Making Sense of DORA - Opportunity for Differentiation

Friday, 26 April 2024

The EU’s Digital Operational Resilience Act (“DORA”) deadline is fast approaching and affects many of us in the Irish funds industry, including delegated third party providers. Marcos Zubrzycki (PwC) interviews PwC Ireland’s Moira Cronin and Neil Redmond to explore the key aspects of the new legislation as it impacts the funds industry.

DORA comes into force in January 2025 and while it is a huge compliance endeavor, it brings big opportunities to catapult firms to new levels of risk resilience and differentiation. Boards are ultimately responsible for DORA compliance and need to get up to speed. PwC Ireland’s Moira Cronin, Digital Risk Assurance Partner, and Neil Redmond, Cybersecurity and Privacy Competency Lead, explore the key aspects of the new legislation as it impacts the funds industry.

Moira, tell me what is DORA and why now?

The whole purpose of DORA is to ensure convergence and harmonization of security and resilience practices across the EU, but it requires a step-up. That step-up includes, amongst other aspects, the information and communications technology (ICT) third parties that support the funds industry. Basically, the same rigor needs to be applied to ICT third parties as is the case internally within the organization. DORA brings the rules of ICT risk together into one single piece of legislation.

As to why now, requirements on firms to address ICT risks are fragmented and inconsistent between different countries. It is very important to manage the ICT and cyber risks, particularly as third parties are now a huge part of our industry and there has been such an increase in the threat landscape.

Neil, what are the key elements of DORA?

DORA is structured around a number of fundamental pillars: governance and ICT risk management, ICT related incident reporting, digital operational resilience testing, third party risk management, and information sharing.

Moira, who does DORA apply to and who is enforcing it?

DORA applies to firms regulated in the EU market and their third party providers which may operate within or outside the EU. Where they are supporting the funds industry in the EU market from outside of the EU, they are in scope.

In Ireland, DORA will be enforced by the National Competent Authority responsible for registration and supervision, which will be the Central Bank of Ireland for most of our clients in the funds industry.

Neil, is there a chance that the deadline will be extended beyond 17 January, 2025?

The short answer is, unfortunately, no, so organizations in the funds industry really need to start planning now, if they have not already.

Moira, so who has to comply with DORA?

DORA applies to the FS sector in its widest form including third parties supporting important functions to a regulated entity which clearly includes the funds industry. Some examples include investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, administrators of critical benchmarks, and securitisation repositories. While there is a long list of organizations listed as in scope in the Act itself, some organizations may, in fact, be a delegated third party to another FS organisation and therefore come into scope.

Neil, what exactly does DORA mean for third party ICT providers?

Where an ICT provider is supporting an organization in the funds industry, it will need to collaborate with the entity to ensure they can meet the contractual provisions laid down by DORA. The Act also covers the concept of Critical third party providers, organizations which have a high concentration across the FS sector at a European level. These organizations, for example, include certain cloud providers, which will be subject to regulatory oversight by the European Supervisory Authorities.

Moira, what if the ICT service providers have a Service Organisation Controls 2 (SOC2) report? Is that enough?

The short answer is that these certifications and frameworks will complement your DORA journey but will not get you to complete compliance. The expectation is that we will still have a SOC2 (this report is to ensure that third-party service providers store and process client data in a secure manner) which adds on the additional DORA requirements and an ISAE3000 report specifically to meet the requirements of DORA.

Neil, given that Boards are ultimately responsible for compliance with DORA, what is the one question management companies and even fund Board directors should ask at their next Board meeting?

The most important question they should ask is whether a DORA programme has been set up, followed by who is responsible for ensuring that full compliance will be met by this coming January. Other questions the Board should ask include:

  • Does DORA apply to our entity?
  • Have we identified our Critical or Important functions in relation to DORA, and have we performed a mapping to include our third/fourth parties and beyond?
  • Have we performed a gap assessment against the DORA legislation to determine how well prepared we are for DORA?
  • Do we have a training and awareness session arranged for the Board/Management Body and/or the employees?
  • What timelines are we working towards?
  • How do we manage third parties and critical ICT third parties?

Moira, where do you start, and is DORA a one-time project?

We recommend starting with a 4-step approach. First, set up a governance structure to support your DORA programme with all stakeholders; second, identify your “Critical or Important functions” and map the IT systems and infrastructure supporting these functions end to end (including third parties); third, perform a gap analysis against the DORA legislation; and finally, develop a roadmap to achieve compliance, outlining how each gap will be addressed and using a risk-based approach to determine the sequence of implementation.

And no, DORA is not a one-time project. As noted, managing ICT/cyber risk and building digital resilience is a key topic now for all firms, and the ongoing management and monitoring of DORA will continue. In fact, the rigor it demands will require more assurance over these risks as we move forward.

Moira, how is DORA different from the Cross Industry Guidance on Operational Resilience (Op Res)? Is it just the IT side of this?

Op Res is a great starting point for DORA, and we note a good level of crossover in relation to the governance requirements, mapping of systems, dependencies, resilience testing, etc. However, DORA requires a slightly different lens, and it goes beyond the requirements in the Op Res guidance. Op Res focuses on the “Important business services”, of which most organizations have 3 to 5; DORA focuses on critical or important functions, which have a greater reach, and therefore DORA has a much broader scope. Op Res is more customer focused, whereas DORA looks at your financial impact, ability to meet your obligations under authorisation, robustness, ability to provide services to your customers, and the market impact.

Neil, can you give us one example of what is challenging firms as they get their arms around DORA?

The most significant aspects include the identification and mapping of your critical and important business functions. The DORA definition is very wide reaching. This exercise should be fully documented, outlining what is in and out of scope and the rationale to support each determination. Third party management is also a key area of concern given how interconnected our market is in this space.

Moira, this sounds like DORA is not just about compliance, but about business survival. Any final words?

Definitely, and it is also an opportunity. We encourage organisations to embrace DORA not as an additional regulatory constraint but as an opportunity for financial entities to differentiate themselves by strengthening their operational resilience to IT, cybersecurity, business continuity and risks related to third parties. DORA covers much more than just IT; it has implications for many areas of your business, including those responsible for governance, risk and third party risk management, so start now.

Marcos Zubrzycki

Marcos is an assurance senior manager with 24 years' experience auditing investment funds both in the US and Ireland. Marcos is a member of the growing AWM Managed Services team at PwC Ireland delivering a broad range of managed services solutions across areas including financial statement preparation and oversight, data and digital solutions, regulatory compliance, tax reviews, AML/KYC, and global fund distribution services.

Moira Cronin

Moira is the Digital Risk Partner leading our DORA offering at PwC Ireland. She has a team of IT and Cyber Risk specialists supporting her in assisting clients in preparation for DORA compliance. Moira is also a key leader on our DORA EMEA team of 400 PwC specialists across EMEA focusing on DORA and broader Digital Risk offerings.

Neil Redmond

Neil is the Cybersecurity GRC Lead and is responsible for leading projects on DORA and NIS 2 at PwC Ireland. Neil and his team have assisted clients in understanding their regulatory obligations and assisting with remediating them for third party risk, incident management and cybersecurity governance.

Disclaimer

Please note that the articles in this newsletter are thought leadership pieces contributed by organisations and individuals aimed at sharing industry insights and ideas. Their inclusion in this newsletter is not an endorsement of the content therein.

Irish Funds Spring Newsletter 2024

Read thought leadership pieces by our members on the EU's Digital Operational Resilience Act (DORA), the new Irish ELTIF regime, distribution, T+1, digital assets, AI, Active ETFs and more.
