You have until January 17th, 2025, to finish your DORA implementation process. In this short guide, we give you a high-level overview of the most likely DORA implementation challenges you will face - and how to get ahead of them.
1 - Understand Your DORA Implementation Resource Requirements
Not only does DORA impact a vast number of financial services businesses, including some of the world's biggest banks and the continent's smallest fintechs, but its five pillars also touch on almost every aspect of your company's operations.
This broadness means that everything from core financial services infrastructure and the transaction systems for inter-banking to online banking and customer portals will need to be assessed against DORA's requirements and brought into line.
There is no single technological solution or set of processes that will help you become compliant with DORA.
Like any other regulation, the act's relative broadness means that the core resource you need for DORA implementation is people. You need a pool of human hours available to implement the security controls, contractual changes, and reporting procedures that DORA will require from you.
Your exact DORA implementation human resource costs will depend on how much change is needed following your gap analysis. From there, you can determine how many human hours of work will be required to address any gaps/shortcomings you have and figure out whether you can fill this requirement with your existing security/IT teams or if you'll require additional resources.
If you're already complying with regulations like the EBA Guidelines on outsourcing arrangements and the Bank of England's SS2/21 Outsourcing and third-party risk management, your resource requirements will likely be lower.
Our DORA implementation resource recommendations:
- Perform a thorough gap analysis.
- Based on your gaps, allocate a pool of hours for addressing them and a responsible team.
2 - Focus On Initial Reporting Capability
For smaller financial services companies, reporting major cyber incidents in a very short space of time will likely be a big operational shift.
DORA has three levels of major incident reporting requirements:
- An initial report must be made within 4 hours from when the incident is classified as a major one but not later than 24 hours after the incident is detected.
- An intermediate report with more detailed information about the incident (for example, the incident’s impact, classification criteria triggered, etc.) must be made within 72 hours after the incident is classified as major (or sooner when regular activities are recovered and business returns to normal).
- A final report, including additional details about the incident (for example, root cause analysis and actions taken), must be made no more than one month after the incident is classified as major.
The initial report will need to include information like the description of the incident, member states and other financial entities or third parties impacted or potentially impacted by the incident, the origin of the incident (if available), the number of clients impacted, data losses, how critical the services impacted are, and whether the incident is recurring.
Knowing all this and communicating it to a competent authority within 24 hours will likely be a tall order for many organisations. It will mean being able to tie together data around cyber incidents such as cloud data breaches about what kind of data and systems were impacted and how the attack chain happened.
A key challenge here is understanding at a granular level what data/systems create risk in what context. For example, a cloud database of client names will present risk at a different level if it is exposed alongside their date of birth and tax identification numbers.
Building the capability to understand and report on risks quickly might mean moving beyond siloed security controls towards security tool consolidation.
Our DORA implementation reporting recommendations:
- Focus on connected risk management processes and tools.
- Consider consolidating security tools.
3 - Think About Third Party Continuity
What would happen to your clients’ data and your business services if your number one provider stopped functioning for whatever reason?
Being compliant with DORA's third-party risk aspects has several parts. One that a lot of organisations will likely struggle with is the need to ensure the continuity of critical services.
The DORA regulation states that "Financial entities shall put in place exit strategies to take into account risks that may emerge at the level of ICT third-party service provider, in particular a possible failure of the latter, a deterioration of the quality of the functions provided, any business disruption due to inappropriate or failed provision of services or material risk arising in relation to the appropriate and continuous deployment of the function."
What DORA tries to do here is ensure that the security of data that a third-party provider is holding will not be compromised. Even if you need to break a deal with a provider urgently, you need to be able to get all your data.
In all contracts with third parties, you will need a clause that allows you to break the deal without impacting client data.
For every critical ICT service you contract, you will need a backup infrastructure/way to continue business and agreements with secondary providers to enable you to cut a third party off.
This means that although you might be reliant on large cloud service providers, under DORA, you will also need to have a secondary backup plan for cloud infrastructure in place. You will need to either have provisions in place with third parties who provide the same services or a justification to make an exception.
You will also need to make sure, through your contracts, that your critical service providers follow a business continuity plan. For example, if a data centre goes out, you will need a redundant centre.
Our DORA implementation third-party guidelines:
- Work break clauses into your contracts.
- Find backup services.
Getting Help With DORA Implementation
If you need help planning your DORA implementation process, SECFORCE offers an end-to-end DORA consultancy service.
We can guide you through DORA’s five pillars, conduct a thorough gap analysis and walk you through the best-fit solutions for your firm.