Preparing for DORA Step 5 - Engaging Third Party Providers to Ensure Compliance & Information Sharing

As discussed in a previous post, there are five key parts to the DORA regulations that both European regulated financial service firms and those that supply them with services must comply with. We set out five areas for firms to focus on to prepare for the new regulatory regime:

i. ICT risk management frameworks.

ii. ICT-related incident reporting.

iii. Digital operational resilience testing.

iv. ICT third-party risk.

v. Information sharing.

This post is the last of five that set out the key steps that need to be taken to prepare for DORA compliance.

What is the impact of DORA on Third Party Service Providers?

Compliance with the DORA regime does not only apply to regulated firms. All suppliers that provide a critical service underpinning a regulated digital service offering are also caught in the scope of the regulations. This component of the preparation may therefore be the most challenging to implement: many of these providers will never have faced regulatory scrutiny and the related disciplines before.

Service providers, notably cloud service providers, will be forced to comply with the regulations and to deal directly with the regulator where they are deemed critical. Criticality will be determined on:

  • Substitutability: whether there is a high dependence on the service and, in the event of disruption, no alternative equivalent service is available (and, by implication, already tested).

  • Scale: whether a significant number of financial service entities rely on the service.

Firms deemed critical will face direct oversight by the financial regulators and be required to specifically comply with the resilience and reporting regulations, with fines for non-compliance.

Even if a third-party service provider that is not itself financially regulated is not on the critical list, the outsourcing firm will still be obliged to ensure that the regulations are met, and the supplier will correspondingly be obliged to meet them.

What are the requirements of DORA on Third Party Service Provision?

Regulated financial firms will be required to understand their service landscape; we have already recommended accurate mapping of the services in a previous post. Armed with this mapping information, the financial service firm will be required to demonstrate that the suppliers in its service chain, underpinning its business services to customers, are also meeting the DORA requirements.

Firms will need to assess their supply chain to ensure that the third parties are:

a. Implementing appropriate risk frameworks and managing operational and resilience risk.

b. Managing, monitoring and reporting operational threats and incidents.

c. Mapping their own service dependencies and applying equivalent diligence to their own third-party supply chain, so that the end-to-end service is assured.

d. Planning and testing their service operational resilience and continuity in realistic stress scenarios.

Contractual frameworks for outsourced services will need to be reviewed and adapted to meet these requirements. Procurement processes in financial firms must be tightened to ensure that the right contractual conditions are applied to suppliers aligned to the regulations. As a consequence, supplier firms will need to evidence under the contract through appropriate information and reporting that they are meeting (a) to (d) listed above.

Financial service firms and their suppliers will need to work together to ensure the appropriate exchange of information on risks and threats, and to co-operate in preparing for disruption with appropriate plans and testing, including the handling of communications in the event of service disruption or data breaches.

See also our blogs on "Third Party and Outsourcing – The Perfect Storm" and "The oversight of critical third parties".

Information Sharing – is this a good idea?

DORA allows, but does not mandate, financial entities to exchange and share information and intelligence about cyber threats, including experiences of compromise and the tactics, tools, techniques and procedures involved.

Such information has often not been shared in the past. Voluntary sharing seems a positive approach to enhancing protection and resilience across the industry, but it would need to take place in trusted environments and in full respect of EU data protection rules.

This post completes our series on what firms can do to prepare for DORA compliance.

At Shapes First we work with firms so that they have the tools they need to manage their operational resilience in a commercially sensible way while all the time complying with their regulatory obligations. If you would like to hear more about what we can do to help you to implement DORA, please get in touch at info@shapesfirst.com
