Post by account_disabled on Mar 4, 2024 8:09:14 GMT
The European regulation known as DORA (Digital Operational Resilience Act) came into force at the beginning of 2023, and all Member States must apply it from January 17, 2025. By that date, financial participants in the broadest sense will have to comply with new obligations organized into five pillars, designed to promote their digital resilience and that of the financial system as a whole. Given the proximity of this deadline, action must be taken today.

In 2008, a financial crisis of unprecedented magnitude shook the world, surpassing the severity of previous major crises such as the well-known Black Thursday of 1929. The global financial system, interwoven by intricate connections and dominated by influential actors in multiple markets, succumbed to a domino effect in which the collapse of one institution quickly triggered the fall of others. Today, the digitally hyperconnected world of financial institutions poses an even greater threat: if a key player's information system fails, the collapse of the system could be almost instantaneous and of unprecedented magnitude. In this context, DORA aims to guarantee the resilience of financial institutions and their associated third parties in a sector that is 100% digital and subject to constant cyberattacks.

To comply with the obligations established by DORA, financial institutions and their third parties must implement and document a series of measures around their information and communication technologies (ICT) that can be categorized into four main themes. By January 17, 2025, companies must ensure that the necessary preparations have been made to meet their obligations under these guidelines.

1 - Establish an ICT risk management system (Pillar 1)

The first pillar of DORA is the most important: it serves as the foundation from which all other elements are derived. It is also one of the most complex, since it requires a comprehensive approach based on detailed knowledge of the company, its operations and processes (especially the most important ones) and, above all, its technological architecture (the systems and applications that support those processes). Once this risk management system is in place, DORA imposes a control obligation that can be carried out continuously or at predefined frequencies. These highly detailed controls cover business and procedural aspects as well as the technology layer, down to the smallest application involved in a critical process. Although most financial institutions already have these types of controls in place, it should be noted that DORA-specific IT controls will be necessary to ensure full compliance with this new regulation. More broadly, there will be a greater need for closer collaboration between risk and control teams and IT.

2 - Identify and control third parties (Pillar 5)

Recognizing the increasing complexity of financial information systems and their multiple entities, applications and infrastructures, the European regulator has extended the scope of precautionary obligations to third-party services integrated into these architectures. This covers not only business partners who are inherently subject to DORA, but also all technology partners: application publishers, cloud providers and other managed service providers (MSPs) will also be affected by the new European regulation, specifically in relation to service level agreement (SLA) terms and the security they provide. In addition, it will be crucial to establish contingency plans to replace third parties in the event of a system failure or security problems. Concentrating services within a single third party can be a risk in itself: what happens if the main (or even the only) cloud provider is attacked? For this reason, it may be worthwhile for financial institutions to develop a multi-vendor strategy to limit the risks (and damage) in the event of an attack on or failure of a key third party.

3 - Periodically check your continuity capabilities (Pillar 3)

Risk awareness in the financial sector is nothing new.