Thrive UK
Strengthening Financial IT Resilience: Navigating DORA Compliance with Thrive (Part 1)
Overview:
The Digital Operational Resilience Act (DORA) was enacted on January 16, 2023, and will be enforced starting January 17, 2025.
DORA aims to ensure the IT resilience and security of every financial entity (FE) in Europe and its ICT providers, including banks, crypto, insurance, and investment firms, even during severe operational impacts such as distributed denial of service (DDoS) cyber-attacks and ransomware. Thrive can assist in the key areas that support compliance with DORA.
Third-Party Risk Management:
For firms with typical resilience arrangements, this is the most significant and most underestimated area of DORA work. DORA mandates the analysis, contractual documentation, and management of third-party risks. Thrive enhances security by ensuring essential third-party providers are evaluated, documented, approved, monitored, and managed.
Oversight of Critical Third-Party Providers:
DORA requires an oversight framework for critical third-party providers. Thrive enhances transparency and accountability within this ecosystem, ensuring essential services remain accessible under challenging circumstances.
Incident Response and Reporting:
Thrive facilitates comprehensive incident response processes, enabling IT teams to troubleshoot devices promptly, diagnose issues, mitigate and remediate systems, apply patches, and recover systems. This also helps to ensure timely reporting and resolution of operational disruptions.
Testing and Resilience Assessment:
Thrive supports full digital operational resilience testing, known in existing terms as disaster recovery and business continuity testing. Testing these plans helps institutions evaluate the effectiveness of alternative processes and switch seamlessly to secondary methods during disruptions.
Audit Trails and Logs:
Thrive generates detailed audit trails and logs of user activities, assisting organisations in demonstrating compliance with DORA’s requirements. This will also facilitate information sharing around threats seen or experienced, particularly zero-day attacks.
Responsibility and Accountability (i.e. Governance):
DORA establishes clear responsibility for operational resilience at the highest levels of a firm, including the Board and senior executives (CxOs). They play a crucial role in implementing DORA’s essential components.
Critical Plans (i.e. Risk Management Framework):
Board members and senior executives will need to approve critical plans related to operational resilience. These plans include the firm’s digital operational resilience strategy and its policy regarding ICT Third Parties (TPs). DORA is acknowledged as best suited to ISO 27001 – more on this in part 3 of this blog series.
Daily Operations:
Senior leaders are also responsible for the decisions that integrate DORA’s requirements into the firm’s day-to-day operations. This involves setting risk tolerance levels and prioritising actions to address identified operational vulnerabilities.
In simpler terms, DORA ensures that financial institutions and technology partners are well-prepared to effectively handle disruptions and cyber risks. It’s all about making sure our FEs stay strong and resilient!
Part 2 of this blog series will examine the EU’s process from the initial 2023 effective date to where we are today. The EU set up numerous European consultations with FEs and conducted dry runs with well-known participants, particularly on the third-party risk management process and expectations. The feedback is recorded in many fascinating spreadsheet entries. Many lessons have been learnt and challenges raised where the EU believes its requirements are reasonable but the industry may hold alternative views.
Responses to public consultations on DORA 1st batch.xlsx (live.com)
In conclusion, Thrive plays a crucial role in bolstering our clients’ operational resilience through our own operationally resilient platform and business, reducing dependency on single systems, teams, or procedures, and enhancing risk management in the financial sector in alignment with DORA’s objectives.
Graphic Source: https://kpmg.com/lu/en/blogs/home/posts/2023/04/dora-regulation-all-your-questions-answered.html