Regulating the boundless: Perspectives on Dora
When Covid-19 came knocking, businesses were forced to compress long-term plans for digitalisation into a matter of days.
This made the cloud a near-ideal fix for companies that needed to go remote quickly and easily. But the speed of the move also left less time to properly understand the risks the cloud brings, and for regulation to catch up with them.
At face value, cloud technology has strong benefits.
Firstly, it is a low-cost solution. It cuts the money spent on on-premises storage and maintenance, and spares companies the trial and error of buying different equipment to find what suits them. This is especially valuable for small and medium-sized companies that are short of space and resources.
Secondly, it reduces the burden of security, because cloud providers have the scale and bandwidth to invest in effective digital security and to apply tried and tested best practices, lowering the risk of cyber crime. That scale also strengthens operational resilience: a provider with data centres in several countries can mitigate the risk of disruption in any single region. Note, though, that the provider secures the underlying platform; how a customer configures and uses the service remains the customer's own responsibility.
But nothing can be so airtight…
Even before mass cloud adoption, smaller organisations often had to outsource their ICT services. Although this cuts the cost of in-house storage, maintenance and manpower, the organisation is still obliged to oversee the services it receives and make sure it is not being exposed to undue risk. That may not mean more money, but it does mean more time.
The cloud also poses a novel risk through its multi-tenancy model: one provider serves many customers, and its staff and systems can see and access the data of each of them. This raises awkward questions about security and access, because a compromise of the provider becomes a potential compromise of every customer at once. If that seems far-fetched, the point was made abundantly clear just last year, when the authentication company Okta, a service provider to many companies, was breached and client data was leaked, viewed and acted upon.
The Digital Operational Resilience Act (Dora) is the EU's attempt to regulate these opportunities, proposing an oversight framework for information and communications technology (ICT) risk and for third-party service providers within the financial services sector.
The principle of proportionality, which also governs other outsourcing frameworks, is key to understanding Dora's impact on smaller to medium-sized financial organisations: the requirements are meant to scale with an entity's size, risk profile and complexity rather than apply uniformly.
Historically, regulation has made clear that technology can be outsourced, but responsibility cannot, and each institution, especially those in finance, must control and monitor the risks that arise from a relationship with a third-party service provider.
Dora reduces this burden by having critical third-party service providers overseen directly by public authorities, coordinated through a central "Oversight Forum". This should improve the resilience of third-party cloud providers and give financial institutions more legal certainty, since the audits are centrally supervised rather than repeated by every customer.
Incident reporting will also be streamlined under Dora, with central supervision reducing the administrative load on financial institutions.
Dora establishes a supervisory framework that places each critical third-party service provider under the direct oversight of the European Supervisory Authorities (Esas). For each critical provider, the Esas designate one of their number as Lead Overseer, whose job is to assess the provider's mechanisms for managing the ICT risks it could pose to financial institutions. The assessment follows an annual oversight plan, and the Lead Overseer has powers to request information and documents, including sensitive data, in support of investigations and inspections. On the basis of that work, the Lead Overseer issues recommendations to the provider.
Once the Lead Overseer completes an inspection, the provider must notify it in writing whether it intends to follow the recommendations or, if not, give a reasoned explanation. The Lead Overseer then shares the outcome with the national financial regulators, who are tasked with checking that the financial institutions they supervise have considered the risks identified in the recommendations. Where significant deficiencies are found, the national regulator may require a financial entity to suspend, in part or in whole, its use of the provider's services until the deficiencies are remedied.
The prospect of Dora alleviates the burden on financial institutions by spreading oversight work and accountability across financial institutions, supervisors and third-party service providers, without removing an institution's own responsibility for the risks it carries. This stands to benefit smaller to medium-sized financial institutions on their digital transformation journeys, freeing capacity for strategic development and reducing compliance costs.