The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a regulatory framework established by the European Union to strengthen the digital operational resilience of financial entities. Applicable from 17 January 2025, DORA requires financial institutions to implement robust measures to manage Information and Communication Technology (ICT) risk, with a significant emphasis on Third-Party Risk Management (TPRM) for the ICT service providers they depend on.
Understanding DORA’s TPRM Requirements
DORA’s TPRM provisions are designed to ensure that financial entities maintain operational continuity and security, even when relying on external ICT service providers. Key requirements include:
- Identification and Assessment of Third-Party Providers: Financial institutions must identify all third-party ICT service providers, maintain a register of information covering their contractual arrangements with them, and assess each provider's criticality based on whether it supports critical or important functions and the level of risk it poses to the institution's operations. (Deloitte)
- Due Diligence and Contractual Obligations: Before engaging a third-party provider, institutions are required to conduct thorough due diligence to confirm that the provider has appropriate risk management practices. Contracts must clearly set out the services provided, service levels, security requirements, incident-handling and reporting duties, audit and access rights, and compliance obligations. (UpGuard)
- Ongoing Monitoring and Oversight: Continuous monitoring of third-party providers is essential to verify adherence to contractual terms and to manage emerging risks as they arise. (Deloitte)
- Incident Management and Reporting: Institutions must have processes in place to manage and report ICT-related incidents that originate at or involve their third-party service providers, including reporting major incidents to the competent authority and informing clients and counterparties when a significant cyber threat affects them. (Deloitte)
- Exit Strategies and Contingency Planning: Developing exit strategies and contingency plans for services that support critical or important functions is crucial to address disruptions caused by a provider failure or incident. This includes ensuring that contractual arrangements allow services to be terminated and transitioned promptly when necessary. (UpGuard)
Examples of Compliance and Non-Compliance
Compliance Example:
A financial institution identifies a cloud service provider as critical to its operations. Before engagement, the institution conducts comprehensive due diligence, assessing the provider's security controls, financial stability, and compliance with relevant regulations. A detailed contract is established, specifying service levels, security requirements, incident notification duties, and audit rights. The institution continuously monitors the provider's performance and conducts regular audits. Additionally, an exit strategy is in place and tested, allowing a controlled transition to an alternative provider if needed.
Non-Compliance Example:
A financial institution engages a third-party software vendor without conducting adequate due diligence. The contract contains no specific clauses on security requirements or incident reporting, so the vendor has no obligation to notify the institution of a breach. The institution does not monitor the vendor's performance or assess its compliance with regulatory standards. When a security breach occurs at the vendor, the institution learns of it late, is unprepared to respond or report it within the required timelines, and suffers significant operational disruption and regulatory penalties.
Implementing Effective TPRM Under DORA
To comply with DORA’s TPRM requirements, financial institutions should:
- Develop a Comprehensive TPRM Framework: Establish policies and procedures for identifying, assessing, and managing risks associated with third-party ICT service providers, including ownership of the register of information. (UpGuard)
- Conduct Regular Risk Assessments: Perform ongoing evaluations of third-party providers to identify potential risks, reassess criticality as dependencies change, and implement appropriate mitigation strategies. (Deloitte)
- Enhance Contractual Agreements: Ensure contracts with third-party providers include clear terms on service levels, security requirements, incident reporting, audit and access rights, and termination conditions. (PwC)
- Implement Continuous Monitoring: Use tools and processes to monitor third-party providers' performance, security posture, and compliance with contractual obligations. (UpGuard)
- Develop Exit Strategies and Contingency Plans: Prepare for potential disruptions by establishing and periodically testing plans for transitioning services if a third-party provider fails to meet its obligations. (UpGuard)
By adhering to these practices, financial institutions can align with DORA's TPRM requirements, strengthening their operational resilience and reducing their exposure to ICT-related risks introduced through third parties.