Preparing for DORA - Lessons on Financial Resilience from the Recent IT Outage
Coopman Search and Selection | B Corp?
A purpose-led, international, specialist financial services recruitment firm that thinks, acts & delivers differently.
With firms preparing for DORA (the Digital Operational Resilience Act) to officially take effect in January 2025, the recent CrowdStrike outage, which was caused by a faulty software update and crashed millions of IT systems across various industries, highlights the importance of preparedness and resilience for financial services firms. DORA aims to enhance industry resilience against ICT disruptions, including cyber threats and software malfunctions. The act will apply to financial services firms, including credit institutions, EMIs, investment managers, insurance companies, AIFMs, VASPs, and others, as well as to third-party ICT providers, such as software providers, data analytics providers, and data centres.
It covers five main pillars:
Looking at the CrowdStrike incident, firms that are compliant with the new DORA regulations would have been better equipped to handle the outage effectively, due to their robust frameworks and proactive risk management strategies. With stricter oversight of third-party risk management, thorough testing protocols for software updates, and well-developed disaster recovery and incident response plans, these firms could have mitigated or even prevented the major disruption.
From our conversations with risk professionals, we’ve found that many firms believe they are well-resourced and nearly ready for the new regulations to take effect. However, this has increased the workload for both Junior and Mid-Senior Risk professionals, who often juggle operational resilience duties alongside their regular risk responsibilities or are focused solely on resilience at the expense of their day-to-day risk duties. Additionally, there are concerns that maintaining and overseeing these frameworks could become problematic in the future, as there has not been sufficient buy-in for building out specialised teams.
Advice to Clients
It is crucial for firms to recognise the value of the DORA regulations and the potential benefits of compliance. Resources should be effectively allocated and, if necessary, enhanced to meet the requirements. Implementing the frameworks is just the beginning; ongoing oversight and monitoring are key to success. The increased accountability that the regulations bring will help ensure long-term resilience and effectiveness. Preparing for DORA is not a ‘quick-fix’ but a long-term commitment to continuous improvement and future-proofing your operations.
If you require guidance regarding your ongoing resource planning and addressing the ongoing demands, please get in touch with Consultant, Eoin Hurley, at [email protected] or at +353 86-067-6377.