The European Supervisory Authorities (ESAs) closed their consultation on the technical standards underpinning the Digital Operational Resilience Act (DORA) in September. The ESAs will now evaluate the feedback received and are expected to release a Final Report along with the submission of the draft Regulatory Technical Standards (RTS) to the European Commission by January 17, 2024.
DORA represents one of the most significant legislative frameworks for the European financial sector, aimed at mandating both cyber security and operational resilience standards for financial institutions and their key suppliers.
DORA addresses an important problem in the EU financial services industry, by acknowledging that IT incidents and a lack of operational resilience could jeopardise the stability of the financial system.
At NCC Group, we closely follow regulatory developments, such as DORA, collaborating with the regulators and supporting customers operating across critical infrastructure sectors.
Wayne Scott, Regulatory Compliance Solutions Lead, takes us through the submission to the consultation and the changes that should be made to ensure comprehensive technical standards:
One of the key highlights of the consultation paper is Article 16 (8), which mandates financial institutions and their key suppliers to "implement controls to protect the integrity of the source code of ICT systems that are developed in-house or by an ICT third-party service provider." This provision acknowledges the importance of securing source code, and of knowing how to use it, in an era where digital assets are integral to financial operations.
However, the Regulatory Technical Standards (RTS) must offer greater clarity on the types of controls required. Such specificity would ensure genuine compliance with the regulation and a consistent standard of protection.
One of the controls that must not be overlooked is software escrow, which involves depositing source code with an independent third party. Software escrow is widely used in the financial services sector to provide essential safeguards in the event of a supplier failure that could hinder contractual enforcement.
Article 27 (2) of the consultation paper comprehensively addresses various risks that ICT businesses must incorporate into continuity plans. At NCC Group, we recognise the importance of addressing concentration risk within the technology supply chain. Concentration risk refers to the increased level of risk when an institution relies on a single source for its business-critical services instead of diversifying its sources. While acknowledging that pan-European regulation may manage concentration risk at a higher level, our response emphasises the importance of financial entities understanding and accounting for it when scenario planning.
There is also a vital need for financial entities to recognise interconnected risks between scenarios, where one incident sets off a chain reaction of failures and risks. For instance, a significant cyber breach could lead to a third-party supplier's failure, which in turn may put the critical functions of a financial services business at risk. Although industry-wide tabletop exercises take place to consider major risks like cyber incidents, they should also encompass interconnected risks like supplier failure and service deterioration to ensure a comprehensive approach to preparing for these scenarios.
Escrow solutions and verification testing are becoming an integral part of financial institutions' risk management and control strategies, often at the behest of global authorities. This shift is a response to the complex nature of assessing a supplier's risk profile, with escrow providing an all-encompassing solution.
Escrow agreements and verification services function as a type of technical insurance policy and business continuity strategy. Escrow is a tried and tested preventive, corrective, and detective control to reduce the ramifications of supplier failure, service deterioration, and concentration risk. Escrow solutions safeguard the long-term availability of business-critical technologies and applications while protecting intellectual property. These agreements serve several key functions, including:
Escrow agreements are technology-neutral, making them suitable for safeguarding any business-critical software or technology with a third party. This approach aligns with the trend of financial authorities worldwide, which increasingly promote escrow agreements as a core component of third-party risk management (TPRM) frameworks.
The ESAs should strengthen the Regulatory Technical Standards by requiring the development of "stressed" exit plans. A stressed exit refers to terminating a contract because of the failure or insolvency of the service provider, making it far less predictable than a non-stressed exit driven by commercial or strategic reasons.
Stressed exit strategies are vital components of business continuity plans, ensuring an entity's continued provision of critical services and mitigating the impact of disruption on the entity, its customers, and the broader financial market.
Various financial regulators, such as the UK's Prudential Regulation Authority (PRA), already require financial institutions to develop stressed exit plans, and the ESAs should follow suit.
The ESAs' consultation paper highlights the critical need for robust regulatory measures to bolster the digital operational resilience of the financial sector. Our proposed changes, ranging from supply chain risk regulation to the promotion of escrow agreements and stressed exit plans, support these aims, to protect the industry against potential disruptions and uncertainties, and ultimately safeguard financial stability.