Understanding the Fifth Chapter of DORA

The Digital Operational Resilience Act (DORA), introduced by the European Union, is a critical piece of legislation designed to strengthen the operational resilience of financial entities in the face of growing digital threats. Within this framework, Chapter 5 stands out as a key component, focusing specifically on the oversight of third-party Information and Communication Technology (ICT) service providers. This chapter is crucial as it ensures that the external partners financial entities rely on are held to the same stringent standards of security and resilience as the entities themselves.

The Oversight Framework for ICT Third-Party Providers

Chapter 5 of the DORA Act is dedicated to the establishment of an oversight framework for critical ICT third-party service providers. These providers, which supply essential services to financial institutions, play a vital role in the sector’s digital infrastructure. Given their importance, the DORA Act mandates that these third-party providers are subject to strict oversight to ensure they adhere to the necessary security and resilience standards.

Key Provisions:

  1. Oversight Authority: Chapter 5 empowers designated oversight authorities to monitor and assess the activities of critical ICT third-party providers. These authorities are responsible for ensuring that these providers comply with the same operational resilience standards required of financial entities.
  2. Risk Management Requirements: Third-party providers must implement robust risk management practices. This includes identifying and mitigating potential risks that could impact the services they provide to financial entities. The providers are expected to have security measures that are at least equivalent to those of the financial entities they serve.
  3. Right to Audit: Financial entities are granted the right to audit their critical ICT third-party providers. This provision ensures that financial entities can verify that the third-party providers are meeting the required standards. The audits can include reviewing security controls, resilience measures, and any incidents that may have affected service delivery.
  4. Self-Assessments: ICT third-party providers are required to conduct regular self-assessments of their security and resilience measures. These self-assessments help in identifying any gaps or weaknesses in their systems, allowing them to take proactive steps to address these issues.
  5. Audit Reports: Financial entities can request audit reports from their ICT third-party providers, including SOC II Type 2 reports and Information Security Management System (ISMS) Statements of Applicability (SoA). These reports provide an in-depth look at the provider’s controls and practices, giving financial entities greater assurance of their reliability.
  6. Enforcement and Penalties: The oversight authorities are empowered to take enforcement actions if third-party providers fail to meet the required standards. This can include penalties, restrictions on services, or other measures designed to protect the integrity of the financial sector.

 

Practical Implications for Businesses: Managing Third-Party ICT Risk

The requirements outlined in Chapter 5 have far-reaching implications for both financial entities and their ICT third-party providers. The chapter’s focus on third-party risk management underscores the importance of ensuring that external service providers are as secure and resilient as the financial institutions they support.

  1. Strengthening Third-Party Risk Management:

Financial institutions must enhance their third-party risk management strategies to comply with Chapter 5. This involves not only selecting ICT service providers that meet high standards of security and resilience but also continuously monitoring and assessing these providers. Regular audits and assessments become essential tools in this process, allowing financial entities to verify that their providers are maintaining the required standards.

  1. Ensuring Compliance through Audits:

The right to audit, as granted under Chapter 5, is a powerful tool for financial entities. By conducting audits, financial institutions can gain direct insights into the security and operational practices of their ICT third-party providers. These audits should be thorough, covering all aspects of the provider’s operations that could impact the financial entity. This includes reviewing security controls, incident response plans, and business continuity measures.

  1. Leveraging Self-Assessments and Audit Reports:

ICT third-party providers are expected to conduct regular self-assessments and provide detailed audit reports upon request. Financial entities should actively seek these reports, as they offer valuable information on the provider’s adherence to security and resilience standards. Specifically, SOC II Type 2 reports and ISMS SoA documents are crucial as they outline the provider’s control environment and how it aligns with industry standards.

  1. Enhancing Governance and Oversight:

For financial entities, Chapter 5 emphasises the need for strong governance over third-party relationships. Senior management and boards of directors must be involved in overseeing third-party risk management activities. This includes reviewing audit findings, assessing the effectiveness of third-party controls, and ensuring that any identified risks are promptly addressed.

  1. Preparing for Regulatory Scrutiny:

Given the oversight powers granted to regulatory authorities under Chapter 5, both financial entities and their ICT third-party providers must be prepared for potential scrutiny. This includes having all necessary documentation and evidence of compliance readily available. Providers should be ready to demonstrate their adherence to the required standards, while financial entities must ensure they have conducted sufficient due diligence on their providers.

 

Steps to Ensure Compliance with Chapter 5

To effectively meet the requirements of Chapter 5, financial entities should consider the following steps:

  1. Understand the Criteria: The European Supervisory Authorities (ESAs) have specified criteria for designating ICT third-party service providers as critical, which includes: systemic impact of a failure; the importance of the functions supported; and the number of important institutions relying on the provider.
  2. Gain assurance from ICT third-party providers: Financial entities must ensure that their ICT third-party providers comply with DORA’s requirements. This includes managing ICT risks, ensuring continuity and recovery, and reporting incidents2.
  3. Consider Oversight Fees: The ESAs have also proposed oversight fees for critical ICT third-party providers, which are calculated based on the turnover of the critical ICT third-party service provider. These fees cover the costs of monitoring and ensuring compliance.

