Malta: The Digital Operational Resilience Act - Dr Ian Gauci
Introduction
The Digital Operational Resilience Act (“DORA”) and the Network and Information Security Directive 2 (“NIS2”) are two new pieces of European legislation which, alongside the Cybersecurity Act and the upcoming Cyber Resilience Act, will substantially reshape the cybersecurity and resilience obligations of the financial services industry.
DORA has the potential to change the financial services industry because it will compel licensed entities and their management, who retain ultimate responsibility, to fully comprehend how their ICT systems function in terms of:
- Operational resilience;
- The impact of their ICT third-party risk management practices on the resilience of their critical functions; and
- The development of operational resilience capabilities, which for certain entities also includes advanced testing in the form of threat-led penetration testing (“TLPT”).
DORA entered into force on the 16th of January 2023 and applies to the respective financial entities from the 17th of January 2025, i.e. 24 months from that date. Financial entities therefore have a short implementation period in which to ensure they are compliant with DORA, during which they should also remain vigilant and follow the Regulatory Technical Standards (“RTS”) that are being adopted under the Act.
Before delving into some of the most salient points, it must be stressed that DORA is more than simply the first harmonised operational resilience obligation in the financial services sector. Similar to the General Data Protection Regulation (“GDPR”), DORA introduces greater accountability together with an outcome-based approach to regulation. It also places more responsibility on the senior management and board of directors of the organisation, as it requires management to assume that severe disruptions are unavoidable while simultaneously incentivising them to build a higher level of resilience to such disruptions into the operating model of their most important services or functions.
What is DORA and what does it capture?
DORA forms part of the EU’s ‘Digital Finance Package’ and it aims to develop a holistic European approach to digital finance that fosters technological development and ensures financial stability and consumer protection. The Act seeks to align national rules with operational resilience and cybersecurity regulation across the EU by establishing uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector, which include:
- Credit institutions
- Crypto-asset service providers
- Trade repositories
- Insurance, reinsurance and ancillary insurance intermediaries
- Administrators of critical benchmarks
- Payment institutions
- Central securities depositories
- Managers of alternative investment funds and management companies
- Institutions for occupational retirement provision
- Crowdfunding service providers
- Electronic money institutions
- Central counterparties
- Data reporting service providers
- Credit rating agencies
- Investment firms
- Trading venues
- Insurance and reinsurance undertakings
- Statutory auditors and audit firms (not included in the scope of the final text; Article 58(3) of DORA instead requires the Commission to report on whether strengthened digital operational resilience requirements should be extended to them)
DORA also brings Critical ICT Third-Party Service Providers, i.e. providers of ICT services such as cloud platforms and payment gateways to financial entities, within its regulatory capture pursuant to a newly established Oversight Framework.
ICT RISK MANAGEMENT
In addition, DORA covers the following areas of ICT risk management:
- Risk management: the setup and maintenance of resilient ICT systems and tools to identify and minimise ICT risk on a continuous basis, the setting up of protection and prevention measures, and the establishment of dedicated, comprehensive business continuity policies and disaster recovery plans.
- Incident reporting: the establishment and implementation of management processes that monitor, classify and report major ICT-related incidents to the competent authority within the prescribed deadlines. This also includes informing clients, and where applicable counterparts, of major ICT-related incidents that affect their financial interests and of significant cyber threats.
- Digital operational resilience testing and testing of the operational resilience of capabilities/functions included in the ICT risk management framework which would include:
- Gap analyses;
- Vulnerability assessments;
- Scenario-based tests;
- Compatibility testing;
- Performance testing and source code reviews of software solutions;
- Penetration testing; and
- Network and physical security reviews to identify weaknesses, gaps, or shortcomings.
- ICT third-party risk: periodic assessment, monitoring and documentation of ICT third-party risk, which covers, among other things, a coherent outsourcing policy and a review of ICT third-party contracts.
Accountability and Outcome based Approach
Compliance will undoubtedly require a shift in the mindset of the management and board of directors of financial institutions, as they must be prepared for broader responsibilities and liabilities, as well as strategic implications, once DORA applies in full.
