March 14, 2023 | Maria Fritzsche
Estimated reading time: 7 minutes
Get ready for new digital resilience obligations
In 2021, the Basel Committee on Banking Supervision (BCBS) highlighted that additional work was required to improve banks’ capacity to withstand operational risk-related events like pandemics, cyber incidents, technology failures, and natural disasters, which could result in significant operational failures or widespread disruptions in financial markets.
The COVID-19 pandemic brought operational resilience into sharp focus, and since then, high-impact climate change events, geopolitical developments, and pressure on the energy market and infrastructure have kept operational resilience near the top.
The Digital Operational Resilience Act (DORA) follows the global trend in financial services regulation that started with the Bank of England’s (FCA and PRA) consultation papers on operational resilience and impact tolerances and continued with principle-based operational resilience papers from the Federal Reserve and the Bank for International Settlements (BIS).
US digital resilience
The safeguards concerning digital resilience continue to be an important topic of discussion between the US and the EU. At the US-EU Joint Regulatory Forum, operational resilience and digital finance were a matter of discussion.
The US regulators, the Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC), identified and consolidated existing guidance that can be used to form an effective operational resilience framework. The consolidated guidance, Sound Practices to Strengthen Operational Resilience (Sound Practices), outlines the sound practices large banks are expected to have in place to address risks to operational resilience.
The guidance applies to banks that have average total consolidated assets greater than or equal to:
- $250 billion, or
- $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance sheet exposure.
The federal banking regulators are also focusing on issuing new regulations to assist banks in establishing and maintaining the tools required to recognize and address changing cybersecurity risks.
Key focus points for banks
- Carefully consider the recommendations made in the sound practices guidance, and make sure that sufficient internal and external resources are available to implement them.
- Conduct a gap analysis and address any concerns head-on before an information security incident occurs.
- Review all agreements with third-party providers to ensure privacy and data security risks are covered.
Additionally, the Computer-Security Incident Notification Rule requires that banks and their key service providers make sure that their incident response plans contain a mechanism to identify and immediately notify regulators.
The UK’s operational resilience and third-party service providers
The Bank of England (BoE) recently published a number of supervisory statements to expand on the changes introduced in 2021 with the Operational Resilience of Financial Market Infrastructure (FMI). This forms part of the review of FMI which aims to ensure greater resilience when adopting the cloud and other new technologies as set out in the BoE’s response to the 2019 Future of Finance (FoF) report.
Each statement addresses a different type of FMI. The overall aim is to reduce the “non-cyber” risks connected to the use of technology, such as concentration risk, service deterioration, and supplier failure. Essentially, the initiative intends to increase operational and digital resilience across the financial industry, and it has introduced a number of measures that affected organizations must adhere to by 9 February 2024.
The objective of the supervisory statements is to make sure that businesses have reliable frameworks in place for managing their interactions with third-party service providers. It will have a significant impact on the entire industry as FMIs are urged to review their portfolio of third-party software. Businesses must determine which services are essential to their operations and test software for potential risks using risk assessment tools or through an independent specialist.
The statements acknowledge the crucial role that third-party service providers play in the financial system by offering essential services like clearing, settlement, and payment processing. A failure in any one component would have a significant impact on the entire ecosystem due to the complexity of these services and the degree of interconnectivity in the financial system. The BoE’s recommendations for businesses in the financial sector emphasize the importance of giving business resilience top priority and making sure that businesses and service providers have plans in place for handling third-party relationships.
According to the supervisory statements, businesses must keep a current list of their outsourcing relationships, separating those that pose a high risk from those that do not. Business-critical areas of the organization must be safeguarded.
To further enhance the stability of the financial system, a new statutory framework has been proposed in the Financial Services and Markets Bill (FSMB) to manage systemic risks posed by “critical third parties” (CTPs). The proposals give the supervisory authorities powers to assess and strengthen the resilience of material services, including cloud computing and data analytics, provided by CTPs to the financial sector under outsourcing arrangements. The Bill is currently in the House of Lords at Committee Stage and is expected to receive royal assent before summer 2023.
The EU’s plans for digital resilience
The European Union (EU) is taking a firm stand on information and communication technologies (ICT) incidents in the financial sector. With strict requirements for both financial entities and vital ICT service providers, businesses must begin planning immediately.
DORA entered into force on 17 January 2023. Because it is a Regulation rather than a Directive, it is binding in its entirety and directly applicable in all EU Member States. However, it includes an implementation period of 24 months, which means the relevant organizations will need to have the required systems and controls in place by 17 January 2025.
DORA requires firms to address all components of operational resilience. Firms must follow rules covering protection, detection, containment, recovery and repair capabilities for ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. Much like the UK regime, DORA seeks to improve the operational resilience of financial institutions. In its proposal, the European Commission highlighted the ongoing difficulties that ICT risks pose for the performance, stability, and operational resilience of the EU financial system, noting that post-crisis reforms had not fully addressed digital operational resilience.
The volume of obligations associated with DORA will be challenging for firms to manage. The following is a non-exhaustive list of some of the actions required of financial services firms to comply with DORA:
- Conduct a gap analysis of the internal systems used to determine the need for action
- Set out an IT strategy covering personnel, budget, setup and structure, taking account of any dependencies on third-party IT providers, and identifying critical ICT functions and components
- Identify processes to test digital resilience
- Regularly test the firm’s digital resilience
- Implement protection and prevention measures as well as recovery plans in case of losses (business continuity planning, BCP)
The requirements for digital resilience are likely to expand further as the EU has published the first draft of the Cyber Resilience Act (CRA). The scope of this proposed legislation is wider than that of DORA and provides comprehensive obligations for manufacturers, dealers and importers of products with digital elements.
In focus: Germany’s outsourcing notification requirements
The German Federal Financial Supervisory Authority (BaFin) has issued detailed guidance on the new notification requirements regarding proposed outsourcings. The requirements were introduced with the Act on Strengthening the Financial Market Integrity (Finanzmarktintegritätsstärkungsgesetz – FISG), which was passed after the Wirecard scandal shocked the German market.
The rules apply not only to financial services firms but also to outsourcing providers. Providers with German-regulated customers are affected by the rules.
Top five FISG changes:
- Financial services firms regulated by the German Banking Act (Kreditwesengesetz – KWG) are obliged to notify BaFin and the German Federal Bank (Deutsche Bundesbank) of their intent to outsource material activities, of the implementation, of important changes and of serious cases.
- Payment institutions, e-money institutions and asset management companies are now obliged to provide notifications similar to those described above.
- Asset management companies will need to notify not only material outsourcings but all outsourcings and any material changes (excluding severe incidents).
- It introduced statutory powers for BaFin to take measures directly against outsourcing companies, and information obligations on outsourcing companies, irrespective of their geographical location.
- It introduced an obligation on outsourcing companies from non-EU jurisdictions to appoint a service of process agent in Germany.
The notices issued by BaFin set out particularly comprehensive requirements on the information that must be provided under the above obligations, whether for an outsourcing notification, an amendment notification or the notification of a serious incident.
Operational resilience regulations are picking up all over the globe and we can expect these regulations to be further developed and refined. In order to set up adequate compliance systems in a timely manner, it is important to stay on top of regulatory changes and focus on those applicable to your organization. CUBE’s extensive regulatory coverage of over 5,000 issuing bodies in 180 jurisdictions and its AI functionality can help filter out the noise and focus on the relevant obligations applicable to your firm.
CUBE has the ability to keep companies up to date on the latest operational resilience obligations. Using AI to automatically map relevant regulations to company procedures increases efficiency and reduces risk.
Contact CUBE to keep ahead of operational resilience.