In response to increasing numbers of cyber-attacks testing the resilience of the European financial system, the European Union (EU) Parliament passed legislation in 2022 to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms. The Digital Operational Resilience Act (DORA) is designed to ensure that the European financial sector is able to maintain resilience during severe operational disruptions.
DORA creates a regulatory framework for digital operational resilience in the financial sector whereby all firms must confirm that they can withstand, respond to, and recover from a wide range of ICT disruptions and cyber threats. The Act sets uniform requirements for the security of network and information systems. Chapter V spells out requirements for critical third parties that provide information and communication technology (ICT) services, such as cloud platforms or data analytics services, to the financial services industry.
This post examines key DORA articles related to third parties and identifies best practice capabilities that can be used to address DORA Chapter V requirements.
The DORA Third-Party Compliance Checklist
This comprehensive checklist examines key articles in DORA Chapter V: Managing of ICT Third-Party Risk and provides guidance for meeting the requirements.
DORA Chapter V reviews the required controls and processes in Section I and the oversight mechanisms for a regulatory regime in Section II.
Section I: Key Principles for a Sound Management of ICT Third-Party Risk aims to ensure that financial entities appropriately manage and mitigate risks stemming from their use of ICT services provided by third parties. A summary of these requirements is included below.
Financial entities are required to assess risks related to ICT third-party providers. This includes evaluating potential operational risks, concentration risks, and systemic risks. Organizations must take into account the criticality of the services provided. The degree of risk management and oversight is expected to be proportional to the criticality and potential impact of the third-party ICT service on the financial entity. This is known as the Proportionality Principle.
Financial entities must conduct comprehensive due diligence before entering into contracts with third-party ICT service providers. This assessment should include the provider’s ability to deliver services reliably, securely, and in line with regulatory expectations. After the contract is signed, continuous monitoring is required to ensure that third-party providers maintain the expected level of operational resilience, including their compliance with security standards.
Contracts between financial entities and third-party ICT service providers must include detailed provisions on risk management, ensuring the provider’s accountability in mitigating risks and providing operational continuity. Contracts should also include clauses on termination rights, allowing the financial entity to exit the relationship if the third party fails to comply with regulatory or operational resilience requirements. Financial entities must have documented and rehearsed exit strategies for critical ICT services, enabling them to maintain operational resilience if a key service provider is no longer available.
Financial entities must monitor concentration risks related to ICT third-party providers, especially when only a few providers dominate the market. Organizations must develop contingency plans to address potential disruptions caused by such concentration. To mitigate concentration risks, entities are encouraged to diversify their ICT service providers wherever possible.
Financial entities must maintain a register of all ICT third-party providers and services, which includes details about the contracts, criticality of the services, and risk assessments. This register must be regularly updated and made available for regulatory reviews.
DORA requires financial entities to test their ICT third-party providers’ operational resilience capabilities. This involves conducting simulations or stress tests to assess how well the third party would handle a major disruption or cyberattack.
If a third-party ICT provider subcontracts parts of the service, the financial entity must ensure that the subcontractor is also subject to the same standards of due diligence, monitoring, and risk management.
Financial entities are encouraged to analyze different third-party risk scenarios, such as cyberattacks or large-scale outages, and develop recovery and contingency plans for such events.
Section II: Oversight Framework of Critical ICT Third-Party Service Providers establishes rules and requirements regarding the supervision and regulatory oversight of critical ICT third-party service providers (CTPPs). It includes the appointment of a Lead Overseer to supervise the provider’s risk management and resilience practices, authority to conduct inspections and resilience testing, and requirements for reporting incidents and corrective measures.
DORA introduces direct oversight mechanisms for critical ICT third-party providers, requiring them to comply with additional reporting and operational resilience standards. The goal is to ensure that these critical ICT providers uphold high standards of operational resilience and contribute to the overall stability of the financial system.
Chapter V, Section I, Articles 28-30 of the Digital Operational Resilience Act (DORA) establish several requirements aimed at ensuring that financial entities appropriately manage and mitigate risks stemming from their use of information and communication technology (ICT) services provided by third parties. These are the practices that TPRM professionals would need to implement to meet the regulatory oversight requirements in Section II.
However, it is impossible to adequately assess, continuously monitor, and manage third-party adherence to DORA requirements using manual, spreadsheet-based risk assessment methods. Prevalent can help.
The Prevalent Third-Party Risk Management (TPRM) Platform is a central, automated solution for assessing, monitoring, and managing third-party service provider risk in concert with your broader cybersecurity and enterprise risk management program. With Prevalent, your team can:
For more on how Prevalent can simplify DORA third-party risk management compliance, download our complete DORA Third-Party Risk Management checklist or request a demonstration today.