DORA – Can we go back to sleep now?

The Digital Operational Resilience Act (DORA) has not gone away. It’s here to stay.

For some months now the Register of Information, which is a sub-element of “Managing ICT Third-party risk” (one of the five pillars), has been the focus of attention. Getting a successful submission was the goal. The deadline has passed, and most have successfully completed this task.

It wasn’t all plain sailing. The lack of a test environment where submissions could be trialled meant that most financial entities had to re-submit multiple times. The error messages were not always helpful. “Object reference not set to an instance of an object” is very much “developer-speak”, whereas “an uppercase ‘C’ was found where a lowercase ‘c’ was expected” is understandable by regular humans. When the submission finally got to the EBA, many received “wrongly flagged errors”. The EBA held up their hands and fixed it quickly, but this was just another indication of the less-than-perfect submission process.

After a brief rest, we need to get back to the main story: DORA. Remember the five pillars: ICT Risk Management, Management of ICT third-party risk, ICT-related incident management, digital operational resilience testing and information-sharing arrangements. Let’s briefly look at what each of these entails.

ICT Risk Management:

Information and communications technology, if compromised or unavailable, would disrupt most businesses, so this is a key focus area in achieving the goal of resilience. Governance underpins the five key aspects of managing the risks here. They are: Identify (the assets, the information, the locations), Protect (the systems and information), Detect (know when they are being threatened), Respond (in a fast and effective way to a disruptive incident) and Recover (fully and completely when you experience a disruption).

Managing ICT Third-Party Risk:

The pure-ICT risks associated with third parties will be managed under the ICT Risk Management framework, but there is more to this pillar. The Register of Information is a key “output” that clearly identifies those third parties that you depend on to deliver critical or important functions / services. Then there is the core need to manage all your third parties comprehensively. This starts with good contractual arrangements, initial and ongoing due diligence, auditing by people who have the technical skills, and planning for the day when you wish to, or are forced to, terminate the contract.

ICT Related Incident Management:

We learn from incidents. But this learning will be short-lived and easily forgotten if we do not record them. Ask yourself: how often would you have predicted a big incident (and taken action sooner) if you had been recording all the “small incidents”, the precursors? This is intelligence that we must act on. And if you have good practice managing small incidents, you will be better prepared for the “major ICT-related incident”, the kind the regulator insists you report to them in detail. Be prepared, be very prepared!

Digital Operational Resilience Testing:

As with incidents, we learn from testing. But testing also gives us and all stakeholders assurance that when there is a disruptive incident, the organisation will recover quickly and effectively. Testing will also confirm that defences are strong and disruptions will be kept to a minimum. What DORA mandates, and what by any measure is reasonable, is that systems are tested by a range of different methodologies to get assurance that they are well protected from external attacks, that authorised access is restricted on a “needs” basis and that the systems are well maintained. When drawing up your testing programme, include your third parties: they are an extension of your organisation, and their systems are an extension of your infrastructure. Do all of this for yourself and not just because the competent authority will ask you for the evidence.

Information-Sharing Arrangements:

There are many sources of information and most of us are recipients of too much information. But you will identify actionable intelligence, and you will be able to prevent some disruptive events. The competent authorities make a strong case for sharing that intelligence information with peers. If you can share in a trusted environment with peers, then you will get more than you give. Find a way.

Over the coming months the competent authorities will be checking, and expecting financial entities to be compliant with all of the DORA requirements. Yes, DORA is here to stay, and the objectives of DORA are realistic, achievable and good for all of us. The Act is a distillation of several regulations, guides and standards and streamlines good practice into one document. So, stay with it and continue to improve your processes, and you will achieve resilience.


Gerard Joyce, CTO, CalQRisk
