the course of being drafted and promulgated. Having said that, we have outlined a non-exhaustive list of issues which we believe financial entities would do well to keep in mind when analysing DORA.
Management of ICT risks
Financial entities must have in place internal controls, strategies and procedures which help in addressing ICT risk quickly, efficiently and comprehensively, and in ensuring a high level of digital operational resilience that matches their business needs, size and complexity. Under Article 5 of DORA, financial entities should implement detection equipment to identify ICT risks, whilst also having adequate backup policies and recovery methods to minimise downtime and limit any disruptions caused. Financial entities should also ensure that their staff are capable, well-trained and suited to their size. Should an ICT-related incident take place, adequate incident reviews should be carried out to ensure lessons are learnt and the systems in place are improved.
Classification and reporting of incidents
Financial entities will be under an obligation to have in place an ICT-related incident management process to detect, manage and notify ICT-related incidents, and shall put in place early warning indicators as alerts. This obligation falls under the wider ICT-related incident management process which financial entities will have to follow. This process would also entail financial entities having in place procedures for communicating with staff, external stakeholders and the media about the ICT-related incident, as well as the establishment of incident response procedures aimed at mitigating its effects, whilst ensuring that the services become operational and secure in a timely manner. DORA further fleshes out certain rules on reporting ICT-related incidents to the relevant competent authority.
Digital operational resilience testing
To ensure that the systems that financial entities have in place are up to the challenge, DORA imposes an obligation on financial entities to periodically test their ICT risk management frameworks. The testing requirements differ according to the financial entity’s size, business and risk profile. Apart from this, financial entities will also need to carry out advanced testing by means of threat-led penetration testing (‘TLPT’) at least every three years. It is likely that the technical standards that will be applicable to TLPT will align with the Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), which was developed by the European Central Bank.
Information Sharing
By ensuring that financial entities are more aware of current cyber-threats and ICT-related incidents, DORA enables financial entities to build adequate defences, which will in turn reduce any vulnerability to such threats or incidents. Under Article 40 of DORA, financial entities may exchange cyber-threat information and intelligence with each other in the hope that such information sharing can enhance the digital operational resilience of financial entities.
Conclusion
Although DORA is not yet in force, its implementation is very much on the horizon, and just recently the Council of the EU and the European Parliament confirmed that they had come to a provisional political agreement on the text of DORA. Once DORA is approved, most of its provisions will come into force within a twelve (12) month period.
Insurance undertakings which fall within the scope of DORA would be wise to start preparing for its implementation by assessing their current practices against these new requirements, thereby ensuring that they are able to implement in a timely manner any and all changes required to fill any gaps that they may identify. Undoubtedly this process is not a simple one, and financial entities would be wise to rope in their advisors to assist in identifying the existing gaps and ensuring that they are duly remedied.