Preparing for DORA step 4 - Planning and Testing Operational Resilience and Service Continuity

As discussed in a previous post, there are five key parts to the DORA regulations that both European regulated financial service firms and those that supply them with services must comply with:

i. ICT risk management frameworks.
ii. ICT-related incident reporting.
iii. Digital operational resilience testing.
iv. ICT third-party risk.
v. Information sharing.

This post is the fourth of five, each setting out one of the five key steps that need to be taken to prepare for DORA compliance.

What is the DORA requirement for Operational Resilience Planning and Testing?

DORA places specific requirements on planning and testing for resilience and on the assurance of service continuity plans. It requires clear monitoring of ICT third-party risk.

Firms will need to review and assess their response and recovery strategies to align them with the regulations. An early gap analysis will identify gaps in the crisis management framework and in continuity and resilience planning against the regulatory requirements, so that they can be rectified. Most firms will already have policies and procedures in place in these areas; however, the regulations require firms to focus on the resilient provision of their key services to customers, covering the entire end-to-end service provision.

DORA places a specific requirement on firms to ensure frequent review of, and assurance through testing of, this crisis management and resilience framework. The testing must prove the firm's ability to maintain service in the event of a threat materialising, and prove that the crisis management frameworks are effective. Firms will need to review their testing policies and methodologies and consider enhancing the related procedures and tools to reach compliance.

One piece of good news is that the standardisation of requirements for planning and testing for resilience aims to reduce the complexity and compliance cost for financial entities, notably where they have a presence in multiple EU jurisdictions, and may ultimately save some costs.

What are the DORA requirements for Cyber Penetration Testing?

The regulations specifically require firms to undertake regular Threat-Led Penetration Testing (TLPT). Most firms will want to engage with, and have the assurance of, third-party specialist providers to lead this kind of testing effort.

Threat-Led Penetration Testing is not a new requirement; it has already been enshrined in previous EU regulations by many of the regional regulators, notably around financial service infrastructures. The requirements build on previous standards encouraged by the European Central Bank (ECB). DORA expands the requirement to apply to a wider set of entities and brings a more harmonised EU approach and set of standards.

Look out for our final publication about engaging third-party providers – another of the five key areas of DORA.

At Shapes First we work with firms so that they have the tools they need to manage their operational resilience in a commercially sensible way while complying with their regulatory obligations at all times. We have already supported firms with the implementation of the regulations that came before DORA, and we work with a partner firm to deliver process and resource mapping via a platform that enables firms to derive business benefit from the information captured. This includes using the mapping tool during scenario exercises and as part of incident management. If you would like to hear more about what we can do to help you implement DORA, please get in touch at info@shapesfirst.com.
