Managing third-party risks for DORA in financial services
Written by: BizCommunity Editor
Andre Troskie, EMEA Field CISO, Veeam
DORA compliance extends beyond internal procedures, covering third-party service providers as well.
It’s here where most organisations risk tripping up in the initial stages of DORA enforcement.
With consequences ranging from significant fines to brand and reputational damage, it’s an issue that organisations can’t afford to overlook.
Unlike other sectors that also have to comply with NIS2, financial services by necessity are typically further ahead of the curve when it comes to regulatory compliance.
For many, DORA’s requirements will have been about building on (and proving) the strength of the foundations already in place.
Resilience testing
The main focus of DORA for financial services will instead likely be on operational resilience testing, ensuring internal awareness of different scenarios and their risk impacts.
Most financial institutions and banks will have felt confident in their scenario-based testing and, by extension, their compliance with DORA when the deadline passed this January.
And if the scope of DORA didn’t extend beyond internal compliance, they would be right.
Unfortunately for most, DORA extends to cover all of an organisation’s third parties and supply chains, creating the risk of a pretty large potential blind spot.
Time to put the work in
Financial services organisations can do all the work they want to ensure internal compliance with DORA, but unless their third-party and supply partners are also compliant, they will fail regardless.
And these are no small stakes.
According to EY’s Global Third-Party Risk Management Survey, in the US alone, 98% of financial services organisations have partnerships with third-party vendors.
Although they may not realise it, third parties are one of the biggest risks to FS organisations when it comes to DORA compliance.
Sadly, there is no quick fix.
Financial services organisations can’t afford to be under any illusions: this will be a necessary but significant piece of work.
Cementing DORA compliance as a prerequisite will be essential for continued DORA compliance, but it will require collaborative work from across businesses.
Security, risk management, and legal teams will all need to band together to pull this off.
Double-duty for data resilience
Of course, even having DORA compliance confirmed amongst your third-party providers won’t make you completely invulnerable to cybersecurity threats.
But it will stand you in good stead when it comes to recovering from an attack.
After all, regulatory compliance has never equalled complete security.
DORA is more of an exercise in operational resilience improvement, which is a key piece of the puzzle for recovery from cyberattacks.
But this doesn’t mean that compliance should be an afterthought.
Around the clock to secure third parties
For financial services organisations to achieve compliance with DORA and secure their third parties, they’ll need to dedicate around-the-clock attention.
It’s not a one-and-done deal; it will be an iterative and continual process to achieve compliance consistently across all providers.
That is, if they want to avoid the chaos that 11,000 Starbucks stores dealt with when their third-party cloud provider was taken out by a ransomware attack last winter.
Sure, it’ll require a significant amount of resources to completely map out all of your third-party providers and introduce those contractual safeguards, but it’ll serve double duty.
Not only will you ensure compliance, but you’ll also cement robust data resilience as a backbone of your incident response plans.
Other benefits of compliance
Last year alone, the cost of downtime for financial services organisations was $152m.
So, if the worst does happen, you’ll want to be able to bounce back as quickly as possible or face adding to that number this year.
There are of course other benefits to compliance, primarily the avoidance of any consequences.
DORA in particular comes hand in hand with European Supervisory Authorities (ESAs) that will regularly check for compliance and hand down any relevant repercussions.
For financial services, if their external critical software providers don’t comply in time, they could face anything from a fine of 2% of their annual turnover to criminal charges.
Not a bulletproof vest
So yes, DORA compliance can’t bulletproof you against every threat out there, but being able to prove that everything is in place, and that it all works within the defined time frames, will set you up to recover as swiftly as possible from cyberattacks.
And, perhaps more prudently, it’ll prevent you from incurring any of the severe consequences attached to non-compliance.
Organisations need to step it up a notch when it comes to DORA compliance and, most importantly, ensure their third parties are along for the ride.
