Dublin / New York, July 18, 2023 – In force since January 2023, the EU's Digital Operational Resilience Act (DORA) aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other digital risks. DORA will become fully applicable as from 17 January 2025.
DORA is already having a significant impact on fund managers across the EU region. It sets out measures that are divided into 5 pillars:
- ICT RISK MANAGEMENT
The DORA ICT risk management framework places the onus on the management body of the firm to identify and manage relevant risks. ICT (information and communication technology) risk management focuses on protecting the confidentiality, integrity, and availability of an organization's digital assets, including data, applications, networks, and hardware. It aims to minimize the potential negative impact of ICT-related risks on business operations, reputation, and overall security.
ICT risk management under DORA is an ongoing process that requires continuous monitoring, evaluation, and adaptation to evolving risks and technologies. To comply with this requirement, fund managers must develop comprehensive frameworks for risk identification, assessment, and mitigation.
- ICT-RELATED INCIDENT MANAGEMENT, CLASSIFICATION AND REPORTING
DORA aims to enhance regulatory reporting and transparency across financial entities. Fund managers should prepare for more comprehensive reporting requirements relating to operational resilience along with increased regulatory oversight and scrutiny.
DORA will introduce standardized incident reporting and communication protocols to ensure greater transparency and accountability within the industry. These requirements will be challenging for many asset management firms, which will need to improve their processes for collecting, analyzing and disseminating information about ICT threats and cyber-attacks.
- DIGITAL OPERATIONAL RESILIENCE TESTING
DORA sets out comprehensive guidelines and requirements for fund managers to ensure their digital infrastructures can withstand disruptions and recover effectively in the event of an incident. The onus has been placed on the management body of the firm to perform assessments on a regular basis, such as vulnerability assessments and network security assessments, and to address their findings.
- INFORMATION SHARING ARRANGEMENTS
Financial entities may exchange cyber threat information and intelligence. Information sharing is a crucial aspect of cybersecurity as it enables the timely exchange of relevant threat intelligence, vulnerabilities, and best practices among different stakeholders. This sharing of information helps to improve situational awareness, enhance the ability to detect and respond to cyber threats, and ultimately strengthen the overall security posture of organizations and networks.
Fund managers will likely face stricter requirements for data quality, integrity, and accessibility. They can also expect increased scrutiny on data privacy and protection, including compliance with the EU General Data Protection Regulation (GDPR).
- MANAGING OF ICT THIRD-PARTY RISK
DORA places significant emphasis on the management of risks arising from third-party service providers. In today's interconnected business environment, organizations often rely on third-party vendors for various ICT services such as cloud hosting, software development, infrastructure management, and data processing.
DORA imposes stricter regulations on outsourcing activities and third-party risk management. As a result, financial entities need to conduct thorough due diligence when engaging third-party service providers, ensuring they meet the required standards of operational resilience and cybersecurity. We are seeing more robust contractual arrangements, including clear provisions for monitoring and managing third-party risks.
Des Johnson, Global Chief Revenue Officer at Waystone, says “DORA is a transformative regulatory initiative designed to enhance operational resilience within the financial services industry. With our deep understanding of the fund management industry and commitment to regulatory compliance, Waystone is well-positioned to assist fund managers in navigating the complexities of DORA implementation. We recognize the significance of DORA and are committed to helping fund managers navigate the complexities of DORA and ensure compliance with the forthcoming regulations”.