 

Meet Our Leadership Team.

At CRMG, our senior leadership team brings a rich history and deep expertise in cyber security. Spearheaded by consultants who are influential figures in the industry, our leaders are highly networked and well-established, with backgrounds in the ‘Big- Four’ firms.

LEARN MORE

Simon Rycroft

CO-FOUNDER AND CEO

Former Head of Consulting at the ISF. On a journey to bring accessible risk management to growing enterprises.

Nick Frost

CO-FOUNDER AND CHIEF PRODUCT OFFICER

Former Group Head of Information Risk, PwC. Motivated by the need to implement cyber risk principles for the real world!

Dan Rycroft

DELIVERY DIRECTOR

Former Head of Delivery, Cyber Security at DXC. Delivers risk-based cyber security programmes with maximum efficiency.

Matt Brett

DELIVERY LEAD – CYBER RISK SOLUTIONS

Former Portfolio Director, Tech Security & Risk, GSK. Specialises in implementing efficient, pragmatic cyber risk solutions.

Martin Tully

DELIVERY LEAD – GOVERNANCE AND COMPLIANCE

Twenty years’ experience in delivering fit-for-purpose cyber governance initiatives.

Louis Head

CONSULTANT – GOVERNANCE AND COMPLIANCE

An expert in everything ISMS-related, and how compliance works in practice.

Guy Asch

COMMERCIAL DIRECTOR

A seasoned Commercial Director, driving P&L business leadership through innovative strategies.

Ryan Hides

DELIVERY LEAD – THIRD PARTY RISK MANAGEMENT

Project Management and Six Sigma expertise. Specialises in turning effective third party risk management into a scalable reality.

Sarrah Ahmed

HEAD OF MARKETING

Bringing over 17+ years of marketing expertise, passionate about crafting innovative marketing campaigns.

Understanding the Fourth Chapter of DORA

The fourth chapter of the Digital Operational Resilience Act (DORA) is designed to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. Chapter 4 of DORA, titled “Information and Communication Technology (ICT) Risk Management,” is particularly critical as it lays out detailed requirements for the ICT risk management framework that financial entities must implement.

Overview

Chapter 4 of DORA mandates that financial entities establish and maintain robust ICT risk management frameworks. These frameworks should be integrated into the overall risk management system of the entity and should address all ICT-related risks comprehensively. The chapter outlines several key components that these frameworks must encompass:

  1. Governance and Organisational Structure
  2. ICT Risk Management Process
  3. Information Security Requirements
  4. ICT Incident Management, Classification, and Reporting
  5. Digital Operational Resilience Testing
  6. Management of ICT Third-Party Risk

Each of these components is designed to ensure a comprehensive approach to managing ICT risks, emphasising both preventative and reactive measures.

 

Governance and Organisational Structure

Implication: Financial entities must have a clear governance and organisational framework where ICT risk management is integrated at all levels in the organisation. This includes assigning specific roles and responsibilities for ICT risk management.

CRMG Recommendation: Effective governance and organisational structure are interdependent. A well-defined organisational structure supports good governance by providing assurance that roles and responsibilities have been clarified, ensuring accountability, and providing the most effective environment for effective decision-making.

 

ICT Risk Management Process

Implication: Entities need to identify, assess, monitor, and manage ICT risks continuously. This requires a systematic process that is well-documented and regularly reviewed.

CRMG Recommendation: Implementing a consistent approach to ICT risk management throughout the organisation, especially one that directly links threats to controls, will enable the organisation to understand, prioritise and address the relevant ICT risks.

 

Information Security Requirements

Implication: Ensuring the confidentiality, integrity, and availability of information and ICT systems is crucial. This includes implementing robust cyber security measures and maintaining a secure ICT environment.

CRMG Recommendation:  By focusing on these three attributes of information when implementing cyber security measures, organisations are in a better position to protect their data from unauthorised access, fraud, and also ensure it is available when required.

 

ICT Incident Management, Classification, and Reporting

Implication: Financial entities must have procedures to detect, manage, and report ICT incidents promptly. This includes classifying incidents based on their severity and impact.

CRMG Recommendation: Detecting potential incidents early, and prioritising responses so that the most critical incidents receive immediate attention are techniques that will help organisations utilise their resources to deal with ICT incidents as efficiently as possible.

 

Digital Operational Resilience Testing

Implication: Entities are required to perform regular resilience testing to ensure their ICT systems can survive various types of disruptions. This includes vulnerability assessments, penetration testing, and other forms of resilience testing.

CRMG Recommendation:  Regular resilience testing includes a wide range of techniques such as Disaster Recovery Testing, Load Testing, Failover Testing and Incident Response Testing. Threat-Led Penetration Testing (TLPT) is a particular area of focus under DORA as certain financial entities are required to conduct TLPT at least every three years to ensure their ICT systems can withstand sophisticated cyber threats.

