Receive the latest insights, news and more direct to your inbox.
The pandemic epitomised the saying that “there are decades where nothing happens; and there are weeks where decades happen.” This is particularly true for the world of financial services, where the shift to digital payments spiked from 2020 onwards.
For example, the volume of cheque usage has halved since 2019 according to Banking and Payments Federation Ireland. In contrast, around €24 billion was spent using contactless payments and digital wallet services such as Apple Pay.
Considering the first mobile banking apps in Ireland were only launched in the early 2010s, the changes we have witnessed in day-to-day banking in such a short space of time are nothing short of phenomenal.
Digital now plays a fundamental role in financial services, but as the events of the Crowdstrike outage show, society’s reliance on the online world carries substantial risks when things go wrong.
In this regard, the impending introduction of new EU legislation – the Digital Operational Resilience Act (DORA) – on 17 January 2025, which is designed to strengthen the operational resilience of financial entities operating in the European Union, could not be better timed.
The legislation covers a range of financial services organisations including traditional and digital banks, e-money and payment institutions, insurance and reinsurance, asset managers, credit institutions and private equity houses.
Operational resilience has been at the forefront of regulators’ agendas for the past few years, with the Central Bank of Ireland introducing guidelines that took effect last December. However, DORA is far more ambitious in its scope.
The key step change is that DORA will transform ICT-risk management from a reactive process to a proactive one. It contains specific requirements for how firms should identify, react, report and classify major ICT-related incidents. Firms will be required to develop and implement regular risk assessments, mitigation strategies, incident response plans and processes for raising risk awareness throughout their organisation.
Another crucial aspect of the legislation is that it also covers key third-party providers who financial institutions rely on to deliver their services. As the recent Crowdstrike incident showed, companies are increasingly dependent on the services of third parties, such as cloud services and SaaS providers.
Third parties are part of the essential foundation pillars to deliver digital offerings, but this carries risks for the organisations that depend on them. The majority of people did not know who Crowdstrike were before July, but now the company is a household name for all the wrong reasons.
These third parties will now be required as part of DORA to adhere to rigorous responsibilities with regard to how they manage potential IT vulnerabilities. Financial institutions will also be accountable for detailing the oversight and management process of these critical third-party providers within their own ICT risk management frameworks and conducting their own due diligence so that they can be assured that they can rely on their services.
The increased emphasis that the EU is placing on good governance is highly evident in DORA, with senior management and boards having to ensure that they have robust risk-management frameworks in place to deal with a range of digital threats.
Passing the buck to the IT department will no longer cut the mustard, with firms that violate DORA’s requirements facing fines of up to two percent of their total annual worldwide turnover, and individuals looking at financial penalties of up €1,000,000.
Third-party providers that fall under the legislation also risk fines for noncompliance, with penalties of up to €5,000,000 for organisations and €500,000 for individuals.
So where do financial institutions begin in terms of being prepared for DORA? It can be a daunting task with approximately 650 requirements across levels one and two alone as set out under the legislation. The solution therefore is to get a firm grasp of where the gaps are by conducting a scoping exercise and gap assessment that will provide a robust platform to progress from.
Following this, a remediation plan that includes tactical actions with owners, activities and timeframes is required. Then a governance structure and delivery-focused model, that aligns with the five pillars of DORA, which covers everything from an ICT risk management framework to digital operational resilience testing is required.
Even with these steps complete, financial institutions cannot rest on their laurels as a robust training programme is required for internal stakeholders to ensure a strong level of compliance. Regular threat-led penetration testing will also be necessary from 2025 onwards in order for organisations to ensure they are protecting themselves from future risks.
DORA focuses a lot on third-party due diligence, but thankfully companies that have mature and robust third-party management processes already will benefit from that structure already being in place. The key difference as previously outlined, however, is that the legislation shifts ICT risk management from being a reactive process to a proactive one.
This means that relationships with third parties are suddenly going to become far more intense for financial institutions, which will have to invest time and resources to make sure they do not run the risk of falling foul of DORA.
For example, due diligence is now a far more expansive process because all of a third party’s processes need to be examined before you can procure and onboard them. Many organisations may not conduct another round of due diligence until a contract renewal, but now, a change in how they deliver a service, i.e. sending data to a warehouse outside the EU, could impact them.
Given the breadth in scope of the Digital Operational Resilience Act and the rigour required in terms of ongoing compliance with the legislation, a significant lift is required for all financial institutions.
This investment is warranted, however, as the recent outage caused by Crowdstrike goes to show. If your ICT lets you down and you cannot deliver your services, you run the risk of losing customers who will move to a more reliable competitor. Considering the key societal role that financial institutions play in our everyday lives, it is only right that they are held to a higher standard given the faith we place in them.
