The European Commission (EU) is taking bold and definitive steps to ensure the resiliency of its critical financial systems in the face of increased cybersecurity risk.
The European Commission has published a regulation on Digital Operational Resilience Act (DORA) in the EU financial services sector. DORA aims to ensure that all key participants in the financial system have the necessary safeguards to mitigate cyber-attacks and other risks. In addition, the act is intended to consolidate and upgrade Information and Communications Technology (ICT) risk requirements, ensuring all participants of the financial system are subject to a common set of mitigation ICT risk standards.
The act, which comes into effect in January 2025, will require firms to ensure they can withstand various ICT-related disruptions and threats. DORA provides an oversight framework for financial institutions and critical third-party providers, such as Cloud Service Providers (CSPs) like SS&C Advent. As part of DORA, CSPs are mandated to implement processes and procedures related to the following five objectives:
- Risk Management Framework
- Incident Reporting
- Resiliency Testing
- Third-party Risk Management
- Information Sharing
The goal of DORA is to ensure the financial sector can operate in a secure and uninterrupted manner. Accordingly, the act has the following five primary requirements:
- Companies must have an incident response plan that includes a detailed description of what constitutes a cyberattack, how employees should respond, and how operations will be restored if there is a security breach.
- Companies must maintain a cybersecurity program that includes an assessment of the risks posed by cyberattacks and a mitigation plan.
- Companies must maintain appropriate security controls over their digital infrastructure. These controls include encryption, authentication, access controls, audit trails, monitoring systems, event management systems, and incident response plans.
- Companies must report incidents when they occur so that regulators can assess their vulnerabilities and make recommendations for improving their security posture.
- Companies should have a plan to ensure continuity of service during any disruptions.
EU Financial Regulatory authorities will be responsible for auditing a company’s controls and reporting to determine whether the supplier’s security policy and practices follow DORA-specified standards and whether they can provide a secure, resilient environment for handling financial data.
Before U.S.-based firms dismiss this as something happening across the pond, it’s worth pointing out that the SEC has introduced three new proposals since the beginning of the year that draw some strong parallels to the objectives of the EU legislation.
SS&C Advent is closely following DORA’s progress. Now that the legislation has been adopted and finalized, we have begun ensuring our compliance by the end of 2024. Our Security, Compliance, and Audit teams are committed to the security and resiliency of our products and services in this dynamic digital landscape.
Download the full DORA regulation: https://data.consilium.europa.eu/doc/document/PE-41-2022-INIT/en/pdf