 

Management of ICT Third-Party Risk

Implication: Managing risks associated with third-party ICT service providers is critical. Financial entities must ensure that their third-party providers adhere to the same high standards of ICT risk management as their own.

CRMG Recommendation: Third parties and the contracting financial entity must work very closely together to ensure the requirements of DORA are met and that all information for the Lead Overseer is available when they conduct off-site investigations, on-site inspections, and continuous monitoring.

 

By mandating standardised procedures and regular assessments, DORA aims to enhance the overall resilience of the financial sector against digital threats. Chapter 4 of DORA provides a comprehensive framework for managing ICT risks in the financial sector.

The practical implications and recommendations discussed in this article aim to guide financial entities in implementing effective ICT risk management frameworks, ensuring not only compliance with DORA but also the security and stability of their operations in an increasingly digital world.

Understanding the Third Chapter of DORA

As we continue with our analysis of the Digital Operational Resilience Act (DORA), Chapter 3 stands out as a pivotal component in shaping the operational resilience framework for financial entities across the EU. For those who have been following our series, we’ve already explored the foundations laid out in Chapter 1 and the specific incident managements requirements highlighted in Chapter 2. This article explores Chapter 3, focusing on digital operational resilience testing requirements.

Chapter 3: What is it?

Chapter 3 of DORA focuses on the digital operational resilience testing of ICT (Information and Communication Technology) systems, tools, and processes within financial entities. This chapter mandates that financial entities within the EU or operating within the EU, including banks, investment firms, insurance companies, and other financial market infrastructures, rigorously test their ICT systems to identify vulnerabilities and mitigate potential risks.

Key sections of Chapter 3 include:

  1. Regular Testing Requirements: Businesses must carry out regular, comprehensive testing of their ICT systems. This includes vulnerability assessments, penetration testing, scenario-based testing, and more.
  2. Advanced Testing for Critical Functions: For critical functions and high-risk areas, more sophisticated testing techniques are required, such as threat-led penetration testing (TLPT). This involves simulating cyber-attacks to evaluate the resilience of ICT systems against sophisticated threats.
  3. Third-Party Testing: Businesses are encouraged to involve independent third-party testers to ensure objectivity and thoroughness in the testing process. These testers must have no conflicts of interest to maintain the integrity of the testing outcomes.
  4. Reporting and Remediation: After testing, businesses must document findings, report significant vulnerabilities, and outline remediation plans. This ensures transparency and facilitates continuous improvement in ICT resilience.

Practical Implications of Chapter 3

Implementing the requirements of Chapter 3 has profound practical implications for financial businesses. The emphasis on rigorous testing and continuous monitoring may well necessitate a strategic overhaul in how organisations approach their ICT infrastructure.

  1. Resource Allocation: Organisations must allocate adequate resources, including skilled personnel and financial investments, to conduct the required testing. This may involve hiring cyber security experts or engaging with third-party testing firms.
  2. Integration with Existing Frameworks: Businesses must integrate DORA’s testing requirements with existing risk management and cyber security frameworks. This means aligning DORA mandates with frameworks like ISO/IEC 27001 or NIST Cyber Security Framework to ensure comprehensive coverage.
  3. Enhanced Cyber Security Posture: Regular and advanced testing helps organisations uncover hidden vulnerabilities and strengthen their cyber security posture. By addressing these vulnerabilities proactively, financial entities can mitigate the risk of cyber incidents that could disrupt operations or compromise sensitive data.
  4. Regulatory Compliance: Adhering to DORA’s testing requirements is not merely a regulatory obligation but also a competitive advantage. Organisations that demonstrate robust digital operational resilience can build trust with stakeholders, including clients, regulators, and partners.

Ensuring Compliance with Chapter 3

To ensure compliance with Chapter 3 of DORA, financial entities must adopt a proactive and structured approach.

Martin Tully  – CRMG Delivery Lead Governance & Compliance Consultant highlights below his key tips to help businesses navigate this chapter effectively:

  1. Develop a Comprehensive Testing Strategy: Create a detailed testing strategy that outlines the scope, frequency, and methods of testing for different ICT components. This strategy should prioritise critical functions and high-risk areas.
  2. Engage Qualified Experts: Whether conducting internal testing or involving third-party testers, ensure that the individuals or firms engaged possess the necessary expertise and certifications in cyber security and digital resilience.
  3. Establish Continuous Monitoring and Improvement: A continuous monitoring mechanism will help to keep track of emerging threats and vulnerabilities. Regularly update testing procedures and remediation plans based on the latest threat intelligence and industry best practices.
  4. Maintain Documentation and Reporting: Thorough documentation of all testing activities, findings, and remediation efforts is crucial for regulatory reporting and demonstrates a commitment to transparency and continuous improvement.