Part 3. Getting in on the (Digital Operational Resilience) Act

My POV on Regulations, Regulators, and becoming more Operationally Resilient.

Overview

Industry observers are noticing a growing sense of urgency across Financial Services since the arrival of DORA, and it is building as the January 2025 application date draws closer.

Thankfully, some of the core drivers for the Act are already being tackled by FSI firms through their evaluation of their Operational Resilience and the strengthening of their security posture.

Systemic impacts on data centres and externally hosted applications, whether man-made or force majeure, have sharply raised threat levels in recent years. That is before counting the increasing sophistication of cyber-crime, ransomware, and hostile state actors with nefarious intentions.

Regulators are having to think and act differently about how financial entities achieve huge processing volumes and about the ever-increasing use of ICT Third-Party Service Providers.

One category of ICT Third-Party Service Provider that receives a lot of attention (especially in the media) is the Cloud Service Provider, particularly the Hyperscalers. This is not just the concentration risk of one firm putting all its metaphorical eggs in one basket, but the systemic concentration risk of too many eggs from too many FSIs in the same place. It is abundantly clear that the hyperscalers have implemented technological capabilities to minimise the impact should such risks materialise. However, the regulation puts the onus on FSIs to demonstrate that they can move provider unhindered if they choose to, for contractual reasons and not only technological ones.

There is so much to think about, and there is no one-size-fits-all approach to being compliant. Regulators, financial entities, and ICT Third-Party Service Providers won't have a comprehensively clear and proven view of what the new compliance benchmark might be, at least not straight away, although the foundation has been laid to go deeper through direct interaction with the critical subset of vendors and wider with the rest.

Within the scope of DORA, new reporting templates are being developed and the industry is being asked to share its opinion on the proposals. Getting unambiguous, easy-to-understand-and-use templates will pay dividends. There will be a temptation to over-engineer the templates so that the information gathered gives the Regulators rich and consistent detail. At the same time, those creating the reports will want their systems to automate as much as possible so that the manual effort stays proportionate to the reason for reporting. To my mind, this necessary formality has the potential to be a game changer.

In my time, I have worked with many Regulators in many jurisdictions. There tend to be a lot of questions, and every answer has the potential to spawn multiple additional queries. Whilst there is a preference to stick to the facts and only provide what's requested, the value often comes from the nuance. Ultimately, yes, the regulator has the ability to take recourse action, but keeping dialogue open, honest, and mutually helpful goes a long way to building trust ahead of those trickier conversations in the future.

Standards and templates aside, demonstrable observability will be key, and the onus for this will sit with financial entities, either to provide it directly or to gather it from their ICT Service Providers. They will require documentary evidence that they are following their processes to the letter, so that they can be proactive in communicating issues to Regulators. Sorry to say, nobody likes a regulatory surprise!

What the Act says

It's worth remembering that standard and consistent forms of reporting benefit all parties (FSIs, ICT Providers, Regulators, and even customers). The requirements of the Act now extend beyond the 'traditional' perimeter of financial institutions (e.g. credit institutions, payment and electronic money institutions, and investment firms) as new digital businesses and models continue to appear.

The Act itself (Regulation (EU) 2022/2554, Article 28(3)) states:

  • Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.
  • Financial entities shall make available to the competent authority, upon its request, the full register of information or, as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity.
  • Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.

There is nothing to fear in the above; it is standard operating procedure for Regulators and, for risk assessment, mostly standard practice for financial entities too. The difference will be the formality and the templates to be used. I have always tried to humanise this: after all, your regulator/supervisor has a duty to ensure the prudential running of the financial system. If something goes wrong on their watch, there will be repercussions for them too. It is always worth considering that perspective.

I liken the regulator's role to a 4th Line of Defence on top of the Three Lines of Defence model. Like External Auditors, they don't want to miss anything, and they have to challenge and probe to get all the information they need to make an assessment. Their involvement can enhance transparency, accountability, and confidence in the organisation's risk management efforts, and therefore the strength of the whole industry.

I have covered a lot here about standards, templates, and monitoring, but with DORA these competent authorities will also be looking for proof of risk management practice, risk assessment, testing, and proven recovery from both the FSI and its ICT Service Providers, with even more scrutiny of those designated as critical ICT third-party service providers.

Over the coming weeks and months, I predict that regulatory compliance officers and risk officers from FSIs will be in hot demand. Not just to help FSIs with their DORA compliance, but increasingly to help ICT Service Providers with their interpretation and compliance too. Knowing the way that the Regulators work, and operating at their level and to their agenda, will reduce friction and go a long way to helping everyone drive DORA compliance.

I've referenced my thoughts on Operational Resilience as a full-contact team sport in earlier blogs. So, in that vein, we could view Regulators as Video Assistant Referees (VAR). They are trying to ensure that everyone taking part is doing so within the rules of the game, without inconsistencies or even cheating! And, whilst not everyone loves VAR, they fundamentally make the game fairer!

But there is more to it, and perhaps a more apt sporting analogy for DORA and the Regulators would be Formula 1 racing. It is a high-speed, technical pursuit engaged in by elite teams with significant expertise behind the scenes, at the trackside, and driving the car itself. Keeping things safe and controlled are the race officials (the Regulators in a DORA context), who monitor and govern the whole race carefully to ensure everyone on the track is doing the right thing, and who even propose changes to the rules for future races.

Conclusion

By now, I hope you know that at VMware we are big proponents of good Operational Resilience. We have tools, products, services, and enterprise know-how to help you improve your Operational Resilience with DORA compliance in mind. I believe that if you embrace your compliance journey, you will be among the ones we don't get to read about in the news for all the wrong reasons.


Dare I ask… as a regulator, what are your thoughts here?

What 'by the way...' conversation would you be looking to have with me if I went back to the buy side? :-)

Whether you agree or not, I would love to hear your thoughts and perspective.



Ibrahim Kuyumcu

Molecular Geneticist | Fin & Tech Journalist | Quantum Syndicate Investment Trustee | Qiskit Baby

1 yr

Fascinating! Thank you very much for sharing!

Owen West-Bourne

Commercial Sales Manager at Dynatrace | UAE & Oman | APM & Observability

1 yr

Great article, Matthew, very interesting. I like the comparison to Formula One. There is enormous potential for marginal gains in operational resilience for critical services, with each 1% enhancement contributing significantly.

Richard Harrison

Managing Director at Xpertise Recruitment - Top to Bottom Technology, Data & Transformation recruitment

1 yr

Bump to my FS sector network. Great insights from Matt.

Quick question: with your statement "regulatory compliance officers and risk officers from FSI will be in hot demand", what are these people doing today that is a priority in their job? Will DORA take them away from current processes, or add to/burden what they do today?
