Operational Resilience and DORA. Do it once, get them both right.
By Simon Tweddle
As I said in my post last week (follow this link): “The operational resilience requirements in the UK share common objectives with the EBA guidelines for Information and Communication Technology (ICT) security risk management, and the requirements laid down by DORA in the EU.” Given that the FCA has (since before March 2022) required authorised payment and e-money institutions in the UK to comply with the EBA guidelines when preparing their operational and security risk return (REP018), it made sense to me to follow up with a piece on these guidelines, in the hope that anyone reading it could see that following them would take a firm a long way towards complying with both the UK Operational Resilience and the EU DORA requirements.
In an era where technology underpins the vast majority of financial services, the importance of robust ICT and security risk management cannot be overstated. Recognising this, the European Banking Authority (EBA) issued guidelines on security measures for operational and security risks in 2017 and replaced them in 2019 with its Guidelines on ICT and security risk management (EBA/GL/2019/04), aimed at ensuring that financial institutions maintain a high level of resilience against ICT-related threats. These guidelines gain even more relevance with the European Union's Digital Operational Resilience Act (DORA), which sets out binding requirements for the financial sector's digital operational resilience and applies from 17 January 2025. This post looks at the EBA guidelines for ICT and security risk management and links them to the key requirements laid down by DORA.
The EBA Guidelines for ICT and Security Risk Management
The EBA's guidelines on ICT and security risk management are designed to foster a uniform and high standard of risk management across financial institutions within the EU. They cover a broad spectrum of ICT risks, including those related to cybersecurity, data integrity, and outsourcing. Key aspects of these guidelines include:
Governance and Risk Management Frameworks: Financial institutions are required to establish comprehensive governance structures and risk management frameworks that explicitly address ICT risks. This includes the development of policies, procedures, and controls tailored to the institution's size, structure, and risk profile.
ICT Operations and Security: The guidelines mandate robust management of ICT operations, emphasising the need for secure configurations, data integrity, and protection against cyber threats. Institutions must implement measures to detect, respond to, and recover from ICT-related incidents.
Business Continuity Management: A critical component of the guidelines is the requirement for effective business continuity plans that ensure the institution can continue to operate in the event of an ICT disruption, thereby minimising impact on services.
Testing and Situational Awareness: Regular testing of ICT systems, including penetration testing and vulnerability assessments, is required to ensure resilience. Financial institutions must also maintain situational awareness regarding emerging threats and vulnerabilities.
Outsourcing and Third-party Management: Given the increasing reliance on third-party service providers, the guidelines also focus on the management of ICT-related risks associated with outsourcing. This includes due diligence, contract management, and ongoing monitoring of third-party performance.
Links to the Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) represents a significant step forward in the EU's approach to ensuring the operational resilience of the financial sector. DORA's requirements complement and expand upon the EBA guidelines, emphasising the need for financial institutions to be able to withstand, respond to, and recover from all types of ICT-related disruptions. Key aspects of DORA that link to the EBA guidelines include:
Digital Operational Resilience Testing: DORA mandates a digital operational resilience testing programme for all in-scope entities and, for financial entities identified by their competent authorities, advanced testing in the form of threat-led penetration testing (TLPT) at least every three years. This aligns with the EBA's emphasis on regular testing and situational awareness.
Incident Reporting and Information Sharing: Both DORA and the EBA guidelines highlight the importance of timely incident reporting and the sharing of information related to ICT risks. DORA introduces harmonised rules for incident reporting, facilitating a coordinated response to significant cyber threats.
ICT Third-party Risk: Reflecting the EBA guidelines, DORA places a strong emphasis on the management of ICT third-party risk, including mandatory contractual provisions and a register of information covering all ICT third-party arrangements. It goes a step further by establishing an oversight framework for critical ICT third-party service providers, enhancing transparency and accountability.
Risk Management: DORA requires financial entities to establish and maintain a sound, comprehensive and well-documented ICT risk management framework, echoing the EBA's call for robust governance and risk management frameworks tailored to ICT risks.
Digital Operational Resilience Strategy and Business Continuity: Under DORA, the ICT risk management framework must include a digital operational resilience strategy, and financial entities must maintain an ICT business continuity policy backed by ICT response and recovery plans. These must be integrated into the entity's overall risk management framework, reinforcing the principles outlined in the EBA guidelines.
So what?
The EBA guidelines for ICT and security risk management and the requirements of the Digital Operational Resilience Act together provide a comprehensive framework for financial institutions in the EU to address the current threat landscape. By aligning their ICT and security risk management practices with these standards, institutions can not only comply with regulatory expectations but also enhance their resilience against a wide range of digital threats. As the threat landscape continues to evolve, adherence to these guidelines and regulatory requirements will be crucial for maintaining the integrity, stability, and resilience of the financial sector.
Sound familiar?
Navigating Compliance and Beyond
For financial institutions, the journey towards compliance with the EBA guidelines and DORA is not just a regulatory obligation but an opportunity to strengthen their operational resilience. Institutions should view these guidelines as a blueprint for good practices in ICT and security risk management. By proactively addressing the areas covered by the EBA guidelines and DORA, institutions can not only mitigate risks but also gain a competitive advantage in the increasingly digital marketplace.
As the regulatory landscape continues to evolve, staying abreast of changes and anticipating future requirements will be key. Financial institutions must adopt a dynamic approach to compliance, one that includes regular review and adaptation of their ICT and security risk management practices. Collaboration within the industry, as well as with regulators and third-party service providers, will also play a vital role in enhancing the sector's overall digital operational resilience.
The EBA guidelines and DORA represent critical milestones in the EU's efforts to safeguard the financial sector from ICT-related risks. By embracing these requirements, financial institutions can protect themselves and their customers, ensuring the stability and reliability of their services in the digital age. For financial institutions that also need to comply with the operational resilience requirements in the UK, there is an opportunity for synergy between these programmes if they engage the right expertise to look beyond the silos and execute in a joined-up way.