Less Than One Week Until DORA: Making Sure the Final Check Is Done

The deadline to implement the Digital Operational Resilience Act (DORA) is less than a week away, and with financial companies facing fines of up to two percent of annual global turnover for failure to comply, they are double- and triple-checking to ensure they are compliant. With just six days to go, we take a look at some of the biggest hurdles facing companies looking to become DORA compliant.
The DORA regulation was first introduced in 2022, with the aim of protecting financial services against ICT-related incidents. Historically, companies have set aside capital to cover any losses faced due to a breach; however, this only works as a short-term solution. DORA aims to solve long-term problems by ensuring that companies have protection, detection, prevention, recovery, and remediation measures in place.
Traditional methods of dealing with ICT breaches often result in a financial organization adjusting its own offerings, but leaving potential ICT third parties at risk. With DORA, a new set of rules has been put in place for ICT risk management, incident reporting, operational robustness testing, and third-party ICT risk management.
As a result of the new regulation that will come into effect on January 17, financial entities may face fines of up to two percent of their global annual turnover, while third-party partners could be fined €5 million. Meanwhile, individuals in financial companies may face a €1 million fine for non-compliance, and third-party individuals may be fined €500,000.
Dotting the ‘i’s and crossing the ‘t’s
Organizations need to know if DORA applies to them, and in turn, to their ICT third-party providers. As such, work is likely already underway to ensure compliance. However, with the deadline quickly approaching, companies should ensure that their incident reporting processes and protocols are fully functional and compliant with regulatory requirements, according to William Davenport, chief sales officer of Wordwatch, the compliance and record management solutions platform.


He said: “Companies should conduct final reviews – including ensuring that staff are aware of their roles in incident analysis, management, and development processes. We also recommend a review of any gaps in third-party risk management by confirming that external ICT suppliers meet robustness standards – keeping a record to ensure this is verified on a regular basis.
“Finally, if you haven’t already, integrate data from legacy systems to streamline compliance and reduce risks associated with managing legacy infrastructure.
“It will obviously take more than a few days, but as many of you know, regulators are always relieved when they see a mitigation plan in action and steps are being taken to ensure compliance. Seek help from outside experts if you have questions.”
What is critical and what is important
The discussion between the ICT third party and the financial organization must be constant, because both entities must adapt to the critical changes that must be made before the 17 January deadline. Commenting on the potential back and forth that could happen, Nathaniel Lalone, financial markets and law firm funding partners, Katten Muchin Rosenman LLP, says: “As with most major regulatory enforcement deadlines, we all seem to be rushing toward the finish line.


“DORA introduces very specific and prescriptive requirements and has many moving pieces, but we see two significant compliance challenges.
“First, in terms of updating contracts, there is a ‘battle of forms’ between financial entities, which want all their service providers to use their standard form of agreement, and service providers, who want all their financial entities to use their own standard form of agreement. The question is: who has stronger negotiating power and who blinked first?
“Second, the compliance burden will increase for service providers that support ‘critical or important’ functions, and there will be some push-and-pull between financial entities and their service providers over the appropriate criteria and process to be used in making that decision. This leaves the risk that some providers of a given service are designated by their financial entities as supporting ‘critical or important’ functions and are subject to increased obligations, while providers of almost the same service are not.
“It seems unfair and unclear how to resolve the differences in the rules as they stand now.
“In addition to these challenges, ongoing DORA obligations leave companies struggling to integrate compliance requirements and internal systems, while managing resourcing constraints.”
IT and beyond
While DORA places great emphasis on ICT teams and third parties, the regulation is not limited to them, and organizations must ensure that everyone across the board understands what they need to do. Exploring this point further, Helen Barge, senior risk and resilience consultant at Barnett Waddingham, the consultancy firm, said: “A key consideration in sustainability is ensuring that it remains an approach across the organisation.
“For some, there may be a perception that business continuity is limited to the IT team and not to the wider organization; but ensuring the strength of information security, and mitigating cyber risk, only works if everyone as a whole business is on board, including your supply chain, because no organization operates in isolation. Eliminating silos and ensuring a top-down approach to compliance reduces risk, and can be critical to ensuring that compliance continues.”
Impacts beyond traditional finance
While at first it is easy to think that DORA only applies to traditional financial services, it can also apply to other parts of the financial world, including crypto and proptech.


Commenting on its impact on crypto, Can Tanner, CPO, Bitpace, the crypto trading platform, said: “DORA, together with the recently introduced MICA guidelines, will also provide the strong regulatory framework needed to legitimize the asset class as a viable and reliable payment solution for businesses. At a time when many European businesses are facing operational challenges and high costs as a result of various geopolitical and macroeconomic factors, crypto offers them the critical alternative path they need to get past the barriers and continue to trade around the world.”


From a proptech point of view, JP Bowgen, principal of Camber Creek in the United States, the venture capital firm, added: “The aperture of what we define as real estate technology continues to expand, and we see that it overlaps with financial services and fintech. For current and future portfolio companies, DORA will be an important consideration in determining the viability of possible future expansion into Europe.
“For companies looking to scale up in Europe, understanding and responding to these requirements early can be a powerful competitive advantage. Failure to anticipate DORA’s requirements can create a significant last-minute hurdle for companies looking to expand in Europe, which could delay market entry or lose the trust of key partners and customers.”