DORA: A methodical approach to Compliance

Written by Vikas Gupta | Oct 11, 2024 10:05:35 AM

The Digital Operational Resilience Act (DORA) is a critical regulation aimed at enhancing the operational resilience of the financial sector against cyber-attacks and ICT-related incidents. With the increasing reliance on technology, financial institutions face significant risks that can disrupt services and impact economies globally. DORA, enforced by the EU starting in 2023 with full compliance required by 2025, mandates comprehensive ICT risk management, incident reporting, resilience testing, and third-party risk management. This blog provides a structured approach to achieving DORA compliance, offering financial institutions practical guidance to navigate these requirements and strengthen their operational resilience.

Significance of DORA

The financial sector’s growing dependence on technology, and on technology companies for the delivery of financial services, makes it increasingly vulnerable to cyber-attacks and ICT incidents. When not managed properly, Information and Communication Technology (ICT) risks can disrupt financial services across borders, with widespread economic impact. In a fast-evolving digital financial world, the operational resilience of the financial sector is a growing concern for regulators globally.

Introduced in 2020, adopted by the EU in 2022 and enforced starting 2023, DORA is a fast-moving regulation requiring implementation in 2025, with upcoming milestones for incident reporting and European Commission reviews.

Implications for Financial Institutions

DORA casts a wide net across all financial market participants, applying to a diverse range of entities including banks, credit and payment institutions, securities and trading firms, investment managers, insurance companies, rating agencies and all critical ICT third-party service providers.

1. ICT Risk Management & Governance

To address and manage ICT risk, Financial Entities (FEs) must set up and maintain ICT systems, tools and protocols that are appropriate to the magnitude of their operations, in accordance with the proportionality principle.

2. Incident Reporting

Financial Entities (FEs) must establish appropriate procedures and processes to ensure consistent and integrated monitoring, handling and follow-up of ICT-related incidents and significant cyber threats, so that root causes are identified, documented and addressed to prevent the occurrence of such incidents.

3. Digital Operational Resilience Testing

Financial Entities (FEs) must perform network security assessments, vulnerability assessments and Threat-Led Penetration Testing. The frequency and scope must be commensurate with the entity’s size and complexity.

4. ICT Third Party Risk Management

Financial Entities (FEs) must maintain and update, at entity level and at sub-consolidated and consolidated levels, a register of all contractual arrangements for ICT services within their remit, with a clear articulation of the rights and obligations of the financial entity and of the ICT third-party service provider.

5. Information Sharing

Financial Entities (FEs) may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools, within trusted communities of FEs and public authorities.

7 steps to DORA Compliance

The pervasive nature of this act, combined with the complexity of financial institutions’ IT environments, requires a structured, proactive and methodical approach to achieve compliance efficiently and with the least impact on the business. We recommend a seven-step approach to enhance the IT environment and work towards compliance:

  1. Develop a clear understanding of the DORA compliance requirements and how they apply to the organization’s business processes and IT environment.
  2. Assess the gap between the current state and the desired state of the risk framework, policies, processes, systems and controls, and develop a mitigation plan.
  3. Build a comprehensive implementation plan to address the gaps and strengthen the ICT risk framework, incident response, resilience testing and third-party risk management.
  4. Integrate technology to deliver the most effective and efficient solutions through fit-for-purpose GRC tools and operations management platforms.
  5. Define a comprehensive resilience testing strategy covering vulnerability assessment, penetration testing, scenario testing and third-party resilience.
  6. Continuously monitor regulatory changes, test resilience in a disciplined way and improve the ICT risk framework based on industry best practices.
  7. Establish a culture of digital resilience in the organization through learning and development and HR practices.

Coforge DORA Compliance Framework

Coforge has created a customizable three-pillar framework that lets our clients approach each component of their compliance obligations systematically, make incremental progress and demonstrate that progress towards compliance.

The first pillar assesses the current state against the DORA requirements and produces an exhaustive mitigation plan for the gaps identified through a comprehensive review of ICT risk policies, framework, processes, systems and controls.

The second pillar is the execution phase where we support our clients to achieve the desired state through implementation of controls, systems, data management, testing and governance. We leverage our strong technology expertise to provide AI based strategies for implementing a cost-effective, efficient, and sustainable technology solution.

The final pillar, assurance, provides a post-facto evaluation of the ICT ecosystem to confirm that the gaps have been mitigated and that compliance with the five DORA principles can be achieved.

We will partner with our clients to develop their customized compliance strategy and implementation plan, support platform implementation through our IT expertise and extensive partner network, provide assurance through our comprehensive testing services and help create the organization ecosystem for a strong resilience culture and governance.

The Way Forward

At Coforge, we understand the complexities of DORA compliance and offer a comprehensive approach to guide our clients through every stage of their compliance journey. Our years of operational risk management experience, combined with our innovative technology offerings, enable us to provide end-to-end DORA compliance solutions, including regulatory advisory, risk assessment, program management, technology implementation, control testing and compliance assurance.

We look forward to engaging with banks and financial institutions, providing them with an overview of our DORA compliance framework, helping them map the compliance obligations relevant to their organization and creating a fully customized solution for achieving compliance with this cornerstone regulation.