DORA – Navigating the EU’s Operational Resilience Landscape
The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025.
It aims to strengthen the IT security of financial entities such as banks, insurance companies and investment firms, and to make sure that the financial sector in Europe can stay resilient in the event of a severe operational disruption.
DORA harmonises the operational resilience rules for the financial sector: it applies to 20 different types of financial entities, and it also brings the ICT third-party service providers on which those entities depend within the scope of supervision.
We had an interview with Gina Wee, CIO at Crown Jewels Consultants (CJC), a leading market data consultancy and professional services provider which has recently achieved the "Cyber Essentials" certification. Cyber Essentials is a UK government-backed scheme to help organisations protect themselves against common cyber-attacks. The certification process covers a set of baseline technical controls: firewalls, secure configuration, user access control, malware protection, and patch management (security update management). Although it is a UK scheme and does not by itself constitute DORA compliance, Cyber Essentials is relevant to DORA, which aims to improve the digital operational resilience of financial institutions and their critical ICT providers and requires in-scope organisations to implement robust cyber security measures to safeguard against cyber threats and attacks.
How does DORA approach the issue of third-party dependencies and outsourcing within the digital sector?
DORA places obligations and requirements on third-party ICT providers, emphasizing their operational resilience and security. It encourages the engagement of third-party ICT providers with a robust risk management framework, tested business continuity plan and appropriate levels of operational resilience that benefits the end users. DORA puts the onus on financial institutions to manage their suppliers more diligently across their supply chains to enhance overall financial system stability.
By requiring cybersecurity and operational resilience provisions in contracts with third-party ICT providers, DORA compliance means security standards and practices are part of standard operations. These provisions can cover regular collaborative testing of incident management procedures and business continuity planning (BCP) between financial institutions and their third-party ICT providers.
From the perspective of regulatory authorities, DORA empowers regulators with enhanced oversight and enforcement capabilities to monitor compliance with third-party risk management requirements. As a service provider, CJC has already created an enhanced risk management framework and invested in a platform that integrated our information security management system (ISMS) with our risk management tool.
In addition, supplier compliance with CJC’s data protection, resilience, BCP and reporting standards is a mandatory requirement, and suppliers who are not transparent with their policies and procedures will not be considered.
To comply with DORA’s standards with adequate levels of service and support, CJC anticipates an increase in client agreement provisions relating to cybersecurity, data protection, incident response, and business continuity. Client vendor management teams have increasingly scrutinized CJC’s ability to demonstrate compliance and appropriate risk management, likely due to our status as a critical supplier of business service offerings. Subsequently, the scope and depth of CJC’s internal audits and reporting procedures were reviewed and improved.
As Chief Information Officer at CJC, how does your organization perceive the implications of DORA for its operations and services within the European Union? What steps is CJC taking to prepare for compliance with DORA requirements and ensure operational resilience in accordance with the new regulations?
We embraced the announcement of DORA, spurring us to complete a comprehensive review of CJC’s critical functions and improve them. New regulations in countries where CJC operates are a welcome reason to focus on our foundational tenets: infrastructure and access management, awareness training, supplier reviews, talent and capability resilience, internal audits, and testing (lots of testing!). To kick things off, we initiated a gap analysis and identified areas needing more work, primarily focusing on roles and infrastructure. The advent of DORA will tell us how well we have done with our operational investments and our commitment to proactively levelling up.
Our policies are reviewed regularly, but what we need to know as a second step is how well these policies are followed. This led to the creation of an internal auditing framework that reports to our Risk & Compliance team. Internal audits were conducted on CJC’s data, software, hardware, processes, logs and people, with changes made based on those findings. These audits were not a one-off effort but an ongoing necessity for information security and risk management. Subsequently, we appointed a DORA Risk Director who will focus on the implications of DORA while risk reviews are conducted.
Reviewing the roles and responsibilities of people in critical functions was key in identifying areas where further recruitment and training were necessary to increase skills or spread knowledge for operational resilience. CJC has the luxury of operating out of 4 global financial centres – Singapore, Hong Kong, New York City and London – and we want to ensure all of CJC’s critical services, internal and client-facing, can be independently provided from each office to fully maximise our strategic locations.
CJC has an ongoing push to automate tasks, which forces us to examine what we do and how. Automation improves reliability and resilience but there is a balance. We have to consider whether automation helps in a given scenario, or if it introduces too much risk of errors due to the complexity of the task. By automating as appropriate, manual workloads are being reduced, and CJC’s team members are gradually gaining more bandwidth to focus on value-added improvement projects.
Training was another area we wanted to expand on. CJC rolled out DORA training to all personnel globally to ensure a basic working knowledge of the regulation. People in roles that needed more specialised training (security, governance and business management) were enrolled on accredited courses operated by external providers. Even though CJC operates in multiple regions, we must all work seamlessly as a single global team so regardless of DORA’s scope, alignment across all regions is key.