DORA shifts current regulatory practice away from a ‘pure ex-post enforcement approach’ based solely on deterrence, towards an ‘outcome-based approach’ that stems from both organisational responsibility and accountability. The idea of requiring companies to have internal compliance and accountability programmes largely began in the U.S., where, from the late 1970s, enforcement agencies were given the ability to lower fines for organisations that had compliance mechanisms in place. The approach has also been embraced by enforcement authorities outside the U.S., such as the Australian Competition & Consumer Commission’s compliance objectives and France’s anti-corruption agency, which promotes good practices that include elements of accountability which, in case of infringement, may be taken into consideration. The UK also adopted this approach through its Bribery Act guidance notes, which include principles aligned with organisational accountability, as did European regulations such as the GDPR. The latter, aside from accountability, also embraces the ‘outcome-based approach’, as seen in Article 83(2), which specifically directs the supervisory authority to consider certain accountability measures when deciding whether to impose an administrative fine and when deciding on its amount.
To a certain extent, Article 51 of DORA covers some of the same criteria as Article 83(2) of the GDPR, as it states that:
Art 51(2): Competent authorities, when determining the type and level of an administrative penalty or remedial measure to be imposed under Article 50, shall take into account the extent to which the breach is intentional or results from negligence, and all other relevant circumstances, including the following, where appropriate:
(a) the materiality, gravity and the duration of the breach;
(b) the degree of responsibility of the natural or legal person responsible for the breach;
(c) the financial strength of the responsible natural or legal person;
(d) the importance of profits gained or losses avoided by the responsible natural or legal person, insofar as they can be determined;
(e) the losses for third parties caused by the breach, insofar as they can be determined;
(f) the level of cooperation of the responsible natural or legal person with the competent authority, without prejudice to the need to ensure disgorgement of profits gained or losses avoided by that natural or legal person;
(g) previous breaches by the responsible natural or legal person.
The principle of accountability under the Act is also coupled with direct responsibility. According to DORA, the management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework, and the entity must assign the management and oversight of ICT risk to a control function with an appropriate level of independence. The management body bears the ultimate responsibility for managing the entity’s ICT risk.
The approach taken by management bodies should not only focus on the means of ensuring the resilience of the ICT systems, but should also cover people and processes through a set of policies which cultivate, at each corporate layer and for all staff members, a strong sense of awareness of cyber risks and a commitment to strict ‘cyber hygiene’ at all levels. The same management body must also have a specific plan, and make the required investments, to actively maintain sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate with the ICT risk being managed.
Financial entities shall also ensure an appropriate level of independence of that control function in order to avoid conflicts of interest, and shall ensure appropriate segregation and independence of the ICT risk management function, the control functions and the internal audit function. Management bodies are required to maintain a pivotal and active role in steering and adapting the ICT risk management framework and the overall digital operational resilience strategy.
Where DORA affords an exemption in the form of a simplified ICT risk management framework, financial entities are still obliged to minimise the impact of ICT risk and to have an ICT risk management policy, amongst other requirements. DORA also moves towards a reality where the organisations and operators within its regulatory capture will be required to carry out business impact analyses so that ICT incidents can be anticipated, contained and limited.
The principle of the management body’s ultimate responsibility for the management of the financial entity’s ICT risk goes hand-in-hand with the requirement to secure a level of ICT-related investment, and an overall budget, that enables the entity to achieve a high level of digital operational resilience. This obligation is not to be taken lightly. For the purposes of implementation, a financial entity will be required to integrate digital operational resilience as a key driver of its main business functions and of the decisions shaping its operating model. This means that both directors and management need to understand the technology, the business and the risks affecting the resilience capabilities and ICT risks related to the business. In addition, they must assess these risks pre-emptively, create a model for assessing the required investment in resilience capabilities, and be able to articulate how these investments (or the lack thereof) address impending ICT risks, while remaining extremely vigilant as to how the competent authorities might interpret the efficacy and proportionality principles under the Act.
Conclusion
DORA will force financial institutions and their management to treat ICT-related risk as a dynamic part of their existence, one they must do their utmost to mitigate and reduce throughout their operations as reasonable and prudent operators. As an ‘outcome-based’ regulation, the Act not only imposes specific obligations and processes (a rule-based approach), but also focuses on principles and on the results which the legislator aims to achieve and amplify (for example through the RTS), with the ultimate focus being the safety of the financial services industry, its members and its users, and the prevention and mitigation of cyber threats.
One could go as far as saying that it is foundational in nature in the financial services realm, as it will transform business practices as well as the ICT compliance and risk mitigation cultures of the industry. The transition for some financial institutions will not be clear cut.
***