Having implemented an infrastructure refresh over the last 18 months, CJC’s hardware and software were not areas for major changes. This meant the company was in a good position to invest more in CJC’s information security and cyber defence, increasing the resources in the SecOps team and expanding CJC’s InfoSec capabilities.
In addition, CJC’s IT team is increasing our infrastructure testing for the resiliency of CJC’s critical systems. There is more to do and I’m very grateful for the team’s positive mindset and CJC’s commitment.
Can you discuss any potential challenges or opportunities that DORA presents for digital service providers, particularly in terms of enhancing cybersecurity and mitigating operational risks?
It took a fair bit of investment in time and money to address gaps in our operational resiliency well before DORA, and to bring CJC’s security standards to a level where we were confident of providing our services robustly in an unpredictable landscape. The first challenge is the initial transformation program costs to ensure operational resiliency. Putting together a comprehensive plan with concrete outcomes helps make a compelling proposal to stakeholders to invest in these changes. It is more challenging if a company must forgo business opportunities while projects are in the implementation phase. Cybersecurity and operational resilience influence all aspects of a company, so an assessment’s scope could be company-wide. The larger the scope, the more the subsequent transformation program could cost.
Improving security posture requires changes in corporate culture, not just infrastructure, if a security-minded culture is lacking. Changing how people work (processes, devices, access, etc.) and their perspective on cyber defence requires empathy and communication. We try to minimise disruption, but it is unavoidable, and a comprehensive communication plan is a mandatory workstream in all our projects – we want our colleagues to understand why decisions were made. People generally dislike having their access limited or increased monitoring of data movements. Ultimately, making changes for a stronger cybersecurity posture is a good opportunity, no matter the challenges.
For Digital Service Providers (DSPs) who rely on third-party vendors, extending the scope of compliance checks and risk management to the vendors is challenging. Even if the vendor and DSP both use the same security framework, differences in standards and policies are commonplace. We face similar challenges when re-negotiating agreements with vendors to ensure CJC’s standards are met. This becomes even more complex if a company leverages multiple vendors in different countries. At CJC, we have re-prioritised vendor requirements, placing more importance on their operational resilience and cyber security profiles. That is a DORA-initiated opportunity for increasing competitive advantage for DSPs who take the onset of this regulation as a stimulus to improve these areas.
Also, increasing the scope and frequency of testing CJC’s infrastructure by external parties was challenging. We had to invest time and money, and dealt with false alarms and other disruptions in our daily work. Then came the improvement projects stemming from the results, which required additional resources. However, the independent expert’s thorough check-up was an opportunity to learn and improve.
What role do you see DORA playing in fostering greater collaboration and information-sharing among digital service providers and regulatory authorities to mitigate cyber threats and operational risks?
An effective way to learn is from the experience and knowledge of others, and DORA is undoubtedly a catalyst for collaboration and information-sharing. Cyber threats are generally industry-agnostic, so sharing information between companies and industries has great value. For example, CJC is collaborating with its partners at a higher level than before. What started as a necessity has continued due to the tangible benefits that emerged, like improvements in our cyber security response playbooks.
Through closer collaborations and greater inter-organisation transparency, security incident management and data protection policies could become more standardised. We have also found that increased collaboration with our partners enhances trust and improves the overall business relationship.
Lastly, what advice would you offer to other digital service providers navigating the implementation of DORA and striving to enhance their operational resilience in compliance with the new regulations?
Sticking to the basics and running it like other transformation programs worked for us. It’s helpful to get a good understanding of the requirements and company obligations. A mistake we made in the early stage of the program was defining the scope too narrowly, and we had to re-assess the requirements.
After defining the scope and requirements, we conducted a gap analysis and risk assessment. With these reports, we engaged senior stakeholders to agree on an implementation plan that tackles the high-priority risks first. I find it easier to budget and maintain collective focus by breaking programs down into phases. Each phase could be a series of projects. Once completed, we allow a 3-6 month adjustment period before conducting another review of CJC’s operational resilience. Scenario testing was an effective way to understand the resilience of our operations during the reviews. The results of the reviews informed us of what we need to prioritise and improve next.
We also invested in technologies to help our internal teams collaborate on areas like our ISMS and service offerings. While this can be expensive, we saw long-term benefits in areas like reduced errors and less time spent in meetings, so it’s a route we will continue pursuing.
The DORA Risk Director I mentioned earlier helps maintain focus on DORA’s requirements as changes are made across the business. Though this is not a mandatory requirement by DORA, we find this role very useful.
When planning and implementing changes, we found it helpful to consider the impact of the changes on our colleagues. We spoke with teams to learn about the potential impacts before deciding on final solutions. Where feasible, we also conducted customised training for teams before major changes went live. Communicating regularly with ample preparation helped us navigate the changes together.